This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
gemechisd
Contributor
‎2023-08-30 05:06 AM

Tunnel Sharing

I have IPsec VPN with third party having FortiGate VPN Firewall. There are 5 Encryption Domains (ED's) on the same peer with different VLAN's but defined as a host.

The tunnel management option I have selected is "One VPN Tunnel per Gateway pair". What problem does it cause? Or Which tunnel management option I have to select? In order for all ED's to be up on phase 2?

Preview file
8 KB
0 Kudos
4 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-08-30 05:36 AM

What does not work with the current settings ? And what do you mean by: there are 5 Encryption Domains (ED's) on the same peer with different VLAN's but defined as a host ? Maybe a rough topology sketch will help to understand it.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2023-08-30 06:49 AM

Here is what I will tell you. From all my experience with CP vpn tunnels, I learned some important things that I believe should be taken into considerations.

First off, not sure how long you been around CP, but in the old days of Check Point, and Im talking probably R60 and before, CP would ALWAYS try to present largest possible subnet to the peer, no matter if it was explicitly configured to say send /29, it would always try to send /24 or larger subnet. Thats not so much issue these days, but just to be on the safe side, I would verify below settings in Gudbedit are set to FALSE

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

 

 

Now, onto main thing I wanted to discuss. That setting, one vpn tunnel per gateway pair, personally, I would ONLY use that if its permanent route based tunnel with Say Azure or AWS, but if its regular domain based, do not use that setting, unless its combination of subnets/hosts in your CP enc. domain.

Keep in mind as well, with Fortigate or PAN, makes no difference if you select 0.0.0.0/0 phase 2 selectors, it really comes down to what you have defined in the policy itself for VPN traffic.

Hope that helps, but if you need more explanation, we can do the call/remote session. Let me know.

Cheers,

Andy

0 Kudos
Matlu
Advisor
‎2023-09-12 08:29 AM
In response to the_rock

Hola, Hermano 😎

Reading this post thread, I ask you ... in your experience, if you use the "... per Gateway pair" in a traditional VPN (other than against AWS, GCP, Azure) I understand, that Checkpoint here presents phase 2 as a 0.0.0.0.0/0.

So, the remote peer, in its phase 2, would also have in any case to "configure" its phase 2, with the same value?

That is with a 0.0.0.0.0/0?

0 Kudos
the_rock
Legend
Legend
‎2023-09-12 08:48 AM
In response to Matlu

Not necessarily. It all depends what you assign for the VPN domain. See, CP works a bit different when it comes to these things compared to say Fortigate or Cisco or even PAN. But, from my experience, when it comes to Azure or AWS vpn, we always tell customers to ensure empty group is assigned for vpn domain and per gateway option is selected.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events