Danny
Champion

VPN Limitation: Encryption domain > supported objects per tunnel type

Check Point RnD informed us, that there is an important limitation for VPN Site-to-Site tunnels to consider:

The only tunnel sharing method that supports a mix of network object types (hosts, ranges, networks etc.) is "tunnel per Gateway pair". "tunnel per each pair of hosts" must include host objects only and "tunnel per subnet pair" must include network objects only. Anything else is considered a misconfiguration.
image.png

(1)
18 Replies
Magnus-Holmberg
Advisor

That one should really be put into an "info" box on each option here.
Always struggling with the more advanced VPN boxes and end up using the user.def file to make sure it's configured the way I want it to be.

https://www.youtube.com/c/MagnusHolmberg-NetSec
the_rock
Legend

I know Phoneboy mentioned in one of the posts that there are lots of new options coming for VPN settings in SmartConsole starting with R82, so this might be one of them, we shall see : - )

Andy

0 Kudos
Magnus-Holmberg
Advisor

I hope they fix it so you can see standard issues in the log as well and don't need to actually debug the traffic to figure out you're sending the incorrect subnet mask or similar 🙂

https://www.youtube.com/c/MagnusHolmberg-NetSec
(1)
the_rock
Legend

That would be super useful 🙂

0 Kudos
the_rock
Legend

In 15 years, I never knew of that. But, in all honesty, maybe that never used to be an issue in old versions, can't recall now : - )

Thanks for sharing!

Andy

0 Kudos
DT44
Explorer

Just checking, do we know how these settings affect dynamic objects? When a dynamic object is added to a gateway it can be configured to include individual host IPs, network ranges, or both.

0 Kudos
PhoneBoy
Admin

To the best of my knowledge, dynamic objects cannot be added to an encryption domain.

0 Kudos
the_rock
Legend

Technically, you can, but policy will fail : - )

0 Kudos
Gary_Scott
Contributor

0 Kudos
PhoneBoy
Admin

This I am aware of, but it must be done as described or it will not work 🙂

0 Kudos
Zolocofxp
Collaborator

Having "One VPN tunnel per subnet pair" will let you establish tunnels between HOST<>NET and NET<>NET.

image.png

0 Kudos
the_rock
Legend

That's debatable, it does not always work. I find that tunnel per gateway pair will do that 100% of the time.

Andy

0 Kudos
Zolocofxp
Collaborator

One tunnel per gateway is ideal... It just establishes a single 0.0.0.0/0 tunnel.
image.png

0 Kudos
the_rock
Legend

That's pretty much generic for any vendor, but yes, that's indeed true.

0 Kudos
SenpaiNoticed_U
Employee

For a Host object in the domain, the SA will attempt to use an exact IP, or in some cases I have seen it convert the IP into a /24, while Tunnel management is set to Subnet pair.
So if the host object is to a peer subnet, the SA will appear like this:
| My TS: 10.140.250.1
| Peer TS: 192.168.1.0/24
or like this:
| My TS: 10.140.250.0/24
| Peer TS: 192.168.1.0/24

However, you can have it use a /32.
So if you use a network object that is a /32 instead, you will get an SA like:
| My TS: 10.140.250.1/32
| Peer TS: 192.168.1.0/24
================

You may also be able to force it to the exact subnet you wish with user.def.FW1 edits.

But I would recommend using Network objects for Subnet Pairing.

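As an added example (not code from the thread or from Check Point), the rule from the original post and the /32 observation above can be expressed as a small pre-change check on an encryption domain: it flags object types that the chosen tunnel sharing mode does not permit, validates that each value is well-formed for its type, and, for a subnet-pair domain, lists the traffic selectors the network objects produce. The object model and mode labels are assumptions for illustration, not a Check Point API.

```python
import ipaddress
from dataclasses import dataclass

# Tunnel sharing modes, labelled as in the thread (names are assumed, not an API).
GATEWAY_PAIR = "one tunnel per gateway pair"
HOST_PAIR = "one tunnel per each pair of hosts"
SUBNET_PAIR = "one tunnel per subnet pair"

# Object types each mode may contain: the rule stated in the original post.
ALLOWED_KINDS = {
    GATEWAY_PAIR: {"host", "network", "range"},
    HOST_PAIR: {"host"},
    SUBNET_PAIR: {"network"},
}


@dataclass(frozen=True)
class DomainObject:
    """One encryption-domain member; kind is 'host', 'network' or 'range'."""
    name: str
    kind: str
    value: str  # e.g. "10.140.250.1", "192.168.1.0/24", "10.0.0.1-10.0.0.9"


def parse_value(obj):
    """Return the parsed value if well-formed for its kind, else raise ValueError."""
    if obj.kind == "host":
        return ipaddress.ip_address(obj.value)
    if obj.kind == "network":
        # strict=True rejects a host address with a mask, e.g. 10.0.0.1/24
        return ipaddress.ip_network(obj.value, strict=True)
    if obj.kind == "range":
        lo, hi = (ipaddress.ip_address(p) for p in obj.value.split("-"))
        if lo > hi:
            raise ValueError(f"{obj.name}: range start is after range end")
        return (lo, hi)
    raise ValueError(f"{obj.name}: unknown object kind {obj.kind!r}")


def check_domain(mode, objects):
    """Names of objects that the given tunnel sharing mode does not permit."""
    allowed = ALLOWED_KINDS[mode]
    misconfigured = []
    for obj in objects:
        parse_value(obj)  # malformed values are an error regardless of mode
        if obj.kind not in allowed:
            misconfigured.append(obj.name)
    return misconfigured


def subnet_pair_selectors(objects):
    """Traffic selectors a subnet-pair domain of network objects yields: each
    network's CIDR, so a /32 network object gives an exact host selector."""
    return [str(parse_value(o)) for o in objects if o.kind == "network"]
```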

the_rock
Legend

In the old days on CP, and we are talking probably 15 years ago (or more), it was so annoying to always have to change guidbedit setting(s) for supernetting, as it would always try to present the largest possible subnet, especially with Cisco VPN tunnels.

Glad that's sorted out in R80+ : - )

Andy

0 Kudos
SenpaiNoticed_U
Employee

Yes, and now with R81, Permanent Tunnels are set to DPD for Interoperable devices by default.

the_rock
Legend

I was very happy with that change!

Andy

0 Kudos