This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Danny
Champion Champion
Champion
‎2023-08-03 02:08 AM

VPN Limitation: Encryption domain > supported objects per tunnel type

Check Point RnD informed us, that there is an important limitation for VPN Site-to-Site tunnels to consider:

The only tunnel sharing method that supports a mix of network object types (hosts, ranges, networks etc.) is "tunnel per Gateway pair". "tunnel per each pair of hosts" must include host objects only and "tunnel per subnet pair" must include network objects only. Anything else is considered a misconfiguration.
image.png

(1)
18 Replies
Magnus-Holmberg
Advisor
‎2023-08-03 03:32 AM

That one should really be put in to a "info" box on each option here.
Always struggling with more advance vpn boxes and ends up using user.def file to make sure its how i want to to be configured.

https://www.youtube.com/c/MagnusHolmberg-NetSec
the_rock
Legend
Legend
‎2023-08-03 07:06 AM
In response to Magnus-Holmberg

I know Phoneboy mentioned in one of the posts that there are lots of new options coming for VPN settings in smart console starting R82 version, so this might be one of them, we shall see : - )

Andy

0 Kudos
Magnus-Holmberg
Advisor
‎2023-08-03 07:34 AM
In response to the_rock

I hope they fix so you can see standard issues in the log aswell and dont need to actually debug the traffic to figure out you sending the incorrect subnetmask or similar 🙂

https://www.youtube.com/c/MagnusHolmberg-NetSec
(1)
the_rock
Legend
Legend
‎2023-08-03 07:35 AM
In response to Magnus-Holmberg

That would be super useful 🙂

0 Kudos
the_rock
Legend
Legend
‎2023-08-03 07:05 AM

In 15 years, I never knew of that. But, in all honesty, maybe that never used to be an issue in old versions, cant recall now : - )

Thanks for sharing!

Andy

0 Kudos
DT44
Explorer
‎2023-08-15 07:14 AM

Just checking, do we know how these settings affect dynamic objects? When a dynamic object is added to a gateway it can be configured to include individual host IPs, network ranges, or both.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-15 02:48 PM
In response to DT44

To the best of my knowledge, dynamic objects cannot be added to an encryption domain.

0 Kudos
the_rock
Legend
Legend
‎2023-08-15 03:01 PM
In response to PhoneBoy

Technically, you can, but policy will fail : - )

0 Kudos
Gary_Scott
Contributor
‎2023-09-23 08:24 PM
In response to PhoneBoy

FYI,  https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-25 11:16 AM
In response to Gary_Scott

This I am aware of, but it must be done as described or it will not work 🙂

0 Kudos
Zolocofxp
Collaborator
‎2023-09-26 09:04 AM

Having "One VPN tunnel per subnet pair" will let you establish tunnels  between HOST<>NET and NET<>NET.

 

image.png

0 Kudos
the_rock
Legend
Legend
‎2023-09-26 09:05 AM
In response to Zolocofxp

Thats debatable, does not always work. I find that tunnel per gateway pair will do that 100% of the time.

Andy

0 Kudos
Zolocofxp
Collaborator
‎2023-09-26 09:14 AM
In response to the_rock

One tunnel per gateway is ideal... It just establishes a single 0.0.0.0/0 tunnel.
image.png

0 Kudos
the_rock
Legend
Legend
‎2023-09-26 09:16 AM
In response to Zolocofxp

Thats pretty much generic for any vendor, but yes, thats indeed true.

0 Kudos
SenpaiNoticed_U
Employee
Employee
‎2023-09-26 11:37 AM

For a Host object in the domain, the SA will attempt use an exact IP or in some cases I have seen it convert the IP into a /24,
While the Tunnel management is set to Subnet pair.
so if the host object is to a Peer subnet, the SA will appear like this:
| My TS: 10.140.250.1
| Peer TS: 192.168.1.0/24
or like this
| My TS: 10.140.250.0/24
| Peer TS: 192.168.1.0/24

However,
You can have it use a /32.
so if you use a network object that is a /32 instead.
you will get a SA like:
| My TS: 10.140.250.1/32
| Peer TS: 192.168.1.0/24
================

You may also be able to force it to the exact subnet you wish with user.def.FW1 edits.

But I would recommend to use Network objects for Subnet Pairing.


the_rock
Legend
Legend
‎2023-09-26 11:44 AM
In response to SenpaiNoticed_U

In old days on CP and we are talking probably 15 years ago (or more), it was so annoying to have to always change guidbedit setting(s) for supernat, as it would always try to present largest possible subnet, specially with Cisco VPN tunnel.

Glad thats sorted out in R80 + : - )

Andy

0 Kudos
SenpaiNoticed_U
Employee
Employee
‎2023-09-26 11:47 AM
In response to the_rock

Yes, and now with R81, Permanent Tunnels are set tp DPD for Interoperable devices be default.

the_rock
Legend
Legend
‎2023-09-26 11:55 AM
In response to SenpaiNoticed_U

I was very happy with that change!

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events