Can CP build IPSec over GRE VPN with another manufacturer's device?

Can CP build IPSec over GRE VPN with another manufacturer's device? Or does CP support IPSec over GRE VPN? If yes, who can describe how to build it?

Accepted Solutions
Nokia IPSO had GRE tunnel capability, but it was not brought forward into Gaia on the standard gateways:

sk92845: Can users create a GRE tunnel on Gaia OS?

I had a prolonged email thread with various individuals inside Check Point asking if the standard gateways supported GRE on behalf of a customer but never got a direct answer, and kept getting asked instead if it was for NSaaS/CloudGuard.

So it appears that CloudGuard does support GRE capability, although it is not recommended:

sk157893: Check Point recommendations for tunneling through IPsec instead of GRE

There was also sk148852 describing how to set up a GRE tunnel on a Check Point gateway, but it was removed at some point:

[Image: sk148852.jpg]

GRE tunnel termination capability doesn't seem to be present on the standard gateways from what I can see, but an official statement from Check Point in an SK as to exactly which situations GRE tunnel termination is supported in on a Check Point gateway would be helpful, as I keep getting this question in classes and such. Yes, GRE traffic created elsewhere can transit a Check Point and even be encrypted/decrypted in an IPSec VPN implemented by a Check Point gateway; the question is what Check Point's capabilities are to actually create/terminate a GRE tunnel on the gateway itself, whether it is via the Gaia OS or the Check Point firewall software. Looks like it is available in CloudGuard and nowhere else, correct?

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

2 Replies

Admin
sk148852 related to what was then called CloudGuard NSaaS (now called CloudGuard Connect).
It doesn't apply to CloudGuard IaaS (or any modern Check Point gateway).
As far as I know, there is no plan to support terminating GRE tunnels on Check Point Gateways.