S2S VPN & Overlapping Encryption Domains

We have two Check Point appliances - one at site A and one at site B. Both sites have their own local ISP connection in addition to a P2P circuit interconnecting the two sites. The P2P link is provided via the downstream Core switches and provides redundancy to route site A's traffic out site B's ISP and vice versa in the event an ISP goes down at a single site. The core switches use OSPF to share routes between the sites.

Site B is new and for the longest time we had all of our VPNs to 3rd party vendors terminate at Site A. Now that we need to build a new VPN to a 3rd party vendor, we must ensure both Site A and Site B have their own VPN to the vendor and ensure that Site A can route across to the P2P and out Site B's VPN in the event of a failure at Site A and vice versa. Furthermore, Site A's traffic to the vendor will be SNATed behind 10.220.0.0/25 and Site B's traffic to the vendor will be SNATed behind 10.220.1.0/25, so traffic from the vendor to us will only have one path regardless of which site our traffic comes from.

  • Since the local encryption domain (10.220.0.0/25, 192.168.101.0/24, 192.168.105.0/24, 10.220.1.0/25, 10.1.101.0/24 and 10.1.105.0/24) and remote encryption domain (192.30.110.0/28 & 208.229.189.80/28) for both sites will be the same, is this a supported config?
  • I was envisioning using two star communities - SiteA-Vendor and SiteB-Vendor unless there is a better way to handle this scenario.
  • SK106837 indicates that a full overlap is supported, however, does this apply to a single gateway or multiple gateways?
  • Is an overlap in encryption domains only applicable to a single gateway across multiple VPN communities (i.e. my scenario is supported)?

Coming from a background of primarily route based VPNs, this would be a fairly easy configuration with no consideration to overlaps. We're currently using domain based VPNs but I'm thinking the best path forward would be using route based VPNs and migrating all domain based VPNs to route based.

I've attached a network diagram to outline my topology.
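As an added illustration of the overlap question above (this is not code from the original post or from Check Point; the community names SiteA-Vendor and SiteB-Vendor are the poster's proposed names, and the data structure and function names are my own assumptions), the following script takes the encryption domains and SNAT hide pools listed in the post, classifies the overlap between the two communities' local and remote domains as full, partial, or none, and checks that the two SNAT pools are disjoint and actually fall inside the local encryption domain, so that SNATed traffic is matched by the VPN rule and the vendor's return path is unambiguous. It generalizes beyond the post's case by handling partial overlaps as well.

```python
from ipaddress import ip_network, collapse_addresses
from itertools import combinations

# Encryption domains and SNAT pools exactly as listed in the post.
LOCAL_DOMAIN = ["10.220.0.0/25", "192.168.101.0/24", "192.168.105.0/24",
                "10.220.1.0/25", "10.1.101.0/24", "10.1.105.0/24"]
REMOTE_DOMAIN = ["192.30.110.0/28", "208.229.189.80/28"]

# Constructed model of the two proposed star communities (assumed structure,
# not a Check Point export format).
COMMUNITIES = {
    "SiteA-Vendor": {"local": LOCAL_DOMAIN, "remote": REMOTE_DOMAIN,
                     "snat": "10.220.0.0/25"},
    "SiteB-Vendor": {"local": LOCAL_DOMAIN, "remote": REMOTE_DOMAIN,
                     "snat": "10.220.1.0/25"},
}


def canonical(nets):
    """Normalize a list of prefixes: parse, merge adjacent/contained ones, sort."""
    return tuple(collapse_addresses(ip_network(str(n)) for n in nets))


def classify_overlap(a, b):
    """Compare two encryption domains.

    'full'    - both cover exactly the same address space
    'partial' - some prefix overlaps, but the domains are not identical
    'none'    - no address is shared
    """
    ca, cb = canonical(a), canonical(b)
    if ca == cb:
        return "full"
    if any(x.overlaps(y) for x in ca for y in cb):
        return "partial"
    return "none"


def snat_pool_inside_local_domain(community):
    """True if the hide pool is covered by the local domain, i.e. the SNATed
    source address will still be selected for encryption by the community."""
    pool = ip_network(community["snat"])
    return any(pool.subnet_of(n) for n in canonical(community["local"]))


def compare_communities(communities):
    """Pairwise report of domain overlap and SNAT pool separation."""
    findings = []
    for (n1, c1), (n2, c2) in combinations(communities.items(), 2):
        findings.append({
            "pair": (n1, n2),
            "local": classify_overlap(c1["local"], c2["local"]),
            "remote": classify_overlap(c1["remote"], c2["remote"]),
            # Disjoint pools give the vendor a single return path per site.
            "snat_disjoint": not ip_network(c1["snat"]).overlaps(ip_network(c2["snat"])),
            "snat_in_domain": (snat_pool_inside_local_domain(c1),
                               snat_pool_inside_local_domain(c2)),
        })
    return findings


if __name__ == "__main__":
    for f in compare_communities(COMMUNITIES):
        print(f)
```

Running it on the post's data reports a full overlap of both the local and remote domains between the two communities (which is precisely the case the question asks about) and confirms that the two hide pools are disjoint and contained in the local domain; a partial overlap would be the riskier situation, since a prefix present in one community and a superset of it in another makes the gateway's community selection depend on longest-match rules rather than on an explicit design.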

1 Reply
$FWDIR/conf/vpn_route.conf

Search for the sk for it here; it was mentioned a few months ago, I believe...
Jerry