Explorer

IPsec VPN packet flow.

Hello all!


I have a simple question but I can't clarify this point by googling.


I have box under R77.30 and IPsec community based VPN.

IPsec is a legacy solution and I need to migrate some networks to an L3VPN, which is available via an 802.1Q subinterface on the firewall.

Currently I use an aggregated prefix 10.0.0.0/8 (at the remote site) through IPsec. I need to migrate 10.1.1.0/24 to the L3VPN.

Can I just add a new static route through the L3VPN subinterface, or should I change the IPsec settings (exclude 10.1.1.0/24 from the encryption domain, etc.)?


The general point is where exactly the crypto policy is applied.


Thanks in advance.

Regards.

0 Kudos
3 Replies
Admin

Your local encryption domain would include anything that needs to be encrypted when forwarded to the remote site.
This is generally everything off your Internal interfaces, but not always.
The definition of the remote encryption domain must likewise match what the remote site is providing you access to.

A network diagram of current and future state would be helpful in answering your question.
0 Kudos
Explorer

Hello PhoneBoy! Thanks for your answer.


Currently I have a remote encryption domain which contains 10.0.0.0/8. I would like to switch traffic for the remote network 10.1.1.0/24 through the L3VPN. What should I reconfigure in terms of encryption domains?


Regards, Andrey.

0 Kudos
Admin

You don't need to change the encryption domain here.
What you should do is configure the L3VPN interface on the Check Point as a "Trusted Link."
Any traffic sent on that interface will be sent unencrypted.
See: https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/htm...
0 Kudos
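To make the decision described in this thread concrete, here is an added, simplified model (not Check Point's implementation, and not from any poster) of how a domain-based VPN gateway decides whether a packet is encrypted: route lookup first, then encryption-domain match, with an egress interface marked as a trusted link overriding encryption. The local domain 192.168.0.0/16, peer address 203.0.113.1 and interface names are constructed assumptions; 10.0.0.0/8 and 10.1.1.0/24 are from the thread.

```python
# Added, simplified model of the encrypt-or-not decision; it is not
# Check Point's implementation. Assumed order: route lookup, then
# encryption-domain match, then a trusted-link override on the egress.
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str


@dataclass
class Gateway:
    local_domain: list        # networks behind this gateway
    remote_domain: list       # networks reachable behind the IPsec peer
    peer: str                 # IPsec peer gateway address
    routes: list
    trusted_links: set = field(default_factory=set)

    def egress(self, dst):
        """Longest-prefix route lookup; None when there is no route."""
        hits = [r for r in self.routes if ip_address(dst) in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen).interface if hits else None

    def decide(self, src, dst):
        iface = self.egress(dst)
        if iface is None:
            return ("drop", None)
        in_local = any(ip_address(src) in n for n in self.local_domain)
        in_remote = any(ip_address(dst) in n for n in self.remote_domain)
        if in_local and in_remote and iface not in self.trusted_links:
            # Encrypted packets are addressed to the peer, so they leave via the peer's route.
            return ("encrypt", self.egress(self.peer))
        return ("clear", iface)


def build(trusted_l3vpn):
    """Gateway from the thread: 10.0.0.0/8 via IPsec, 10.1.1.0/24 via an L3VPN subinterface."""
    return Gateway(
        local_domain=[ip_network("192.168.0.0/16")],   # constructed
        remote_domain=[ip_network("10.0.0.0/8")],
        peer="203.0.113.1",                            # constructed
        routes=[Route(ip_network("0.0.0.0/0"), "eth0"),
                Route(ip_network("10.1.1.0/24"), "eth0.100")],  # 802.1Q subinterface
        trusted_links={"eth0.100"} if trusted_l3vpn else set(),
    )


if __name__ == "__main__":
    for trusted in (False, True):
        gw = build(trusted)
        print(trusted, gw.decide("192.168.1.10", "10.1.1.5"), gw.decide("192.168.1.10", "10.2.0.5"))
```

With only the static route added, traffic to 10.1.1.5 still matches the remote encryption domain and goes into the tunnel; once the subinterface is a trusted link it is forwarded in the clear, while 10.2.0.5 stays encrypted in both cases.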