This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AndrewZ
Explorer
‎2019-08-12 12:03 AM

IPsec VPN packet flow.

Hello all!

 

I have a simple question but I can't clarify this point by googling.

 

I have box under R77.30 and IPsec community based VPN.

The IPsec is a legacy solution  and I need to migrate some networks to L3VPN which available via 802.1Q subinterface on firewall. 

By now, I use an aggregated prefix 10.0.0.0/8(at remote site) throught IPsec. I need migrate 10.1.1.0/24 to L3VPN.

Can I just make new static through L3VPN subinterface or I should change IPsec settings(exclude10.1.1.0/24  from encryption domain or etc.)?

 

The general point is where exactly the crypto policy is applyed.

 

Thanks in advance.

Regards.

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-08-12 06:07 AM

Your local encryption domain would include anything that needs to be encrypted when forwarded to the remote site.
This is generally everything off your Internal interfaces, but not always.
The definition of the remote encryption domain must likewise match what the remote site is providing you access to.

A network diagram of current and future state would be helpful in answering your question.
0 Kudos
AndrewZ
Explorer
‎2019-08-20 05:51 AM
In response to PhoneBoy

Hello PhoneBoy! Thanks for your answer.

 

By now, I have remote encryption domain which contains 10.0.0.0/8. I would like to switch traffic for remote network 10.1.1.0/24 through L3VPN. What should I reconfigure in sense on encryption domains?image.png 

 

Regards, Andrey.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-08-21 09:53 AM
In response to AndrewZ

You don't need to change the encryption domain here.
What you should do is configure the L3VPN interface on the Check Point as a "Trusted Link."
Any traffic sent on that interface will be sent unencrypted.
See: https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/htm...
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events