This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
AndrewZ
Explorer
‎2019-08-12 12:03 AM

IPsec VPN packet flow.

Hello all!

 

I have a simple question but I can't clarify this point by googling.

 

I have box under R77.30 and IPsec community based VPN.

The IPsec is a legacy solution  and I need to migrate some networks to L3VPN which available via 802.1Q subinterface on firewall. 

By now, I use an aggregated prefix 10.0.0.0/8(at remote site) throught IPsec. I need migrate 10.1.1.0/24 to L3VPN.

Can I just make new static through L3VPN subinterface or I should change IPsec settings(exclude10.1.1.0/24  from encryption domain or etc.)?

 

The general point is where exactly the crypto policy is applyed.

 

Thanks in advance.

Regards.

0 Kudos
Reply
3 Replies
PhoneBoy
Admin
Admin
‎2019-08-12 06:07 AM

Your local encryption domain would include anything that needs to be encrypted when forwarded to the remote site.
This is generally everything off your Internal interfaces, but not always.
The definition of the remote encryption domain must likewise match what the remote site is providing you access to.

A network diagram of current and future state would be helpful in answering your question.
0 Kudos
Reply
AndrewZ
Explorer
‎2019-08-20 05:51 AM
In response to PhoneBoy

Hello PhoneBoy! Thanks for your answer.

 

By now, I have remote encryption domain which contains 10.0.0.0/8. I would like to switch traffic for remote network 10.1.1.0/24 through L3VPN. What should I reconfigure in sense on encryption domains?image.png 

 

Regards, Andrey.

0 Kudos
Reply
PhoneBoy
Admin
Admin
‎2019-08-21 09:53 AM
In response to AndrewZ

You don't need to change the encryption domain here.
What you should do is configure the L3VPN interface on the Check Point as a "Trusted Link."
Any traffic sent on that interface will be sent unencrypted.
See: https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/htm...
0 Kudos
Reply