IPsec tunnel encryption
I am planning to create an IPsec tunnel between my Check Point firewall and a Cisco firewall.
My firewall IP is 10.130.40.50, and I have other interfaces configured with the subnets 192.168.252.0/24 and 192.168.240.0/24.
In the VPN domain on the firewall, if I create the encryption domain as 10.130.40.0/24 and I have rules to allow the traffic from 192.168.252.0 and 192.168.240.0 to the remote networks behind the Cisco firewall, will the traffic be encrypted?
Or should I include 192.168.252.0/24 and 192.168.240.0/24 in the encryption domain as well?
The encryption domain represents the traffic that participates in VPN Tunnel.
If you want traffic from 192.168.252.0/24 and 192.168.240.0/24 to traverse the tunnel, you must include both networks as a group for the local encryption domain; this way the Check Point knows that traffic from those two sources has to be encrypted to reach Cisco's encryption domain.
Regards.
1. Do I need to include the Check Point firewall IP subnet (the interface the tunnel terminates on) in the encryption domain?
2. What if I include only the firewall IP subnet in the encryption domain?
1. You don't need to include the external IP of the Check Point firewall in the encryption domain. By default in Simplified Mode, the external IP addresses of the gateways participating in the community are included implicitly in the encryption domain, so all traffic between both external IPs is encapsulated inside the tunnel except for IKE and ESP traffic. This is an advantage when you use Check Point gateways on both ends. The recommendation, if you want to reach the 3rd-party device, is to add an exclusion in the crypt.def file; otherwise, by default the Check Point gateway will try to encrypt traffic such as ping or TCP when the destination is the peer's IP.
2. If you include only the IP, basically you won't be able to negotiate the LAN-to-LAN tunnel (use your local LANs to traverse across the tunnel). What you do with this is encrypt the traffic from and to the firewall only, which doesn't make sense because you can't use your LAN devices inside the tunnel.
Thanks. One more question. This is with route-based VPN.
I read somewhere that we need to have IPsec/IKE in the excluded services; is that true?
If you will use route-based VPN then you will need to create empty groups as encryption domains (this way route-based VPN will take precedence over domain-based VPN in case you have both), because all the encryption is decided according to the routing table (vpnt interfaces in GAiA). For more information you can always follow the official VPN Guide for your version.
Can you explain a little more about the context of IPsec and IKE as excluded services?
In the community -> Excluded Services, the IPsec services (Ah, esp, ike, ike_nat_traversal, skip, vpn1_IPsec_ENCAPSULATION) are excluded.
Hi,
Correct. The encryption domain plays a key role in any VPN tunnel. Traffic which takes part in the VPN needs to be included in this domain, and it must match at both ends. The subnet mask information should also be the same.
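To make the two points above concrete (traffic is only encrypted when both source and destination fall inside the respective encryption domains, and the Phase 2 selectors must match on both sides, mask included), here is an added Python model that is not part of the thread; it uses the thread's Check Point subnets and an assumed network behind the Cisco:

```python
from ipaddress import ip_address, ip_network

# Constructed sample values. The Check Point networks are the ones from the
# thread; the network behind the Cisco is an assumption for illustration.
CHECKPOINT_LOCAL_DOMAIN = ["10.130.40.0/24", "192.168.252.0/24", "192.168.240.0/24"]
CISCO_REMOTE_DOMAIN = ["172.16.10.0/24"]


def in_domain(addr, domain):
    """True if the address lies inside any network of the encryption domain."""
    ip = ip_address(addr)
    return any(ip in ip_network(net) for net in domain)


def needs_encryption(src, dst, local_domain, remote_domain):
    """Domain-based VPN decision: a packet enters the tunnel only when its
    source is in the local domain AND its destination is in the peer's domain.
    A rule that merely permits the traffic does not make it encrypted."""
    return in_domain(src, local_domain) and in_domain(dst, remote_domain)


def selector_mismatches(cp_local, cp_remote, cisco_local, cisco_remote):
    """Networks that would make Phase 2 fail: what the Check Point calls its
    local domain must be exactly what the Cisco calls remote, and vice versa.
    Prefix length counts, so 192.168.252.0/24 vs /23 is a mismatch."""
    def norm(nets):
        return {ip_network(n) for n in nets}

    bad = [("cisco_remote", str(n)) for n in sorted(norm(cp_local) ^ norm(cisco_remote))]
    bad += [("cp_remote", str(n)) for n in sorted(norm(cisco_local) ^ norm(cp_remote))]
    return bad


if __name__ == "__main__":
    # Only the firewall's own subnet in the domain: LAN traffic goes in clear.
    print(needs_encryption("192.168.252.10", "172.16.10.5",
                           ["10.130.40.0/24"], CISCO_REMOTE_DOMAIN))
    # Both LANs added: the same flow is now encrypted.
    print(needs_encryption("192.168.252.10", "172.16.10.5",
                           CHECKPOINT_LOCAL_DOMAIN, CISCO_REMOTE_DOMAIN))
    # Cisco configured with a /23 where the Check Point has a /24.
    print(selector_mismatches(CHECKPOINT_LOCAL_DOMAIN, CISCO_REMOTE_DOMAIN,
                              CISCO_REMOTE_DOMAIN,
                              ["10.130.40.0/24", "192.168.252.0/23", "192.168.240.0/24"]))
```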
Even if the encryption didn't match, phase 1 should come up, right?
Yes. If the encryption domain is mismatched then you will get an error at Phase 2; it will not be UP.
Phase 1 should be UP.
1. Do we need to check "Accept all encrypted traffic" on the Encrypted Traffic tab? What does it mean?
According to the Site to Site VPN Guide:
Regards.
Additional information and details for troubleshooting can be found in sk108600 (VPN Site-to-Site with 3rd party) and sk44852 (How to configure a Site-to-Site VPN with a universal tunnel).