This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Brianpiraty_Ale
Contributor
‎2018-11-28 03:42 PM

IPsec tunnel required rules

1. for establishing IPsec tunnel  do we need to have a rule to allow IKE traffic between center gateway and peer gateway?

2. is the  "accept all encrypted traffic on "both center and satellite gateways need to be checked"  on Encrypted traffic?

0 Kudos
6 Replies
AlekseiShelepov
Advisor
‎2018-11-29 01:55 AM

You already asked similar questions here previously - IPsec tunnel encryption

Enable viewing on Implied rules in your Dashboard and see if the traffic for VPN tunnel would be accepted. Most probably you already have rule like this:

It is enabled by "Accept control connections" parameter in Global Properties. But it allows IKE communications only to this gateway itself, not to other gateways through it.

Enabling "accept all encrypted traffic" will allow all traffic trough this VPN tunnel, it has nothing to do with establishing tunnel. If you check it you will not be able to control what traffic from or to the peer is allowed.

See this comment: Site-to-Site VPN access restriction 

Brianpiraty_Ale
Contributor
‎2018-11-29 07:01 AM
In response to AlekseiShelepov

I don't checked the accept control connections on the global properties. I don't see a rule as mentioned by you on implied rules

But I see one look like below.

source                                                             destination                                                        VPN         services                                                    action

EncDomain.HubGws@VPNcommunity         Enc.domain.spokesGws@VPNcommunity         any        EncryptedSerivces@vpncommunity         encrypt &continue

0 Kudos
AlekseiShelepov
Advisor
‎2018-11-29 07:25 AM
In response to Brianpiraty_Ale

So, you have R80.X version.

As I understand, this type of rule is used to encrypt traffic between encryption domains of peers (inside VPN tunnel) only, but does not act as an access rule.

If you don't have implied rules enabled by "Accept control connections" in Global Properties, then you need to configure all management and control access manually, including traffic for establishing VPN tunnel.

Brianpiraty_Ale
Contributor
‎2018-11-29 11:39 AM
In response to AlekseiShelepov

VPN works fine. I see that tunnel established and the traffic encrypted between the encryption domain. But I don't have any explicit rule to allow IKE connections!

still I need to create a rule?

0 Kudos
AlekseiShelepov
Advisor
‎2018-11-29 01:10 PM
In response to Brianpiraty_Ale

If it works, why do you need to add rules then? I thought that you're trying to plan for a new VPN tunnel or to find out why it is not working.


Could you check in logs by which rule it is allowed? To your gateway, IKE traffic.

Do you really have all implicit rules disabled?

0 Kudos
Brianpiraty_Ale
Contributor
‎2018-11-30 01:38 PM
In response to AlekseiShelepov

in the log it says global security policy.

But I dnt really see any global rules on MDM

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top