I have 2 ClusterXL sites in 2 separate data centers, managed by the same management server.
The VPN client auto configures itself with a drop down for either site and secondary connect even works for non-overlapping addresses.
However, I have VLANs that are stretched/shared between both sites. SmartConsole allows me to add this network to both sites' encryption domains in the RemoteAccess community, but warns me about overlap when installing policy.
What is the best way to ensure if ClusterXL Site1 goes down, I can still access the stretched VLAN by simply selecting the 2nd site from the VPN client?
@dphonovation Scenarios 1 and 5 describe your issue:
Troubleshooting Overlapping Encryption Domains Issues
For RemoteAccess VPN, partially overlapping encryption domains are not supported. You have to use MEP (Multiple Entry Points) or Secondary Connect; both have different requirements.
Interesting. Thanks.
I don't see all the tunnel/MEP management options for the pre-built "RemoteAccess" community so it seems that based on this statement:
Officially, MEP is only supported when the Security Gateways have completely overlapping Remote Access encryption domains, and Secondary Connect is only supported when the Security Gateways have completely separate Remote Access encryption domains, with no overlap at all.
When there are "partially overlapping encryption" domains, the configuration does not fully fit the MEP, and also the Secondary Connect Encryption domain requirements. Therefore, this warning message pops-up in order to warn the administrator that it might affect the use of these features.
To prevent this error message and not to affect the MEP and Secondary Connect features, avoid configuring partial encryption domains inside the Remote Access community.
... all I would need to do is ensure both gateways have the exact same encryption domains?
This would be OK except they both have a unique VLAN on each side as well. I suppose mixing the two is what's not supported.
Just reading this:
Following the primary/backup scenario
To configure the backup Security Gateway settings:
Click Gateways & Servers and double-click the primary Security Gateway.
The Security Gateway Properties window opens and shows the General Properties page.
From the navigation tree, click IPsec VPN.
Click Use BackupGateways.
From the drop-down menu, select the backup Security Gateway.
Determine if the backup Security Gateway uses its own VPN domain.
To configure the backup Security Gateway that DOES have a VPN domain of its own:
Make sure that the IP address of the backup Security Gateway is not included in the VPN domain of the primary Security Gateway.
For each backup Security Gateway, define a VPN domain that does not overlap with the VPN domain of the other backup gateways.
So I'm a bit confused. The sk says the RemoteAccess community must be the same.
But this documentation seems to imply the backup can indeed have its own domain.
So what do I set up in the RemoteAccess community for each cluster's VPN domain? The same encryption domain on both? Or a group that has both the shared encryption domain + the unique network on each side - for each member?
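A small check, added here and not part of this thread or any Check Point tool, that applies the three cases the sk quoted above distinguishes (fully overlapping = MEP, completely separate = Secondary Connect, partial = unsupported) to two Remote Access encryption domains. The site networks are constructed to mirror the poster's setup: one stretched VLAN shared by both data centers plus one VLAN unique to each site.

```python
from ipaddress import ip_network, collapse_addresses

# Constructed sample mirroring the thread: a stretched VLAN present in both
# sites' domains plus one site-only VLAN each. All addresses are made up.
SITE1_DOMAIN = ["10.10.0.0/24", "10.1.0.0/24"]   # stretched VLAN + Site1-only VLAN
SITE2_DOMAIN = ["10.10.0.0/24", "10.2.0.0/24"]   # stretched VLAN + Site2-only VLAN


def normalize(domain):
    """Parse CIDR strings and merge adjacent/nested networks (IPv4 only), so
    that 10.0.0.0/24 + 10.0.1.0/24 compares equal to 10.0.0.0/23."""
    return sorted(collapse_addresses(ip_network(n, strict=False) for n in domain))


def shared_networks(domain_a, domain_b):
    """Return the (a, b) network pairs that overlap. These are the ranges that
    make SmartConsole raise the overlap warning at policy installation."""
    return [(x, y) for x in normalize(domain_a)
            for y in normalize(domain_b) if x.overlaps(y)]


def classify(domain_a, domain_b):
    """Map two encryption domains to the sk's three cases. A one-sided
    containment (A strictly inside B) is deliberately treated as 'partial',
    since the domains are then neither identical nor separate."""
    a, b = normalize(domain_a), normalize(domain_b)
    if a == b:
        return "identical"
    if not shared_networks(domain_a, domain_b):
        return "disjoint"
    return "partial"


FEATURE = {
    "identical": "MEP (fully overlapping Remote Access domains)",
    "disjoint": "Secondary Connect (no overlap at all)",
    "partial": "not supported: partially overlapping domains",
}

if __name__ == "__main__":
    verdict = classify(SITE1_DOMAIN, SITE2_DOMAIN)
    print(verdict, "->", FEATURE[verdict])
    for x, y in shared_networks(SITE1_DOMAIN, SITE2_DOMAIN):
        print("overlapping:", x, "and", y)
```

Running it on the constructed domains reports "partial" and names the stretched VLAN as the overlapping range, which is exactly the combination the sk says neither feature covers.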