khineminn
Participant

Multiple IPsec Tunnel Configuration - Checkpoint SMB

Hello Dears,

I would like to create two tunnels with peer sides and allow separate local encryption domain IPs for each tunnel as follows (I don't want to use the full subnet).

Tunnel 1 - Local ED 192.168.1.100 Remote ED 10.10.10.0/24

Tunnel 2 - Local ED 192.168.1.200 Remote ED 10.20.30.0/24

I think the configuration for Remote ED is okay and it's with dedicated VPN sites. However, for Local ED, I have no idea how to configure it and how to separate it for each tunnel.

0 Kudos
4 Replies
CaseyB
Advisor

As long as you are on R80.40+, you can use granular encryption domains to accomplish this task.

  • Local FW - Build a network group with the two local ED IPs defined as /32 subnets.
  • Remote FW - Build a network group with the two remote subnets.
  • Build a mesh / star VPN community and use the above created network groups as the granular encryption domains and leave it as subnet to subnet IKE exchange.
  • Create FW rules as needed.
0 Kudos
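
An added example, not part of the reply above and not Check Point code: a simplified model of the two network groups from that reply, listing which local/remote pairs fall inside the grouped encryption domains beyond the two tunnels the question asks for, so the firewall rules in the last step can be written to cover them. It assumes a grouped domain matches any local member against any remote member; the function names are hypothetical.

```python
import ipaddress
from itertools import product

# Addresses taken from the question; the matching model is an assumption.
INTENDED = [
    ("192.168.1.100/32", "10.10.10.0/24"),  # Tunnel 1
    ("192.168.1.200/32", "10.20.30.0/24"),  # Tunnel 2
]
LOCAL_GROUP = ["192.168.1.100/32", "192.168.1.200/32"]
REMOTE_GROUP = ["10.10.10.0/24", "10.20.30.0/24"]


def _net(cidr):
    return ipaddress.ip_network(cidr)


def group_pairs(local_group, remote_group):
    """Every local/remote combination the two groups admit (cross product)."""
    return {(_net(l), _net(r)) for l, r in product(local_group, remote_group)}


def unintended_pairs(intended, local_group, remote_group):
    """Pairs inside the grouped domains that are not one of the wanted tunnels."""
    wanted = {(_net(l), _net(r)) for l, r in intended}
    return sorted(group_pairs(local_group, remote_group) - wanted)


def classify(src, dst):
    """Label one flow: a wanted tunnel, in-domain but unwanted, or outside."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (l, r) in enumerate(INTENDED, 1):
        if s in _net(l) and d in _net(r):
            return f"tunnel-{i}"
    if any(s in l and d in r for l, r in group_pairs(LOCAL_GROUP, REMOTE_GROUP)):
        return "in-domain-unintended"
    return "outside-domain"


if __name__ == "__main__":
    for local, remote in unintended_pairs(INTENDED, LOCAL_GROUP, REMOTE_GROUP):
        print(f"needs an explicit firewall rule decision: {local} -> {remote}")
    # Constructed sample flows
    for flow in [("192.168.1.100", "10.10.10.5"), ("192.168.1.100", "10.20.30.5"),
                 ("192.168.1.50", "10.10.10.5")]:
        print(flow, classify(*flow))
```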
khineminn
Participant

We are using Checkpoint Spark SMB 1800 with R81.10.10 and local management. Is there any configuration example to set up multiple tunnels like this?

0 Kudos
CaseyB
Advisor

I am not familiar with local management configuration of the SMB devices. If I had a spare SMB gateway, I could probably mock something up real quick, but none of my current SMB devices run R81.10.

0 Kudos
PhoneBoy
Admin

If this is locally managed, you're probably going to have to hack .def files to achieve the desired result, for example Option 1 in: https://support.checkpoint.com/results/sk/sk108600 

0 Kudos
