BC_AMD
Explorer

3rd Party Peer VPN Settings

Hello CheckMates community! I am having some trouble getting a site-to-site VPN working and I hope that someone can confirm our approach and/or some settings for me. We have a case open with TAC but unfortunately it is difficult to get downtime to work this out so I hope someone here has some experience with a similar scenario.

We have a 3rd party peer VPN where we would like to tunnel all traffic back through our Check Point GW so that the devices behind the peer can reach internal destinations on our LAN as well as the Internet. Essentially they will be acting like a satellite office, which should be simple enough.

The third party has set their remote encryption domain to be 0.0.0.0/0. On our side, however, attempting to use 0.0.0.0/0 as our local encryption domain has been problematic with another of our existing tunnels, and so we have reverted to 10.0.0.0/8 on our side, and at the moment our proposals won't match exactly.

The questions I hope people here have the experience to answer are:

1) Is this scenario handled simply by changing the VPN routing to "to center or through the center to other satellites, to Internet and other VPN targets" (and controlling traffic via access policy), or do we need to accommodate the 0.0.0.0/0 VPN domain on our local side somehow?

2) Do we need a group with exclusions locally when their side is part of the 10.0.0.0/8 space, or is this handled smartly by the gateway since the remote encryption domain is defined?

3) TAC recommended going to one tunnel per gateway pair - along with the VPN routing setting this seems to make sense to keep the number of tunnels down - are there any other implications of doing this?

Thanks

0 Kudos
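A small model of the encryption-domain overlap behind question 2, and of the hub-routing case behind question 1, added here as an illustration; it is not code from the thread or from Check Point, and the peer LAN 10.200.0.0/16 and the host addresses are constructed. It carves the peer's subnet out of the 10.0.0.0/8 local domain the way a group with exclusions would, then shows how a reply to a peer host is classified with and without that exclusion.

```python
import ipaddress

# Constructed values (not from the thread): our local encryption
# domain and a hypothetical peer LAN that sits inside 10.0.0.0/8.
LOCAL_DOMAIN = ipaddress.ip_network("10.0.0.0/8")
PEER_LAN = ipaddress.ip_network("10.200.0.0/16")  # hypothetical

def local_domain_with_exclusions(local, exclusions):
    """Model of a 'group with exclusions': carve each excluded peer
    subnet out of the local encryption domain so the sides no longer
    overlap."""
    nets = [local]
    for ex in exclusions:
        carved = []
        for n in nets:
            if ex.subnet_of(n):
                carved.extend(n.address_exclude(ex))
            elif not n.subnet_of(ex):
                carved.append(n)
        nets = carved
    return sorted(nets)

def in_domain(ip, nets):
    return any(ip in n for n in nets)

def classify(src, dst, local_nets, remote_nets):
    """Simplified domain-based decision for a packet leaving our gateway
    (a model for reasoning, not Check Point's implementation):
      local             dst is in our own domain: delivered locally,
                        never enters the tunnel
      encrypt           our domain -> peer domain, normal tunnel match
      needs_hub_routing dst is the peer's but src is not ours (e.g. an
                        Internet reply hairpinning back to the peer);
                        this is what the 'to Internet and other VPN
                        targets' VPN routing option is for
      clear             anything else is routed in the clear"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_domain(dst, local_nets):
        return "local"
    if in_domain(dst, remote_nets):
        return "encrypt" if in_domain(src, local_nets) else "needs_hub_routing"
    return "clear"

if __name__ == "__main__":
    plain = [LOCAL_DOMAIN]
    carved = local_domain_with_exclusions(LOCAL_DOMAIN, [PEER_LAN])
    # Without the exclusion a reply to the peer looks 'local' and bypasses
    # the tunnel; with the exclusion it is encrypted.
    print(classify("10.1.1.1", "10.200.1.5", plain, [PEER_LAN]))   # local
    print(classify("10.1.1.1", "10.200.1.5", carved, [PEER_LAN]))  # encrypt
```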
4 Replies
skandshus
Collaborator

Hmm, on the remote site I don't think you need to do a 0.0.0.0/0 in the "VPN domain".

You just need to make the tunnel work with "normal" subnets, and then just set a static route on the peer side with 0.0.0.0 and set the next hop/step correctly? Would be my bet.

Don't think you need to "put" the 0.0.0.0/0 subnet in the VPN domain/community.

BC_AMD
Explorer

Appreciate the reply! We're not really in control of the other side but they are sending all traffic to us.

If we leave our side defined as our LAN and use the VPN routing setting to allow routing to the Internet, you think that is sufficient in this case?

0 Kudos
the_rock
Champion

I never really tried this, but you could try setting an empty enc domain for the interoperable object. Well, that's not true, I did it a few times, but ONLY for route-based VPNs, never domain-based, so can't say if it would work, but worth a try.

0 Kudos
the_rock
Champion

I agree 100% with @skandshus 

0 Kudos