This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BC_AMD
Explorer
‎2022-05-26 10:28 AM

3rd Party Peer VPN Settings

Hello Checkmates community!  I am having some trouble getting a site-to-site VPN working and I hope that someone can confirm our approach and/or some settings for me. We have a case open with TAC but unfortunately it is difficult to get downtime to work this out so I hope someone here has some experience with a similar scenario.

We have a 3rd party peer VPN where we would like to tunnel all traffic back through our CheckPoint GW so that the devices behind the peer can reach internal destinations on our LAN as well as the Internet. Essentially they will be acting like a satellite office which should be simple enough.

The third party has set their remote encryption domain to be 0.0.0.0/0. On our side, however, attempting to use 0.0.0.0/0 as our local encryption domain has been problematic with another of our existing tunnels, and so we have reverted to 10.0.0.0/8 on our side, and at the moment our proposals won't match exactly.

checkmates.png

 

The questions I hope people here have the experience to answer are:

1) Is this scenario handled simply by changing the VPN routing to "to center or through the center to other satellites, to Internet and other VPN targets" (and controlling traffic via access policy) or do we need to accommodate the 0.0.0.0/0 vpn domain on our local side somehow?

2) do we need a group with exclusions locally when their side is part of the 10.0.0.0/8 space or is this handled smartly by the gateway since the remote encryption domain is defined?

3) TAC recommended going to one tunnel per gateway pair - along with the VPN routing setting this seems to make sense to keep the number of tunnels down - are their any other implications of doing this?

 

Thanks

Labels
0 Kudos
4 Replies
skandshus
Advisor
‎2022-05-26 11:56 AM

hmm on the remote site. i dont think you need to do a 0.0.0.0/0 in the "vpn domain"

you just need to make the tunnel work with "normal" subnets. and then just set a static route on the peer side with 0.0.0.0 and set next hop/step correctly? would be my bet..

 

 

dont think you need to "Put" the 0.0.0.0/0 subnet in the vpn domain/community..

BC_AMD
Explorer
‎2022-05-27 05:31 AM
In response to skandshus

Appreciate the reply!  We're not really in control of the other side but they are sending all traffic to us. 

If we leave our side defined as our LAN and use the VPN routing setting to allow routing to the Internet, you think that is sufficient in this case?

0 Kudos
the_rock
Legend
Legend
‎2022-05-27 06:53 AM
In response to BC_AMD

I never really tried this, but you could try set empty enc domain for interoperable object. Well, thats not true, I did it few times, but ONLY for route based VPNs. never domain based, so cant say if it would work, but worth a try.

0 Kudos
the_rock
Legend
Legend
‎2022-05-26 01:08 PM

I agree 100% with @skandshus 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events