Hello Checkmates community! I am having some trouble getting a site-to-site VPN working and I hope that someone can confirm our approach and/or some settings for me. We have a case open with TAC but unfortunately it is difficult to get downtime to work this out so I hope someone here has some experience with a similar scenario.
We have a 3rd party peer VPN where we would like to tunnel all traffic back through our CheckPoint GW so that the devices behind the peer can reach internal destinations on our LAN as well as the Internet. Essentially they will be acting like a satellite office which should be simple enough.
The third party has set their remote encryption domain to be 0.0.0.0/0. On our side, however, attempting to use 0.0.0.0/0 as our local encryption domain has been problematic with another of our existing tunnels, and so we have reverted to 10.0.0.0/8 on our side, and at the moment our proposals won't match exactly.
The questions I hope people here have the experience to answer are:
1) Is this scenario handled simply by changing the VPN routing to "to center or through the center to other satellites, to Internet and other VPN targets" (and controlling traffic via access policy), or do we need to accommodate the 0.0.0.0/0 VPN domain on our local side somehow?
2) Do we need a group with exclusions locally when their side is part of the 10.0.0.0/8 space, or is this handled smartly by the gateway since the remote encryption domain is defined?
3) TAC recommended going to one tunnel per gateway pair - along with the VPN routing setting this seems to make sense to keep the number of tunnels down - are there any other implications of doing this?
Thanks
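Questions 1 and 2 above come down to which addresses fall into which encryption domain. The script below is an added example, not Check Point code and not something posted in this thread; it models that overlap with Python's ipaddress module. The local domain 10.0.0.0/8 is taken from the post; the peer LAN 10.200.0.0/16 and the hosts used in the flows are constructed placeholders standing in for "their side is part of the 10.0.0.0/8 space". The matching rule it applies (a flow is VPN traffic when the source is in one domain and the destination in the other) is a deliberately simplified model of domain-based VPN matching, not a statement of the gateway's exact algorithm. It shows what a "group with exclusions" carves out of 10.0.0.0/8, and that Internet-bound traffic from the peer does not match either domain by address alone, which is the case question 1 is about.

```python
"""Model the encryption-domain overlap described in the post.

Added example, not Check Point code. LOCAL_DOMAIN is from the post; the
peer LAN and the host addresses below are constructed placeholders. The
matching rule (source in one domain, destination in the other) is a
simplified model of domain-based VPN matching.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Net = ipaddress.IPv4Network

# From the post: our side reverted to 10.0.0.0/8 as the local domain.
LOCAL_DOMAIN = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed: the peer's LAN, placed inside 10.0.0.0/8 to reproduce question 2.
PEER_DOMAIN = [ipaddress.ip_network("10.200.0.0/16")]


def overlapping_pairs(local: Iterable[Net], peer: Iterable[Net]) -> List[Tuple[Net, Net]]:
    """Every (local, peer) subnet pair that overlaps; an address inside such a
    pair belongs to both encryption domains at once."""
    return [(l, p) for l in local for p in peer if l.overlaps(p)]


def with_exclusions(domain: Iterable[Net], exclusions: Iterable[Net]) -> List[Net]:
    """Model a 'group with exclusions': the domain minus every excluded subnet,
    returned as a sorted list of non-overlapping subnets."""
    result = list(domain)
    for ex in exclusions:
        carved: List[Net] = []
        for net in result:
            if ex.subnet_of(net):
                # address_exclude yields the pieces of `net` not covered by `ex`
                carved.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # entirely inside the exclusion: drop it
            else:
                carved.append(net)
        result = carved
    return sorted(result)


def is_vpn_traffic(src: str, dst: str, local: Iterable[Net], peer: Iterable[Net]) -> bool:
    """Simplified domain match: source in one domain and destination in the other."""
    local, peer = list(local), list(peer)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def member(addr, nets):
        return any(addr in n for n in nets)

    return (member(s, local) and member(d, peer)) or (member(s, peer) and member(d, local))


def report() -> Dict[str, object]:
    """Summarise the situation before and after carving the peer LAN out."""
    fixed_local = with_exclusions(LOCAL_DOMAIN, PEER_DOMAIN)
    return {
        "overlap_before": overlapping_pairs(LOCAL_DOMAIN, PEER_DOMAIN),
        "overlap_after": overlapping_pairs(fixed_local, PEER_DOMAIN),
        "local_with_exclusions": fixed_local,
        # LAN host to peer host: matches the domains, so it is tunnelled
        "lan_to_peer": is_vpn_traffic("10.1.1.1", "10.200.5.5", fixed_local, PEER_DOMAIN),
        # peer host to the Internet (203.0.113.10 is a documentation address):
        # no domain contains the destination, so address matching alone does
        # not tunnel it; this is the question-1 case
        "peer_to_internet": is_vpn_traffic("10.200.5.5", "203.0.113.10", fixed_local, PEER_DOMAIN),
        # LAN to LAN: both ends local, not VPN traffic
        "lan_to_lan": is_vpn_traffic("10.1.1.1", "10.2.2.2", fixed_local, PEER_DOMAIN),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Running it prints the single overlapping pair before the exclusion, an empty list after it, and the eight subnets that 10.0.0.0/8 splits into once 10.200.0.0/16 is removed; swapping PEER_DOMAIN for a subnet outside 10.0.0.0/8 shows that no exclusion is needed in that case.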
Hmm, on the remote site, I don't think you need to do a 0.0.0.0/0 in the "VPN domain".
You just need to make the tunnel work with "normal" subnets, and then just set a static route on the peer side with 0.0.0.0 and set the next hop correctly? Would be my bet..
Don't think you need to "put" the 0.0.0.0/0 subnet in the VPN domain/community..
Appreciate the reply! We're not really in control of the other side but they are sending all traffic to us.
If we leave our side defined as our LAN and use the VPN routing setting to allow routing to the Internet, you think that is sufficient in this case?
I never really tried this, but you could try setting an empty encryption domain for the interoperable object. Well, that's not true, I did it a few times, but ONLY for route-based VPNs, never domain-based, so I can't say if it would work, but worth a try.
I agree 100% with @skandshus