This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
olpmdER
Participant
Participant
‎2024-08-22 06:03 AM

Domain based VPN, route all traffic through VPN

Hello,

We currently have a VSX environment running on version R80.40, which does not support VTI.

Therefore, the only viable solution is to use Domain-based VPN.

Our network configuration is as follows:

Our Networks => CheckPoint Gateway => 3rd Party Gateway (PaloAlto) => Internet

We aim to establish an IPsec VPN between our CheckPoint Gateway and the 3rd Party Gateway, where the tunnel IPs use private addresses.

Our objective is to route all our networks traffic through this VPN to access the internet. 

this setup can be feasible?

We plan to implement a Star Community setup, using the third option in VPN routing, with the 3rd Party Gateway as the Center Gateway and our CheckPoint Gateway as the Satellite. However, on the CheckPoint Gateway, for the VPN domain on our side, we can define our networks, but on the other side, can we specify 0.0.0.0/0 as the VPN domain?  will this configuration work?

Thank you.

Labels
0 Kudos
10 Replies
the_rock
Legend
Legend
‎2024-08-22 07:53 AM

I know 2 customers who did it that way, worked fine, no issues. It was with Cisco and Fortigate, but I dont think that matters at all.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-08-22 07:56 AM

Also, I made below post few months back, see if it helps you. Here is IMPORTANT thing to remember...IF you will see UNNUMBERED vti's, which is fine, dont freak out if same IP pops up in topology as actual external IP, as thats totally normal, BUT, do make sure route poits to correct remote subnet and it uses that vti interface.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

0 Kudos
olpmdER
Participant
Participant
‎2024-08-22 08:05 AM
In response to the_rock

Thank you, Andy, for your response.

However, this isn't applicable to our implementation since we cannot use VTI. We currently have a VSX environment running on version R80.40, which does not support VTI. Therefore, the only option available to us is a Domain-based VPN.

0 Kudos
the_rock
Legend
Legend
‎2024-08-22 08:06 AM
In response to olpmdER

Right, I read that part, I was more just sending it for reference. Either way, works fine with domain based, thats what those 2 customers did actually.

Andy

0 Kudos
olpmdER
Participant
Participant
‎2024-08-26 07:02 AM
In response to the_rock

Thank you for providing the files; they will be very helpful for us.

We are currently facing a challenge related to encryption domains.
On our side (CheckPoint).
We need to configure our networks in the source domain
In the destination domain : 0.0.0.0/0 and excluding our networks to avoid overlaps.

Regarding the encryption domains from the 3rd Party Firewall:

  • Source domain: 0.0.0.0/0, excluding local addresses and CheckPoint networks
  • Destination: CheckPoint Networks

=> Our concern is that if we configure it this way, when the 3rd party firewall receives traffic from our side to the internet, will the firewall route it again through the VPN because of the 0.0.0.0/0 configuration in the source side domain?, or will it simply use its own default gateway to route the trafic comming from the VPN to internet.
Thank you.

0 Kudos
the_rock
Legend
Legend
‎2024-08-26 07:07 AM
In response to olpmdER

It all depends how route is configured, also if you are using VTI, numbered or unnumbered.

Andy

0 Kudos
olpmdER
Participant
Participant
‎2024-08-26 07:34 AM
In response to the_rock

We don't use VTI We use only, domain based VPN. 

0 Kudos
the_rock
Legend
Legend
‎2024-08-26 07:38 AM
In response to olpmdER

Sorry, silly me, keep forgetting. Then make sure regular routes are correct.

0 Kudos
olpmdER
Participant
Participant
‎2024-08-26 07:52 AM
In response to the_rock

Your help has been invaluable, So please, feel free to keep forgetting  😂
If the regular route works as expected, our traffic will not return to the VPN due to the 0.0.0.0/0 entry in the source domain of the third-party firewall. Instead, it will route directly to the internet, following the default gateway. Is that correct?

0 Kudos
the_rock
Legend
Legend
‎2024-08-26 08:20 AM
In response to olpmdER

No worries, we are all here to help mate.

Yes, that statement sounds right. So if regular route works as intended, then thats what it will take precedence. Otherwise, whatever is in the VPN domain would technically go through the tunnel. Makes sense?

Andy

I attached basic example my colleague made while back. I know its generic, but hope its useful.

Preview file
149 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events