This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alan_Camelo1
Contributor
‎2020-01-23 02:06 AM

Domain based VPN to ANY (0.0.0.0/0) R80.20 question

Hi All,

I am trying to create a VPN to a 3rd party using a backup Tunnel where possible using a destination of ANY on http/https. I only want this rule to be hit after other rules that will NOT route through the tunnel so it will be lower in the rule base. My questions are

1. Can I use a VPN to ANY 0.0.0.0 using Domain based VPN as I only want this rule to be hit after other rules have been satisfied.

2. When defining the local domain e.g 172.16.10.0/24 do I just add it to the Topology/VPN part? what if other subnets exist do they need to be added to the SA? 

3. Can I add a backup tunnel into the start community? if so what is the metric or mechanism that says primary is A secondary is B?

Thanks in advance

Al

0 Kudos
7 Replies
G_W_Albrecht
Legend Legend
Legend
‎2020-01-23 02:58 AM

Apart from CP R80.20 SitetoSite VPN AdminGuide you should look into:

sk44852: How to configure a Site-to-Site VPN with a universal tunnel

sk108600: VPN Site-to-Site with 3rd party

sk104760: ATRG: VPN Core

sk164355: VPN redundancy does not work when establishing an IPsec VPN Tunnel with a third-party peer

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Alan_Camelo1
Contributor
‎2020-01-23 03:22 AM
In response to G_W_Albrecht

Thanks for the quick reply, the setup in sk44852 seems more relevant but it implies that you want to send all Zeros as a local network, what I want is the remote defined as all Zero's 0.0.0.0/0.
"the local Check Point Security Gateway will send all 0's (zero's) for the network address and netmask for these networks:"
0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2020-01-23 03:54 AM
In response to Alan_Camelo1

sk44852  is the solution, just read it more carefully:

Topology:

 

(internal network 10.2.2.0/24)-[Check Point Security Gateway]---{universal VPN tunnel}---(IP 172.16.5.10)-[Remote VPN Peer]-(internal network 192.168.4.0/24)

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Alan_Camelo1
Contributor
‎2020-01-23 05:26 AM
In response to G_W_Albrecht

Thank you, appreciate your help. Just to clarify this is for the remote encryption domain right? I have read it again and its still not very clear.
0 Kudos
Bob_Zimmerman
Authority
Authority
‎2020-01-24 06:14 AM
In response to G_W_Albrecht

From my reading, sk44852 is only about the negotiation. I hesitate to recommend user.def modifications in any circumstance because they're extremely easy to forget when upgrading a SmartCenter. In this case, a universal negotiation could be forced easily enough using the community.

I'm not sure a universal negotiation is the problem, though. There is no way to specify a rule is only valid when not using a VPN. All you can do is specify the rule isn't restricted to a particular VPN. I think a route-based VPN is the solution to that part of the requirements, and they negotiate universal tunnels as a side-effect of how they work. You still can't say a rule only works for traffic not using the VPN, but you can use the routing table to select whether the VPN or some other connection should be tried first.

0 Kudos
Alan_Camelo1
Contributor
‎2020-01-27 12:44 AM
In response to Bob_Zimmerman

Many thanks for all your help and comments, I will continue to research and if I find anything I'll let you know.

0 Kudos
Alan_Camelo1
Contributor
‎2020-02-27 01:17 AM
In response to Bob_Zimmerman

Hi All,

Many thanks for your comments, I managed to get a routed VPN up and running with a 3rd party vendor and all seems OK apart from some issues with getting to a host behind the vpn. I added a vti interface and attached to the remote end point defined then added a static route and all seems to be in place. However I have noticed the following route.

C 0.0.0.0/26 is directly connected, vpnt10(down)

when doing a vpn tu the p1 and p2 are up so all appears OK, can anyone please comment on the above route and why it mentions down? Also when I look at the vti interface counters they do increase when sending some test traffic.

Thanks in advance

 

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events