RS_Daniel
Collaborator

Empty Encryption Domain

Hello CheckMates,

I am facing some doubts with s2s VPNs, hoping you can help. Scenario:

  • Cluster A, 3200 appliances R80.40 JHA Take 94 centrally managed.
  • Cluster B, 5400 appliances R80.40 JHA Take 94 centrally managed (same management).
  • Many remote SMB 1430 appliances R77.20.87 locally managed.

Cluster A has an s2s VPN with every SMB gateway; all 1430 gateways have the option "Route all traffic through this site", so branches use the VPN to access internal resources and the Internet. In this case, cluster A has an empty encryption domain, and the community is configured to "one tunnel per gateway pair". With this configuration the traffic is working ok; traffic is correctly encrypted/decrypted in both directions.

Now we are trying to replicate the scenario with Cluster B and new branches with SMB 1430 too. The difference is that Cluster B has an encryption domain populated with many objects. We tried to use EDPC (encryption domain per community) and used an empty group object for that specific community. The VPN is up and cluster B can ping the branch; the problem is that traffic originated from networks behind cluster B is not encrypted. We checked that the remote encryption domain is not included in any other community/ED. We are not using VTIs in any VPN, only domain based.

So the doubts are: Is it supported to work with empty encryption domains in domain-based s2s VPNs? If so, is it also supported using EDPC? Any idea/recommendation to face the scenario with cluster B? Thanks in advance.

Regards

5 Replies
PhoneBoy
Admin

The Encryption Domain determines what traffic needs to be encrypted for Domain-based VPNs.
When only Route-based VPNs are used, an empty encryption domain is used.
When both are used in the same gateway (which is supported), you will need a non-empty Encryption Domain and the Domain-Based VPN will take priority.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
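
As an added illustration of the rule PhoneBoy states above (not code from the thread or from Check Point), the following simplified model treats a domain-based VPN as "encrypt when the source is in the local encryption domain and the destination is in the peer's encryption domain". The subnets are constructed sample values; the model shows why outbound traffic from behind a gateway whose local ED for the community is empty is routed in the clear, and why a branch with "Route all traffic through this site" (modelled as a remote ED of 0.0.0.0/0) still encrypts Internet-bound traffic. It is a teaching model of the matching logic, not a description of the product's internal implementation.

```python
import ipaddress

# Constructed sample encryption domains (assumptions, not the thread's real topology).
BRANCH_DOMAIN = ["192.168.10.0/24"]                   # SMB 1430 branch LAN
CLUSTER_B_DOMAIN = ["10.20.0.0/16", "10.30.0.0/24"]   # populated local ED
EMPTY_DOMAIN = []                                     # empty group object used with EDPC
ROUTE_ALL = ["0.0.0.0/0"]                             # "Route all traffic through this site"


def in_domain(ip, domain):
    """True if ip falls inside any network of the encryption domain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in domain)


def outbound_decision(src, dst, local_domain, remote_domain):
    """Simplified domain-based VPN matching for traffic leaving a gateway:
    encrypt only when src is in the local ED and dst is in the peer's ED,
    otherwise the packet is forwarded unencrypted."""
    if in_domain(src, local_domain) and in_domain(dst, remote_domain):
        return "encrypt"
    return "clear"


def cluster_b_decisions(src, dst):
    """Evaluate one cluster-B-originated flow against an empty and a populated local ED."""
    return {
        "empty_local_ed": outbound_decision(src, dst, EMPTY_DOMAIN, BRANCH_DOMAIN),
        "populated_local_ed": outbound_decision(src, dst, CLUSTER_B_DOMAIN, BRANCH_DOMAIN),
    }


def branch_decision(src, dst):
    """Branch side: local ED is the branch LAN, remote ED covers everything
    because the branch routes all traffic through the central site."""
    return outbound_decision(src, dst, BRANCH_DOMAIN, ROUTE_ALL)


if __name__ == "__main__":
    print(cluster_b_decisions("10.20.5.7", "192.168.10.25"))
    print(branch_decision("192.168.10.25", "203.0.113.10"))
```

With the empty group as the community's local ED, the cluster-B host to branch host flow is classified "clear", which matches the symptom in the question; the same flow against the populated ED is "encrypt". The branch-side call shows that a host behind the SMB encrypts even Internet-bound traffic, because its remote ED matches any destination.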

RS_Daniel
Collaborator

Hello Phoneboy, 

Thanks for the answer. I am aware of that sk, and have read the admin guides too. I know the traffic should be defined in encryption domains to be encrypted/decrypted, but as I described previously, in the tunnel with cluster A our encryption domain is empty, and it is working ok. That is the question: is this scenario supported?

In case it is supported, cluster B is behaving wrongly and has a problem that should be checked.

In case it is not supported, the wrong behavior is in cluster A.

So in both scenarios (supported/not supported) something is not working as it should. 

Do you know if this scenario is supported?

Regards

PhoneBoy
Admin

Pretty sure using an empty encryption domain with a Domain-based VPN only is not supported.
If you tried to initiate a connection from behind Cluster A to something behind one of the SMB gateways, it would probably fail.
I'm guessing the fact the SMB gateways are initiating the connections and thus having something in the state tables is enough to make it work, at least in one direction.

0 Kudos
Timothy_Hall
Champion

You might still be able to utilize domain-based VPNs with empty VPN domains by setting the subnet_for_range_and_peer directive as specified in Scenario 1 here, as I think this directive ignores the VPN domains and does whatever you tell it to: sk108600: VPN Site-to-Site with 3rd party

While I have used that directive many times, I don't recall ever using it when the specified subnets do not appear in the VPN domains at all, or with an empty VPN domain, so the directive might not work as expected in that scenario.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
the_rock
Authority

I think you got pretty valid responses, but I will share my own experience. I recall a customer once used an empty group as the enc domain on a CP cluster for a route-based VPN and somehow the tunnel did come up, but there were lots of traffic issues. Once we changed it to the actual subnet as the enc domain, all worked fine (now, this was all an actual route-based VPN setup, VTI and all). I tend to agree with PhoneBoy that officially using an empty VPN domain for a domain-based VPN is not supported, but I've seen a customer use it once and they told me TAC never confirmed to them that it was not officially supported, so really hard to say for sure. As I said, I am pretty confident if you do that, the VPN tunnel will come up, but I'm not clear as to what it will advertise in that case (maybe everything??)

0 Kudos