Hi Everyone,
I have some questions on Encryption Domains. We often run into problems setting up site-to-site VPNs, and the solution usually revolves around the encryption domain we have set up for our gateways. What is supposed to be in the encryption domain that is set for the gateway? Is that supposed to be our network IP addresses that other site-to-site VPNs need to access, or should it be the IP addresses of resources we need to access on the non-local side (other company/partner/etc.) of the VPN?
For example, let's say we have the following networks that have resources our partners need to access, all defined in the group:
Group_Our_Resources:
192.168.1.0/24, 192.168.2.0/24, 10.245.0.0/16, 10.30.22.0/24
Our partners will be coming over the site-to-site VPN from the following IP ranges, which I'll show as groups:
Group_Partner_one_incoming:
10.203.5.0/24
Group_Partner_two_incoming:
10.205.8.0/24
And our partners have the following networks with information we need to access defined by the below groups:
Group_Partner_1_resources:
10.127.2.0/24
Group_Partner_2_resources:
172.28.5.0/24
Group_Partner_3_resources:
192.168.57.0/24
Our encryption domain defined in the gateway under Network Management\VPN Domain\Manually defined is a group called:
Group_Our_Encryption_Domain
What should be in Group_Our_Encryption_Domain? Is it the group that contains the resources our partners need to access? Is it the groups that contain the resources located at our partners that we need to access? Is it both?
I am pretty sure that the encryption domain defined for the Interoperable Devices under Topology\VPN Domain would be the group that contains the networks that our partners will be coming from (i.e. Group_Partner_one_incoming for Partner 1's Interoperable Device, Group_Partner_two_incoming for Partner 2's Interoperable Device, etc.).
To add to the mix, if we have a remote access VPN, can we set a separate encryption domain, and would that encryption domain be all the resources we want available over the remote access VPN? I assume that is possible, as there is a "Set domain for Remote Access Community" button in the gateway under Network Management\VPN Domain\
Currently our Group_Our_Encryption_Domain contains every network we have. This is most likely a by-product of the gateways getting updated from previous devices, and the config just being imported to make sure everything still works. Add to the mix that there is a second cluster of firewalls in another location that has the same Group_Our_Encryption_Domain defined, so that in the event our internet link in our primary datacenter goes down, we can change DNS to point to the internet link in the secondary datacenter and all our VPNs still work. The two Check Point clusters are managed by the same Check Point Security Management Server.
Our current version is R80.20 JHF 188.
Hopefully this isn't too confusing.
Thanks,
Jeff
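As an added illustration (not part of Jeff's post, and not Check Point code), the script below models the standard IPsec domain-matching rule a gateway applies: a packet is sent into a tunnel when its source lies in the local VPN domain and its destination lies in exactly one peer's VPN domain. It also reports overlaps between domains, since a network that appears in more than one domain is a common cause of tunnel selection problems. The sample groups are taken from the post; the assumption that each peer's domain is the union of the addresses its traffic comes from and the addresses it hosts is hypothetical and made only for the example.

```python
from ipaddress import ip_network, ip_address
from itertools import combinations

# Constructed sample based on the groups in the post above.
LOCAL_DOMAIN = ["192.168.1.0/24", "192.168.2.0/24", "10.245.0.0/16", "10.30.22.0/24"]
# Hypothetical peer domains: incoming ranges plus hosted resources per partner.
PEER_DOMAINS = {
    "Partner_1": ["10.203.5.0/24", "10.127.2.0/24"],
    "Partner_2": ["10.205.8.0/24", "172.28.5.0/24"],
    "Partner_3": ["192.168.57.0/24"],
}


def _nets(cidrs):
    return [ip_network(c) for c in cidrs]


def in_domain(addr, cidrs):
    """True if addr falls inside any network of the given domain."""
    a = ip_address(addr)
    return any(a in n for n in _nets(cidrs))


def tunnel_for(src, dst, local=LOCAL_DOMAIN, peers=PEER_DOMAINS):
    """Return the peer whose tunnel would carry src->dst, or None when
    no domain pair matches (the gateway would not encrypt the packet)."""
    if not in_domain(src, local):
        return None
    matches = [p for p, cidrs in peers.items() if in_domain(dst, cidrs)]
    if len(matches) > 1:
        # Ambiguous: the destination sits in more than one peer's domain.
        raise ValueError(f"{dst} matches several peer domains: {matches}")
    return matches[0] if matches else None


def overlaps(local=LOCAL_DOMAIN, peers=PEER_DOMAINS):
    """List (domain_a, domain_b, net_a, net_b) for every pair of networks
    that overlap across two different domains, local domain included."""
    domains = {"local": _nets(local), **{p: _nets(c) for p, c in peers.items()}}
    found = []
    for (name_a, nets_a), (name_b, nets_b) in combinations(domains.items(), 2):
        for a in nets_a:
            for b in nets_b:
                if a.overlaps(b):
                    found.append((name_a, name_b, str(a), str(b)))
    return found


if __name__ == "__main__":
    print(tunnel_for("192.168.1.10", "10.127.2.5"))  # Partner_1
    print(overlaps())                                 # [] for the sample
```

Running `overlaps()` against a full export of the gateway's domain groups is the quickest way to spot a network that has crept into both the local domain and a partner's domain.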