I know sk109340 addresses this exact issue, but I am still a little confused about the topic after reading it. The use of an Empty Group Object in an encryption domain is a confusing matter to me. This is the scenario I'm facing.
I have a pair of CloudGuard HA Cluster virtual gateways, and they have a couple of Route Based site-to-site VPNs set up, with Virtual Tunnel Interfaces (VTIs).
An Empty Group Object is created in the policy, and that same Empty Group Object is being used as the Encryption Domain on both the Interoperable Device remote gateways and on the local Gateways. Everything is working with this configuration.
Now I have to set up a new VPN on this Cluster, to a different peer, that will be a Domain Based VPN (from what I understand, this basically just means a VPN without Virtual Tunnel Interfaces and without the "Internal Clear" stuff in the policy rule).
I believe what has to be done is removing the Empty Group Object from Encryption Domain of the local gateway, putting a new Group Object in as the Encryption Domain with the endpoints the new Domain Based VPN peer will be reaching to, and leaving the Encryption Domain of the Existing Route Based VPN Interoperable Objects as the Empty Group Objects.
My biggest concern is provisioning this new VPN without causing the existing ones to stop passing traffic. I don't like the possible scenario where after installing policy, the existing VPNs may start getting "according to policy we shouldn't decrypt the traffic" since I changed that local Encryption Domain to not be an Empty Group Object any more.
My lack of understanding about using an Empty Group in Encryption Domain is causing some doubt. Is there a good resource that explains why Empty Group is used in Check Point and what the difference is between using an Empty Group or a non empty one for Encryption Domains?
Is it not better to make one VPN community that will be domain based and use user-defined encryption groups on both sides?
Just define the encryption domains in the community itself; that way you can leave the empty group.
I think if you read what @Bob_Zimmerman said in this post, it will make lots of sense.
Best,
Andy
Btw, personally, I ALWAYS put empty groups for both enc domains for route based tunnels, NEVER had an issue 🙂
> Is it not better to make one VPN community that will be domain based and use user-defined encryption groups on both sides?
> Just define the encryption domains in the community itself; that way you can leave the empty group.
That would work, for sure.
Andy
Thank you, this worked great. I did not know per-community domains was an option. Very useful.
Leave the empty group defined as the VPN domain on your gateway object and the objects representing your route-based peers.
However on the Participating Gateways screen of the VPN Community object for your domain-based VPN, override the VPN Domain definition for your gateway and the object representing your domain-based peer. Try to make these defined VPN Domain overrides as specific as you can; they should exactly match whatever rules you have permitting the traffic to/from that tunnel. This will minimize the chance of disrupting your existing route-based VPNs.
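The advice above is to keep the per-community VPN Domain overrides as narrow as possible so they do not collide with prefixes that the existing route-based tunnels already carry over their VTIs. The script below is an added example, not code from the thread or from Check Point: it takes a constructed list of prefixes routed into each route-based peer's VTI and a candidate local/remote VPN Domain for the new domain-based community, and reports any overlap before policy is installed. Peer names, prefixes and the `ROUTE_BASED_PREFIXES` table are all made up for illustration.

```python
import ipaddress

# Constructed sample data (assumption, not from the thread): prefixes that
# each existing route-based peer delivers through its VTI, i.e. traffic that
# must keep matching the VTI route and never fall into a domain-based SA.
ROUTE_BASED_PREFIXES = {
    "peer-rb-1": ["10.10.0.0/16", "10.20.0.0/24"],
    "peer-rb-2": ["172.16.5.0/24"],
}


def parse(prefixes):
    """Turn a list of CIDR strings into ip_network objects (hosts allowed)."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def overlaps(domain, route_based):
    """Return (peer, routed_prefix, domain_prefix) for every overlap between a
    candidate VPN Domain and a prefix carried by a route-based tunnel."""
    hits = []
    for d in parse(domain):
        for peer, prefixes in route_based.items():
            for r in parse(prefixes):
                if d.version == r.version and d.overlaps(r):
                    hits.append((peer, str(r), str(d)))
    return hits


def check_domain(local_domain, remote_domain, route_based=ROUTE_BASED_PREFIXES):
    """Check both sides of the proposed domain-based community.

    Returns a dict with ok=True when neither the local override domain nor the
    remote peer's domain overlaps anything the route-based VTIs already carry,
    otherwise the list of conflicts to resolve before installing policy.
    """
    conflicts = {
        "local": overlaps(local_domain, route_based),
        "remote": overlaps(remote_domain, route_based),
    }
    ok = not conflicts["local"] and not conflicts["remote"]
    return {"ok": ok, "conflicts": conflicts}


if __name__ == "__main__":
    # Narrow domains that match the access rules for the new tunnel: clean.
    print(check_domain(["192.168.100.0/24"], ["203.0.113.0/28"]))
    # A lazy local override such as all of 10/8 swallows peer-rb-1's routes.
    print(check_domain(["10.0.0.0/8"], ["203.0.113.0/28"]))
```

Run it with the real prefixes from your VTI routing table and the proposed domains before touching the community; a non-empty conflict list is exactly the situation where the existing route-based peers can start failing after policy install.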
This is what we ended up doing, thank you. Per-community domain configuration.