This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
VictorPG
Participant
‎2019-09-18 05:12 PM

Question about overlapping vpn domain same management

Hello Everybody,

 

I have a little question that has been bothering me for  while. Let's say that I  have management with a VSX with 2 Virtual Systems (VS_A and VS_B) . The VS_A has a VPN site to site with peerA that has the network 172.16.20.0/24(remote domain) and now I want to create a site to site with VS_B with peerB (a total different site that peerA) that has as remote domain 172.16.20.1, 172.16.20.2 (and maybe also the whole 172.16.20.0/24).

Would this cause overlapping even though are different Firewalls?

If that is the case, is there a way to solve this? (maybe having a multidomain with different CMAs for each VS for example)

 

Thanks in advance

0 Kudos
10 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-09-19 12:39 AM

You can resolve this issue, but: You are forced to do a manual routing, and this will get more and more complicated as new sites are added to the VPN community. See sk31021:

Common VPN routing scenarios can be configured using a VPN star community, but not all VPN routing configuration is handled through SmartDashboard.

VPN routing between Security Gateways (star or mesh) can also be configured by editing the configuration file: $FWDIR/conf/vpn_route.conf.

For information on Route Based VPN, refer to the Route Based VPN section in the R80.10 VPN Site to Site Administration Guide

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
VictorPG
Participant
‎2019-09-19 04:32 AM
In response to G_W_Albrecht

Thank you for the answer. So, according to what you mentioned,  there will be indeed overlapping even if the firewalls are different but are managed by the same Smartcenter.  As you said, It looks that using vpn routing will cause this to  get more difficult to manage with time so I was thinking, if I use a multidomain with different CMA for each Virtual System, I wouldn't this "limitation" (the overlapping in this case), right?

 

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-09-19 04:55 AM
In response to VictorPG

You are missing the problem here - not the same SMS is an issue, but the CP Domain Based VPN ! An Encryption Domain can not contain duplicate subnets or routing will not work. So the solution is not MultiDomain, but no duplicate subnets at all for Domain VPN or no Domain VPN but PBR... 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
VictorPG
Participant
‎2019-09-19 04:59 AM
In response to G_W_Albrecht

Got it!, I'll keep this in mind. Thank you so much!

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-09-19 05:07 AM
In response to VictorPG

More information can be found in CP R80.30 Site to Site VPN AdminGuide, chapter Domain Based VPN p.74f and Route Based VPN p.79f !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
lbcadenco10
Contributor
‎2020-01-21 03:57 PM
In response to G_W_Albrecht

Hi @G_W_Albrecht,

 

I'm a bit confused here as I have a similar, albeit slightly different, scenario I'm looking for assistance with. In my scenario, peerA and peerB will both have VPNs to peerC. So the remote encryption domain does not span multiple peers, however, the local encryption domain on peerA and peerB will contain overlapping subnets. Is this still not supported?

If possible, can you provide assistance in the linked forum post?

0 Kudos
FedericoMeiners
Advisor
‎2020-01-21 04:45 PM
In response to lbcadenco10

MEP (Multiple entry point) VPN may solve your use case

Multiple Entry Point (MEP) VPNs 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
FedericoMeiners
Advisor
‎2019-09-19 05:45 AM

@VictorPG 

I think that we have to divide the question in two parts: Overlapping encryption domains and routing.

VSX is a great way to overcome overlapping of DEs since each VS will have their own VPN Encryption domain and their own VPN tunnels. You can create specific groups for each one with the relevant networks, of course this will depend on your VSX architecture.

The routing issue is how the packet reach the correct VS, after that it will be solved.

Hope it helps!

Federico Meiners

 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
VictorPG
Participant
‎2019-09-19 06:08 AM
In response to FedericoMeiners

But when you say "each VS will have their own VPN Encryption domain and their own VPN tunnels", does this mean only local domain or also remote domain for the peers? if each VS has a vpn with different peers, and in this case the remote domain in the peers is the same (peerA for VS_A and peerB for VS_B), would this cause overlapping between peers (even if the vpns tunnels are for different Virtual Sysmts)?
0 Kudos
FedericoMeiners
Advisor
‎2019-09-19 06:31 AM
In response to VictorPG

@VictorPG It will not cause overlap since peers are associated with a specific S2S VPN, you can have different peers with the same remote encryption domain as long as they are not in the same VS.

What a peer encryption domain does is injecting routes to the routing table so your firewall knows that that IP is reachable via that peer. If you have two peers with the same Remote DE in the same firewall (VS or not) then you will have overlapping routes.

 

 

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top