Reyman2021
Participant

Route Based VPN with Domain Based VPN

I just want to ask if this setup is feasible:

- Currently my firewall has a VPN tunnel with a route-based VPN setup (dynamic routing) to a 3rd-party Check Point firewall. Basically my VPN domain is empty, as this is a requirement for the route-based VPN setup.

- Now I have a new, different 3rd-party site where the planned setup is the traditional domain-based VPN, which will require us to define a network in my VPN domain (not empty). Because of this, I am not able to define a network, as the VPN domain is used by the route-based VPN for dynamic routing on my other VPN tunnel.

My question is whether this new domain-based VPN will still work even if my defined VPN domain is empty.

Kindly note that the current version is R80.20 only. Therefore, we don't have a separate VPN domain per community.

6 Replies
Timothy_Hall
Champion

Basically my VPN domain is empty as this is a requirement for route based vpn setup.

This is not completely accurate but is recommended to avoid confusion.  My understanding of how the Check Point firewall determines whether traffic should be encrypted into a VPN (also referred to as "interesting traffic" in the Cisco world) happens in this order:

0) First off, the traffic must be accepted by the security policy.

1) Between inspection points i and I prior to routing, if the packet's source IP falls into our firewall's defined VPN domain AND (not or) the destination IP falls inside the defined VPN domain of a VPN peer, the traffic will be encrypted regardless of what route-based VPN determines.

2) If the IP route matching this packet leads to a VPN Tunnel Interface (VTI), the traffic will be encrypted.  If the route leads to a regular physical/logical interface the traffic will not be encrypted.

The reason why it is frequently recommended to define an empty VPN domain for your firewall with route-based VPNs in use is to avoid a situation in #1 where the domains force encryption first but routing does not.  If the domains determine that traffic needs to be encrypted, it will be encrypted no matter what routing says, full stop.  If the domains do not match for encryption, route-based VPN still has the opportunity to either encrypt or forward in the clear based on routing.

So you can mix domain-based and route-based VPNs on your firewall with a non-empty VPN domain defined for your firewall, just keep in mind that if domain-based VPN specifies encryption it will trump whatever route-based VPN specifies.  So if you are going to do this mix you will need to have an empty VPN domain defined for the *peer* VPN objects for which you want to use route-based VPN, to ensure that domain-based VPN does not improperly override what you want to do with that route-based VPN peer.


"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
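The three-step decision order described in the reply above (policy accept, then VPN-domain match, then route lookup) is easy to reason about in a small model. The following is an added illustration written for this page, not Check Point code: the Gateway and Route structures, the "vti-" interface-name convention, the peer names and all addresses are assumptions made for the example. It shows the failure mode the reply warns about (the peer object for a route-based tunnel carrying a non-empty VPN domain, so domain-based matching forces encryption for a prefix that routing currently sends out a physical interface) next to the recommended configuration (empty VPN domain on that peer object, non-empty domain on the local gateway for the domain-based peer).

```python
"""Toy model of the encryption decision order described in the reply above.

Added illustration, not Check Point code. The Gateway/Route structures, the
"vti-" interface-name convention and the sample addresses are assumptions
made for the example; step numbering follows the reply (0: policy, 1: VPN
domains, 2: route lookup).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str                 # destination prefix, e.g. "10.20.0.0/16"
    interface: str              # "vti-peerA" for a VTI, "eth1" for a physical interface
    peer: Optional[str] = None  # VPN peer behind the VTI, if any


@dataclass
class Gateway:
    local_domain: List[str]             # our own VPN domain; [] means "empty"
    peer_domains: Dict[str, List[str]]  # peer name -> that peer object's VPN domain
    routes: List[Route] = field(default_factory=list)


def in_any(ip: str, prefixes: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def lookup_route(gw: Gateway, dst: str) -> Optional[Route]:
    """Longest-prefix match over the gateway's routing table."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in gw.routes if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)


def decide(gw: Gateway, src: str, dst: str, policy_accepts: bool = True) -> Tuple[str, str]:
    """Return (action, reason); action is 'drop', 'encrypt:<peer>' or 'clear:<iface>'."""
    # Step 0: the security policy must accept the packet first.
    if not policy_accepts:
        return ("drop", "policy")
    # Step 1: src in OUR domain AND dst in a PEER's domain -> encrypt; routing is not consulted.
    if in_any(src, gw.local_domain):
        for peer, domain in gw.peer_domains.items():
            if in_any(dst, domain):
                return (f"encrypt:{peer}", "domain")
    # Step 2: otherwise routing decides: a route via a VTI encrypts, anything else is cleartext.
    route = lookup_route(gw, dst)
    if route is None:
        return ("drop", "no-route")
    if route.interface.startswith("vti-"):
        return (f"encrypt:{route.peer}", "route")
    return (f"clear:{route.interface}", "route")


# Constructed sample topology (assumption): peerA is route-based over a VTI with
# dynamically learned routes, peerB is a traditional domain-based peer.
ROUTES = [
    Route("10.20.0.0/16", "vti-peerA", peer="peerA"),  # learned over the tunnel
    Route("10.20.5.0/24", "eth1"),                     # more specific prefix currently routed in the clear
    Route("0.0.0.0/0", "eth0"),
]
LOCAL_DOMAIN = ["192.168.1.0/24"]  # non-empty: required for the domain-based peer
PEER_B_DOMAIN = ["172.16.0.0/16"]


def conflicting_gateway() -> Gateway:
    """peerA's object carries a VPN domain even though the tunnel is route-based."""
    return Gateway(LOCAL_DOMAIN, {"peerA": ["10.20.0.0/16"], "peerB": PEER_B_DOMAIN}, ROUTES)


def recommended_gateway() -> Gateway:
    """peerA's object has an empty VPN domain, so only routing decides for it."""
    return Gateway(LOCAL_DOMAIN, {"peerA": [], "peerB": PEER_B_DOMAIN}, ROUTES)


if __name__ == "__main__":
    for name, gw in (("conflicting", conflicting_gateway()), ("recommended", recommended_gateway())):
        print(name)
        print("  to peerB network        :", decide(gw, "192.168.1.10", "172.16.3.4"))
        print("  to peerA via VTI        :", decide(gw, "192.168.1.10", "10.20.1.1"))
        print("  to 10.20.5.0/24 via eth1:", decide(gw, "192.168.1.10", "10.20.5.7"))
```

In the conflicting setup, 192.168.1.10 to 10.20.5.7 is encrypted to peerA because the domains match, even though the routing table sends that prefix out eth1; in the recommended setup the same packet follows the route and goes out in the clear, while traffic to peerB's networks is still encrypted by the domain match in both cases. Note that the next reply in this thread places the domain check earlier than the policy decision; the model keeps the order as written in this reply.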
Reyman2021
Participant

Hi Timothy,

Thank you for your response. I get this one. I have attached the topology diagrams (the current setup, and the setup with the new 3rd-party site-to-site VPN) to be more clear. Please check if this will still be feasible.

Thanks,

David Urbina

Attachments: Current Setup.png, Current Setup with the new Domain based 3rd party.png

Bob_Zimmerman
Advisor

I’m pretty sure the VPN domain checks are actually earlier than the firewall policy decision, around when antispoofing checks are performed. The rest is mostly correct, but domain-based config actively conflicts with route-based config. Most notably it will lead to “according to the policy, the packet should not have been decrypted” and “received cleartext packet within an encrypted connection” drops. Just leave the peer’s encryption domain empty, and you’re set. I have firsthand experience running a set of VPNs this way.

PhoneBoy
Admin

Reyman2021
Participant

Hi,

Yes, I have checked this one already, but in my case the VPN domains of the route-based peer and the domain-based peer are different. Therefore, could we say that this is feasible?

PhoneBoy
Admin

Would seem that way to me.
