This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Reyman2021
Participant
‎2021-01-16 05:14 AM

Route Based VPN with Domain Based VPN

I just want to ask if this setup is feasible:

- Currently my firewall has a VPN tunnel with Route based VPN setup (dynamic routing) to a 3rd party checkpoint firewall. Basically my VPN domain is empty as this is a requirement for route based vpn setup.

- Now I have a new different 3rd party site which is the setup plan is the traditional domain based VPN which will require us to defined a network on my VPN domain (not empty). By this, I am not able to defined a network as it was used by the route based vpn for dynamic routing on my other VPN tunnel

My question is if this new domain based vpn will still work even if my vpn domain defined is empty?

Kindly note that current version is R80.20 only. Therefore, we don't have separate vpn domain per community.

0 Kudos
6 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-01-16 07:00 AM

Basically my VPN domain is empty as this is a requirement for route based vpn setup.

This is not completely accurate but is recommended to avoid confusion.  My understanding of how the Check Point firewall determines whether traffic should be encrypted into a VPN (also referred to as "interesting traffic" in the Cisco world) happens in this order:

0) First off, the traffic must be accepted by the security policy.

1) Between inspection points i and I prior to routing, if the packet's source IP falls into our firewall's defined VPN domain AND (not or) the destination IP falls inside the defined VPN domain of a VPN peer, the traffic will be encrypted regardless of what route-based VPN determines.

2) If the IP route matching this packet leads to a VPN Tunnel Interface (VTI), the traffic will be encrypted.  If the route leads to a regular physical/logical interface the traffic will not be encrypted.

The reason why it is frequently recommended to define an empty VPN domain for your firewall with route-based VPNs in use is to avoid a situation in #1 where the domains force encryption first but routing does not.  If the domains determine that traffic needs to be encrypted, it will be encrypted no matter what routing says, full stop.  If the domains do not match for encryption, route-based VPN still has the opportunity to either encrypt or forward in the clear based on routing.

So you can mix domain-based and route-based VPNs on your firewall with a non-empty VPN domain defined for your firewall, just keep in mind that if domain-based VPN specifies encryption it will trump whatever route-based VPN specifies.  So if you are going to do this mix you will need to have an empty VPN domain defined for the *peer* VPN objects for which you want to use route-based VPN, to ensure that domain-based VPN does not improperly override what you want to do with that route-based VPN peer.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Reyman2021
Participant
‎2021-01-16 09:34 PM
In response to Timothy_Hall

Hi Timothy,

Thank you for your response. I get this one. I have attached the topology diagram (current setup and the setup with the new 3rd party vpn s2s) to be more clear. Please check if this will be still feasible. 

Thank,

David UrbinaCurrent Setup.pngCurrent Setup with the new Domain based 3rd party.png

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-01-17 08:58 PM
In response to Timothy_Hall

I’m pretty sure the VPN domain checks are actually earlier than the firewall policy decision, around when antispoofing checks are performed. The rest is mostly correct, but domain-based config actively conflicts with route-based config. Most notably it will lead to “according to the policy, the packet should not have been decrypted” and “received cleartext packet within an encrypted connection” drops. Just leave the peer’s encryption domain empty, and you’re set. I have firsthand experience running a set of VPNs this way.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-17 08:44 PM

We do have an SK that discusses this scenario, FYI: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Reyman2021
Participant
‎2021-01-17 09:31 PM
In response to PhoneBoy

Hi,

Yes I have checked this one already but in my case the VPN domain of route based peer and domain based peer is different. Therefore we could say that this is feasible?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-01-19 07:26 PM
In response to Reyman2021

Would seem that way to me.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events