This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
lbcadenco10
Contributor
‎2019-11-25 02:09 PM

S2S VPN & Overlapping Encryption Domains

We have two Checkpoint appliances - one at site A and one at site B. Both sites have their own local ISP connection in addition to a P2P circuit interconnecting the two sites. The P2P link is provided via the downstream Core switches and provides redundancy to route site A's traffic out site B's ISP and vice versa in the event an ISP goes down at a single site. The core switches use OSPF to share routes between the sites.

Site B is new and for the longest time we had all of our VPNs to 3rd party vendors terminate at Site A. Now that we need to build a new VPN to a 3rd party vendor, we must ensure both Site A and Site B have their own VPN to the vendor and ensure that Site A can route across to the P2P and out Site B's VPN in the event of a failure at Site A and vice verse. Furthermore, Site A's traffic to the vendor will be SNATd behind 10.220.0.0/25 and Site B's traffic to the vendor will be SNATd behind 10.220.1.0/25 so traffic from the vendor to us will only have one path regardless of which site our traffic comes from.

  • Since the local encryption domain (10.220.0.0/25, 192.168.101.0/24, 192.168.105.0/24, 10.220.1.0/25, 10.1.101.0/24 and 10.1.105.0/24) and remote encryption domain (192.30.110.0/28 & 208.229.189.80/28) for both sites will be the same, is this a supported config?
  • I was envisioning using two star communities - SiteA-Vendor and SiteB-Vendor unless there is a better way to handle this scenario.
  • SK106837 indicates that a full overlap is supported, however, does this apply to a single gateway or multiple gateways?
  • Is an overlap in encryption domains only applicable to a single gateway across multiple VPN communities (i.e my scenario is supported)?

Coming from a background of primarily route based VPNs, this would be a fairly easy configuration with no consideration to overlaps. We're currently using domain based VPNs but I'm thinking the best path forward would be using routed based VPNs and migrating all domain based VPNs to routed based.

I've attached a network diagram to outline my topology.

 

Preview file
228 KB
0 Kudos
1 Reply
Jerry
Leader
Leader
‎2019-11-25 02:42 PM

$FWDIR/conf/vpn_route.conf

search for sk for it here, was mentioned like few months ago I believe...
Jerry
0 Kudos