This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
lbcadenco10
Contributor
‎2019-11-25 02:09 PM

S2S VPN & Overlapping Encryption Domains

We have two Checkpoint appliances - one at site A and one at site B. Both sites have their own local ISP connection in addition to a P2P circuit interconnecting the two sites. The P2P link is provided via the downstream Core switches and provides redundancy to route site A's traffic out site B's ISP and vice versa in the event an ISP goes down at a single site. The core switches use OSPF to share routes between the sites.

Site B is new and for the longest time we had all of our VPNs to 3rd party vendors terminate at Site A. Now that we need to build a new VPN to a 3rd party vendor, we must ensure both Site A and Site B have their own VPN to the vendor and ensure that Site A can route across to the P2P and out Site B's VPN in the event of a failure at Site A and vice verse. Furthermore, Site A's traffic to the vendor will be SNATd behind 10.220.0.0/25 and Site B's traffic to the vendor will be SNATd behind 10.220.1.0/25 so traffic from the vendor to us will only have one path regardless of which site our traffic comes from.

  • Since the local encryption domain (10.220.0.0/25, 192.168.101.0/24, 192.168.105.0/24, 10.220.1.0/25, 10.1.101.0/24 and 10.1.105.0/24) and remote encryption domain (192.30.110.0/28 & 208.229.189.80/28) for both sites will be the same, is this a supported config?
  • I was envisioning using two star communities - SiteA-Vendor and SiteB-Vendor unless there is a better way to handle this scenario.
  • SK106837 indicates that a full overlap is supported, however, does this apply to a single gateway or multiple gateways?
  • Is an overlap in encryption domains only applicable to a single gateway across multiple VPN communities (i.e my scenario is supported)?

Coming from a background of primarily route based VPNs, this would be a fairly easy configuration with no consideration to overlaps. We're currently using domain based VPNs but I'm thinking the best path forward would be using routed based VPNs and migrating all domain based VPNs to routed based.

I've attached a network diagram to outline my topology.

 

Preview file
228 KB
0 Kudos
1 Reply
Jerry
Leader
Leader
‎2019-11-25 02:42 PM

$FWDIR/conf/vpn_route.conf

search for sk for it here, was mentioned like few months ago I believe...
Jerry
0 Kudos