Moudar
Advisor

S2S VPN & VLANs

Hi

Is there any guide that shows how to do subnet advertisement over the S2S tunnel (2 Check Point appliances)?

We have got about 5 different VLANs that need to be advertised from the main office to the branch office.

Any ideas!

0 Kudos
14 Replies
G_W_Albrecht
Legend

Why do you need that ? Usually you include all subnets in VPN Encryption Domains for each peer.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Moudar
Advisor

Clarification on VLAN Tagging and Configuration:

We defined the allowed networks for the VPN tunnel. However, I'm unsure how VLAN tagging would work in this scenario.

Ideally, I'd like to find a comprehensive guide that outlines the configuration process for both the Check Point firewall at the main office and the Check Point firewall in the branch office. This guide should specifically address:

  • VLAN Tagging Configuration: How to configure VLAN tagging on both the firewall and switch to ensure proper segregation and routing of VLAN traffic from the main office to the branch office through the VPN tunnel.
  • Visibility and Functionality: How to ensure that VLANs from the main office appear and function seamlessly on the switch connected to the Check Point firewall in the branch office.

By following a detailed guide that addresses these aspects, I can confidently configure the VPN tunnel and achieve the desired functionality for VLAN traffic across both locations.

Additionally:

  • If there are any best practices or security considerations regarding VLAN tagging in this setup, I would appreciate any insights you can provide.
0 Kudos
G_W_Albrecht
Legend

On CP side you only need to consider R81.10 Gaia Administration Guide - VLAN Interfaces. Switches are configured according to their specs. It should work transparently over VPN if the Encryption Domains are defined correctly.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Moudar
Advisor

Maybe this needs to be considered?

If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.

To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its subordinate interfaces (see Bridge Interfaces).

The Security Gateway processes the tagged packet and does not remove VLAN tags from them.

The traffic passes with the original VLAN tag to its destination.

0 Kudos
the_rock
Legend

Just follow the link Guenther gave. I am not aware of any specific document/article that talks about something like this through the VPN tunnel.

Andy

mccabe
Employee

Just adding in my 2p on this one if I may; apologies if I have misunderstood you but I had a similar question put to me just last week. In that case, the customer had an existing MPLS L2 network and wanted to find a way to keep the L2 build broadly similar after migrating to VPN tunnels.

It's important to note that the VPN tunnel is a layer 3 entity; it's IP to IP. It's not possible to segregate this L3 tunnel into a series of layer 2 VLANs, in the manner of an Ethernet trunk.

Instead, what you need to do (as Gunther and Andy mention) is include the respective subnets in the 'encryption domain'.

Again, apologies if that's not what you're asking.

G

the_rock
Legend

That's a super valid point; it would be a layer 3 "system" if you will, so the statement about segregating it into separate layer 2 entities may not work, agree.

Not sure if there is written statement anywhere about it, but I could not find one myself.

Andy

(1)
Moudar
Advisor

You have a very good point about the difference between L2 and L3 in this specific case.

the_rock
Legend

I would agree with @G_W_Albrecht. By the way, whatever you need to advertise, just include it in the VPN domain, and ever since R80 you can have a specific group as the generic VPN domain in the object itself, but then you can assign different ones per community (screenshot below).

Andy

Screenshot_1.png

0 Kudos
Moudar
Advisor

If the interface VLAN that I need to send to the branch office is not defined in the firewall but only in the router (internal traffic), how would the process of creating a new interface VLAN on the firewall go?

Example:

add interface bond0 vlan 530
set interface bond0 state on

set interface bond0.530 comments "Print"
set interface bond0.530 state on
set interface bond0.530 ipv4-address 10.40.10.25 mask-length 24

What happens next?

0 Kudos
the_rock
Legend

That looks right. Well, just make sure it's added as part of the enc VPN domain.

Andy

0 Kudos
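The advice in this and the earlier replies (every VLAN subnet that should reach the branch has to be in that peer's encryption domain, and the two peers' domains should not overlap) can be checked mechanically against the Gaia commands shown in the question. The following is an added example written for this page, not code from Check Point or from anyone in the thread: it parses Gaia clish lines of the form `set interface <name> ipv4-address <addr> mask-length <n>`, derives each VLAN sub-interface's subnet, and reports any subnet the main-office encryption domain does not cover plus any overlap with the branch domain. Only the bond0.530 lines come from the post; the extra sub-interfaces bond0.540/bond0.550 and all encryption-domain addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input: the poster's Gaia clish commands for bond0.530, plus
# two hypothetical VLAN sub-interfaces (bond0.540, bond0.550) added for illustration.
GAIA_CLISH = """
add interface bond0 vlan 530
set interface bond0 state on
set interface bond0.530 comments "Print"
set interface bond0.530 state on
set interface bond0.530 ipv4-address 10.40.10.25 mask-length 24
add interface bond0 vlan 540
set interface bond0.540 ipv4-address 10.40.20.1 mask-length 24
add interface bond0 vlan 550
set interface bond0.550 ipv4-address 10.40.30.1 mask-length 25
"""

# Hypothetical encryption domains for the two peers (all addresses are assumptions).
MAIN_OFFICE_DOMAIN = ["10.40.10.0/24", "10.40.20.0/24"]
BRANCH_DOMAIN = ["192.168.50.0/24"]

# Matches the Gaia clish form "set interface <name> ipv4-address <addr> mask-length <n>".
ADDR_RE = re.compile(r"^set interface (\S+) ipv4-address (\S+) mask-length (\d+)$")


def vlan_subnets(clish_text):
    """Map each Gaia VLAN sub-interface (<parent>.<vlan-id>) to its IPv4 network."""
    subnets = {}
    for line in clish_text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m is None:
            continue
        name, addr, plen = m.groups()
        if "." not in name:  # physical or bond interface, not a VLAN sub-interface
            continue
        # strict=False converts the interface address to its network
        # (10.40.10.25/24 -> 10.40.10.0/24)
        subnets[name] = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    return subnets


def uncovered_subnets(subnets, domain):
    """VLAN subnets that no network in the encryption domain fully contains.

    Traffic from these subnets is not matched into the tunnel, so the other
    peer never sees it; this is the "include it in the VPN domain" point.
    """
    nets = [ipaddress.ip_network(n) for n in domain]
    return {name: sub for name, sub in subnets.items()
            if not any(sub.subnet_of(n) for n in nets)}


def overlapping_domains(domain_a, domain_b):
    """Pairs of networks that overlap between the two peers' encryption domains.

    An address range claimed by both peers is ambiguous (which side owns it?),
    so each VLAN subnet should appear in exactly one peer's domain.
    """
    a = [ipaddress.ip_network(n) for n in domain_a]
    b = [ipaddress.ip_network(n) for n in domain_b]
    return [(str(x), str(y)) for x in a for y in b if x.overlaps(y)]


if __name__ == "__main__":
    found = vlan_subnets(GAIA_CLISH)
    for name, net in sorted(found.items()):
        print(f"{name}: {net}")
    for name, net in sorted(uncovered_subnets(found, MAIN_OFFICE_DOMAIN).items()):
        print(f"NOT in main-office encryption domain: {name} ({net})")
    for x, y in overlapping_domains(MAIN_OFFICE_DOMAIN, BRANCH_DOMAIN):
        print(f"overlap between peers: {x} / {y}")
```

Run as a script it prints the three subnets and flags bond0.550 (10.40.30.0/25) as missing from the main-office domain. The same functions can be pointed at the output of `show configuration` on a Gaia gateway, which exports the interface addresses in the same `set interface ... ipv4-address ... mask-length ...` form, so the check can be repeated after every VLAN is added.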
Moudar
Advisor

That config will be done in the main office; what about the branch office configuration? Is it the same?

Do I need to consider this:

If you configure the switch ports as VLAN trunk, the Check Point Bridge interface should not interfere with the VLANs.

To configure a Bridge interface with VLAN trunk, create the Bridge interface with two physical (non-VLAN) interfaces as its subordinate interfaces (see Bridge Interfaces).

The Security Gateway processes the tagged packet and does not remove VLAN tags from them.

The traffic passes with the original VLAN tag to its destination.

0 Kudos
G_W_Albrecht
Legend

Why would you use a bridge interface? This will make many features unavailable! Both peers have their own Encryption Domain; all networks should be included that have to be reached by clients from the peer site.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Moudar
Advisor

I am not an expert here, but I am trying to learn!

In the branch office a Cisco switch will be connected to the firewall. How would the firewall configuration be?

How would the switch understand that this traffic is tagged? I am trying to understand the process!

The branch office is a 1575 small business appliance.

0 Kudos