praveshnayal
Explorer

Site to Site IPSEC VPN

Kindly share info on below.

1. When is the user.def file used, and what is the use of the user.def file in VPN?

2. How to configure a Site to Site VPN when the remote end is a route-based VPN, e.g. Fortigate?

2 Replies
firewall1-gx
Contributor

Greetings,

1. The file user.def.X is a placeholder for user-defined implied rules that can be added by the administrator (in Check Point INSPECT language). For example, specific code for VPN negotiation, allowing/blocking specific traffic, etc. All the changes made to this file are transferred to the managed Security Gateway / Cluster during policy installation.

Typically you need to customize user.def for VPN issues; the most traditional case is when, after troubleshooting, you couldn't specify a network for a remote peer. Using user.def you can force that.

2. Check Point supports both Domain-based and Route-based VPN; it depends on your needs and your topology. Keep in mind that you do not always need to configure the VPN on the CP side in a route-based scheme just because the remote peer works in route-based mode.

More details you can see in:

Location of 'user.def' files on Security Management Server (checkpoint.com)
Creating customized rules for Check Point Security Gateway - 'user.def' file

Alisson Lima

Bob_Zimmerman
Advisor

I strongly recommend against user.def modifications if you can avoid them. They are easy to forget when upgrading the management.

As for a site-to-site VPN with a route-based peer, you just need to get the negotiation to match. I would expect a route-based VPN to negotiate 0.0.0.0/0 to 0.0.0.0/0, but that is not necessarily the case. You can get a Check Point firewall to negotiate 0.0.0.0/0 to 0.0.0.0/0 using the "One tunnel per gateway pair" tunnel management setting in the community. Everything else can be done like any other community-based VPN. If you aren't sure about the negotiation, you can get some samples using IKE debugging (vpn debug ikeon), then viewing the debug log (ike.elg or ikev2.xmll).

You also can set up the VPN as route-based on the Check Point side. This involves creating a VTI on the Check Point firewall and setting the peer object's encryption domain to an empty group. You still need a VPN community, as that is where you set the parameters for phase 1 and phase 2 of the negotiation. The advantage of this method is it allows the firewalls to talk with each other via protocols like OSPF which want to work on an interface. If you aren't using dynamic routing between the two, you generally don't need a VTI.
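As an added illustration of the "get the negotiation to match" point above (example code, not from the thread or from Check Point), this is a simplified model of the phase 2 traffic selectors the Check Point side proposes under the two tunnel-management settings, checked against a route-based peer that proposes 0.0.0.0/0 to 0.0.0.0/0. It assumes IKEv1 quick mode, where the peer's selectors must match a proposal exactly; the domains are constructed sample values.

```python
"""Simplified model of how the tunnel-management setting changes the IKE
phase 2 selectors proposed by the Check Point side, and whether a
route-based peer (0.0.0.0/0 <-> 0.0.0.0/0) would accept one of them.
Assumption: IKEv1 quick mode, where selectors must match exactly."""
from ipaddress import ip_network
from itertools import product

ANY = ip_network("0.0.0.0/0")


def checkpoint_proposals(local_domain, remote_domain, tunnel_management):
    """Return the (local, remote) selector pairs the Check Point side proposes.
    'subnet' : one tunnel per subnet pair -> one proposal per domain pair.
    'gateway': one tunnel per gateway pair -> a single 0.0.0.0/0 <-> 0.0.0.0/0
    (the behaviour the post describes; this is a simplified model)."""
    local = [ip_network(n) for n in local_domain]
    remote = [ip_network(n) for n in remote_domain]
    if tunnel_management == "gateway":
        return [(ANY, ANY)]
    if tunnel_management == "subnet":
        return list(product(local, remote))
    raise ValueError(f"unknown tunnel management: {tunnel_management}")


def peer_accepts(proposals, peer_local, peer_remote):
    """Mirror the peer's selectors into the Check Point side's (local, remote)
    view: the peer's remote is our local, the peer's local is our remote.
    IKEv1 needs an exact match, so return only the proposals that match."""
    want = (ip_network(peer_remote), ip_network(peer_local))
    return [pair for pair in proposals if pair == want]


def negotiation_matches(local_domain, remote_domain, tunnel_management,
                        peer_local="0.0.0.0/0", peer_remote="0.0.0.0/0"):
    """True when at least one proposal matches what the peer expects."""
    proposals = checkpoint_proposals(local_domain, remote_domain, tunnel_management)
    return len(peer_accepts(proposals, peer_local, peer_remote)) > 0


if __name__ == "__main__":
    # Constructed sample encryption domains, not values from the thread.
    cp_domain = ["10.1.0.0/24", "10.1.1.0/24"]
    peer_domain = ["192.168.10.0/24"]
    print("per subnet pair :", negotiation_matches(cp_domain, peer_domain, "subnet"))   # False
    print("per gateway pair:", negotiation_matches(cp_domain, peer_domain, "gateway"))  # True
```

With a domain-based peer that proposes one subnet pair, the same function shows the "one tunnel per subnet pair" setting matching instead, which is why the tunnel management choice has to follow what the peer actually negotiates.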