This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
Advisor
‎2024-04-22 12:58 PM

Site-to-Site VPN Deployment: 6500 Appliance to 1575 SMB Firewall

 

Hi

I am planning to deploy a Site-to-Site VPN connection between a 6500 appliance in our central office and a 1575 SMB firewall at a branch office. The primary function of the branch office firewall is to establish the VPN tunnel.

Are there any specific considerations I need to be aware of when configuring a Site-to-Site VPN between these two firewall models?

I would appreciate any relevant guides or best practices documents that can assist us with this deployment.

 

 

0 Kudos
14 Replies
the_rock
Legend
Legend
‎2024-04-22 03:14 PM

Hey bro,

Nothing special really. I had even seen people do it as permanent tunnel (per gateway option) and works fine.

Andy

0 Kudos
CaseyB
Advisor
‎2024-04-23 07:46 AM

If we are making the following assumptions:

  • Both firewalls are directly connected to the Internet.
  • Both firewalls are using static addresses.
  • No overlapping subnets.

Then as @the_rock  said, there shouldn't be anything special for you to do in this case. I would create a Star VPN Community with the 1575 SMB being the satellite, gateway to gateway VPN tunnel sharing, set permanent tunnels, and then choose the VPN routing option that makes sense. We like to route all Internet traffic back to HQ, but that is not everyone's preference.

If you are using the recommended method of certificates for this VPN connection, make note of when your certificates are set to expire as you want to avoid any outages that may occur with that.

Moudar
Advisor
‎2024-04-23 11:41 PM
In response to CaseyB

Hi

I think shared secret is the way we go for this installation.

The idea is to have same VLANs behind the HQ at the branch office (not all of them only 3-4), so that the users do not feel any change!

How can that be done? I mean having the same VLANs on both sides? Should we have a switch on the branch to get the VLANs?

0 Kudos
_Val_
Admin
Admin
‎2024-04-24 12:28 AM
In response to Moudar

You can only use a shared secret if the branch GW is managed locally or by another SMS. If both the main office cluster and the branch office are managed by the same management server, you don't really need it in the first place.

0 Kudos
Moudar
Advisor
‎2024-04-24 02:39 AM
In response to _Val_

You have a point there, the branch office should be added to SMS first (SIC), then a S2S should be created.

What about my question about VLANs, how to go with it?

0 Kudos
the_rock
Legend
Legend
‎2024-04-24 04:18 AM
In response to Moudar

As Val said, if both are managed by same mgmt server, then just use certificates. Otherwise, PSK is fine.

Andy

0 Kudos
CaseyB
Advisor
‎2024-04-24 05:46 AM
In response to Moudar

Extending L2 to remote sites is not really a networking best practice. The VPN component is L3, I do not have a good answer for you.

0 Kudos
Moudar
Advisor
‎2024-04-24 06:14 AM
In response to CaseyB

so what is the best practice to solve that problem?

0 Kudos
_Val_
Admin
Admin
‎2024-04-24 06:20 AM
In response to Moudar

If you have overlapping IP spaces between the sites, you will need to NAT one of the locations to different IPs.

0 Kudos
the_rock
Legend
Legend
‎2024-04-24 06:35 AM
In response to Moudar

As Val said, you have to do NAT here, there is really no other viable option.

Andy

0 Kudos
CaseyB
Advisor
‎2024-04-25 07:15 AM
In response to Moudar

Generally speaking, you would want all remote sites to be L3 with their own separate networks and VLANs. You said you want the VLAN to be the same so users do not feel any change, I'm not sure how your network would be setup in a way that providing them a different IP address would change their overall experience. I know our end-users have no idea what IP they are getting and could not careless, nor do they notice a difference roaming between sites.

0 Kudos
Moudar
Advisor
‎2024-04-25 07:27 AM
In response to CaseyB

Maybe i was not clear above. it is absolutely not important to have same VLANs on both sites. What is important is to have connectivity.

If VLAN 419 is on central site, no problem to create VLAN 420 on branch site (different subnet). What i need is a guide on how to do it? after the creation of a site to site VPN. So how to proceed?

0 Kudos
the_rock
Legend
Legend
‎2024-04-25 07:28 AM
In response to Moudar

That should be taken care of by ensuring enc. domains include subnets for thise vlans...makes sense?

Andy

0 Kudos
Moudar
Advisor
‎2024-05-06 02:35 AM
In response to the_rock

Is using VTIs is a possible solution ?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events