This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Klapesh_3477
Explorer
‎2019-11-24 11:28 PM
Jump to solution

Site to Site VPN

We have facing the Error in Site to Site VPN Tunnel,

 

Scenario is : We have Two Site , Site A and Site B, Both the Site we have installed Checkpoint Firewall Device With HA & Both Site Management server are Same is located on Site A.

 

When we are Trying to Establish the VPN Tunnel Between Both Site , Then Site B Device is Stop the Responding and Policy Installation is Goes to Failed , ( Means That remote Site Device is Stop to Communicate With Management server ) Note : we have added Remote Customer With Public Ip Address In Our Exiting Management server .

 

 

Regards

KP

0 Kudos
2 Solutions

Accepted Solutions
G_W_Albrecht
Legend Legend
Legend
‎2019-11-25 02:02 AM
Jump to solution

Did you follow Site to Site VPN Administration Guide R80.30 ? Which kind of VPN Community is used ? Please check that the Management Connections still go over internet when VPN is enabled (see excluded services!).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
3 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-11-25 02:02 AM
Jump to solution

Did you follow Site to Site VPN Administration Guide R80.30 ? Which kind of VPN Community is used ? Please check that the Management Connections still go over internet when VPN is enabled (see excluded services!).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
mdjmcnally
Advisor
‎2019-11-25 03:02 AM
In response to G_W_Albrecht
Jump to solution

This will be because as others stated and suggested is that you have a Site to Site VPN between the 2 sites.

 

When you establish a Site to Site VPN between Check Point Gateways/Clusters then it includes the External Interfaces in the Encryption Domain.

 

As such when the Management Server that is likely part of Site A Enc Domain tries to communicate with the Site B Cluster then tries to go over the Site to Site VPN.

Easiest way I find to solve this is with

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

To exclude the Site B Gateway and Cluster IP from the VPN.

Will be the $FWDIR/lib/crypt.def file that edit if all on the same software version

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Is the SK article that states what the location of crypt.def file is depending on Management and Software version.

 

This ensures that the Check Point Management Traffic does not attempt to go via the VPN and also that any Platform Management, ie WebUI, SSH etc also does not go over the VPN.

This traffic is all encrypted anyway and means that if the VPN is down then can still connect.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top