This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
Advisor
‎2024-05-10 09:35 AM

VPN Site-to-Site, Gateway at other site!

Hi, 

I got this topology:

new-vpn.png

Where A-GW-1 & A-GW-2 creates a cluster on the central office. 

vIOS router is representing the internet.

B-GW is an embedded 1575 gateway and is a branch office with own external dynamic IP address! I wonder here how to add B-GW to SMS when it has a dynamic IP! I mean when the ISP changes the IP how would it keep connection to SMS?

What is needed is for VPC15 to have its gateway at "switch-center"

Switch-center (central office) has many interface VLANs, the interface VLAN that is needed as a gateway to VPC15 is VLAN10 10.10.10.14

What I read is that 1575 does not support directional VPN enforcement so VTI is not an option! correct me if I am wrong

What I think would work is using NAT in some way, which I don't know!

So, any help is appreciated! 

0 Kudos
17 Replies
the_rock
Legend
Legend
‎2024-05-10 04:19 PM

Hey, is this related to the post you had the other day, where Emmap mentioned to enable control connections setting on the management server? That did not help?

Andy

0 Kudos
Moudar
Advisor
‎2024-05-11 12:47 AM
In response to the_rock

The problem that I had on the other post was that SMS could not get connected to B-GW through the internet. The answer that Emmap gave was correct to activate static NAT under SMS object settings.

The question here is how VPC15 can have its gateway on the other side?

0 Kudos
the_rock
Legend
Legend
‎2024-05-11 04:34 AM
In response to Moudar

Can you explain little, sorry? Im not sure what you mean "have its gateway on the other side" and what exactly is it supposed to connect to?

Andy

0 Kudos
Moudar
Advisor
‎2024-05-12 02:08 AM
In response to the_rock

If you take a look at the topology, you can see VPC15 which sits behind B-GW. VPC15 needs to have its gateway on the other side, on switch-center. Is it possible to do that? The goal is to have for example three different VLANs behind B-GW which will talk to servers behind the A-GW-Cluster.

0 Kudos
the_rock
Legend
Legend
‎2024-05-12 05:19 AM
In response to Moudar

Im still not clear, sorry...what do you mean have its gateway on the other side?

0 Kudos
Moudar
Advisor
‎2024-05-12 06:04 AM
In response to the_rock

Assuming VLAN 510 at the central office grants users access to various servers and services, how would users in the branch office (connected through B-GW) reach the same resources (all resources are sitting behind the cluster at the central office) while being located behind the Branch Gateway (B-GW)?

 

Let's say the branch office needs multiple VLANs beyond just a user VLAN. If we connect a switch to the Branch Gateway (B-GW), and this switch will have 5 separate VLANs, how would the B-GW firewall handle routing traffic from those 5 VLANs to the central office?

Let me know if this clarifies things better.

 

0 Kudos
the_rock
Legend
Legend
‎2024-05-12 06:22 AM
In response to Moudar

I would probably need to see it for myself, but sounds like you need to include all those vlans in enc domain and also enable vpn routing inside the vpn community as per below.

Andy

 

Screenshot_1.png

0 Kudos
Moudar
Advisor
‎2024-05-12 06:34 AM
In response to the_rock

sounds like "To center or through the center..." is the option needed ! so running OSPF on both sides maybe an option?

 

Another question about user mode, when trying to change from kernel mode to user mode I see this message:

"Important note: this action might have an effect on GW CoreXL split" 

What effect could that be?

0 Kudos
the_rock
Legend
Legend
‎2024-05-12 06:43 AM
In response to Moudar

Kernel mode is limited

https://community.checkpoint.com/t5/General-Topics/R80-x-Performance-Tuning-Tip-User-Mode-Firewall-v...

By the way, for dynamic routing, I would STRONGLY recommend using UNNUMBERED VTIs for vpn tunnel, I did extensive lab testing with this and appears thats best way to make it work. What would happen is you would see new vti pop up in topology and you can assign same VIP as external interface its based off of, dont worry, thats fine, wont give you any issues.

Andy

0 Kudos
Moudar
Advisor
‎2024-05-12 06:46 AM
In response to the_rock

VTI, do we need directional VPN configs? 1575 does not support that!?

0 Kudos
the_rock
Legend
Legend
‎2024-05-12 06:47 AM
In response to Moudar

Yes, but as far as 1575, I really dont know, literally never work with SMB, sorry : - (

0 Kudos
Moudar
Advisor
‎2024-05-12 07:00 AM
In response to the_rock

So VTI is not an option! What other option do we have?

0 Kudos
the_rock
Legend
Legend
‎2024-05-12 07:05 AM
In response to Moudar

You can try VTI, but maybe confirm with TAC if its possible on smb.

Something like below.

Andy

 

tunnel ID is only relevant if 3rd party tunnel, so say if its PAN, ID has to match on both ends

 

Screenshot_1.png

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-13 08:31 AM

Is the 1575 managed by the same management as A-GW and B-GW?
Are A-GW and B-GW a ClusterXL cluster or are they completely independent?

In any case, the object representing the 1575 needs the Dynamic IP option checked in the General tab.
Note that only CERTIFICATES (not Shared Secret) can be used on VPN that involve DAIP endpoints (this is by design for security reasons).
The DAIP gateway periodically generates traffic so the other end is aware of its IP.

Not clear on what the proposed traffic flows are in this scenario, nor is it clear that you need to use VTIs to achieve your desired ends.
If you're not using VTIs, the networks accessible via the VPN are a function of the local Encryption Domain on the relevant gateways.

0 Kudos
Moudar
Advisor
‎2024-05-13 10:59 AM
In response to PhoneBoy

A-GW-1 and A-GW-2 form a cluster, while B-GW represents the branch office.

B-GW will be administered by the same Security Management Server (SMS) responsible for the A-GW cluster. In this scenario, do we still require certificates?

The intention is for B-GW to exclusively function as a VPN device, with all traffic inspection governed by policy rules set on the A-GW cluster.

I am uncertain about the support for Virtual Tunnel Interfaces (VTI) on the 1575 model, especially considering the absence of directional VPN capabilities.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-13 12:24 PM
In response to Moudar

VPN peers that have DAIP must use certificates, regardless of whether the peer is managed by you or someone else.
Considering all gateways are managed by the same management, this should not be an issue.

With ClusterXL, you cannot have one member do exclusively VPN and the other do traffic enforcement for your internal clients.
They would have to be defined/managed as two separate (not clustered) gateways to achieve this separation.

Directional Match (as described here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con... ) is not supported on SMB appliances.
It has nothing to do with VTIs, which are supported on SMB: https://support.checkpoint.com/results/sk/sk178604

the_rock
Legend
Legend
‎2024-05-13 01:29 PM
In response to PhoneBoy

Correct me if Im wrong when I say this, but Im fairly sure this direction match setting is mostly used with route based VPNs? I had never seen it for regular domain based tunnels, at least I cant remember.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events