GSecurity
Participant

VPN SITE TO SITE

Good morning, dear friends,

I am deploying Check Point Spark equipment in 5 remote locations, managed from smart cloud, which I will link to the client's main location through a site-to-site tunnel; at the main location end the firewall is a FortiGate. The requirement of this tunnel is that each remote location has communication only and exclusively to the central location. In this case, would I use a meshed or star community?

Another question I have: at the remote locations, where the Spark Check Point gateways will be, the internet router provides a NATed IP (192.168.1.0/24), and the WAN interface of the gateway has an IP in this segment; at the main location end, the FortiGate does have public IPs on its WAN interface. In this case, with other firewalls I would have to configure a Peer ID at each end, but in Check Point I cannot identify how to configure this Peer ID.

Best regards

9 Replies
the_rock
Legend

I think a simple net diagram would help us here. Question 1) Yes, sounds like a star community is fine, since you can use the central location as the central GW and the other ones as satellites.

Question 2) I have never ever heard of a peer ID on the CP side, so not sure if that setting even exists. Though it might be somewhere in the SMB GUI page, can't confirm, as I literally never work on those devices, but in regular Gaia I had never seen it, unless you use VTIs, but even in such a case it ONLY asks to enter a peer name, which is essentially the name of the interoperable object you configure representing the other side.

Andy

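To make the star-versus-mesh distinction from the reply above concrete, here is an added example (not from the thread or from Check Point) that models a constructed hub-and-spoke topology, lists which encryption-domain pairs each community type permits, checks whether a given flow is covered, and flags satellites whose WAN address is RFC 1918, which is the "behind NAT" situation the question describes. All names, addresses and domains are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample topology: one hub with a public WAN address and two
# satellites whose WAN interface sits in the router's 192.168.1.0/24.
HUB = {"name": "hub-fw", "wan": "203.0.113.10", "domain": "10.0.0.0/16"}
SPOKES = [
    {"name": "spark-site1", "wan": "192.168.1.2", "domain": "10.1.0.0/24"},
    {"name": "spark-site2", "wan": "192.168.1.2", "domain": "10.2.0.0/24"},
]

# RFC 1918 ranges, checked explicitly (ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, which is not what we want).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def star_community(hub, spokes):
    """Encryption-domain pairs a star community permits: hub<->spoke only."""
    return [(hub["domain"], s["domain"]) for s in spokes]


def mesh_community(members):
    """Pairs a meshed community permits: every member with every other, spoke<->spoke included."""
    return [(a["domain"], b["domain"]) for a, b in combinations(members, 2)]


def allowed(pairs, src_ip, dst_ip):
    """True if a flow src_ip->dst_ip lies inside some permitted domain pair (either direction)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a, b in pairs:
        net_a, net_b = ipaddress.ip_network(a), ipaddress.ip_network(b)
        if (src in net_a and dst in net_b) or (src in net_b and dst in net_a):
            return True
    return False


def behind_nat(member):
    """A private WAN address means the peer's public IP is unknown locally, so the
    remote side cannot identify it by IP; it needs a non-IP identity (name/ID)."""
    wan = ipaddress.ip_address(member["wan"])
    return any(wan in net for net in RFC1918)


if __name__ == "__main__":
    star = star_community(HUB, SPOKES)
    print("spoke1 -> hub:", allowed(star, "10.1.0.5", "10.0.1.1"))     # True
    print("spoke1 -> spoke2 (star):", allowed(star, "10.1.0.5", "10.2.0.5"))  # False
    print("NATed spokes:", [s["name"] for s in SPOKES if behind_nat(s)])
```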
the_rock
Legend

This is what I was referring to.

Andy


Screenshot_1.png

GSecurity
Participant

Hi, thanks for your reply,

I don't know where to add this, please help me.

Regards

the_rock
Legend

Just working on some Fortinet stuff, will spin up a quick demo SMB lab and see if the option is there. Otherwise, we can do a remote tomorrow if you are allowed to, let me know.

Btw, that option I pasted is on regular Gaia, plus it may not apply to you, as it's mostly used for route-based VPN tunnels, not domain-based ones.

Andy

the_rock
Legend

@GSecurity 

While I'm waiting for the customer/Fortinet guy to finish what they need to finish, I spun up the lab in the meantime and this is what I'm referencing from the screenshot. BUT, again, if you are going to build a domain-based VPN, none of this is relevant. However, if it will be route-based (which I always recommend to people nowadays), then it matters. Anyway, message me directly tomorrow if you can do a remote and happy to go through it together.

Andy


See my post about route-based tunnels.

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...


Screenshot_1.png

GSecurity
Participant

Hi, I wrote to you directly. Thanks.

the_rock
Legend

Responded... just send me your email, let's connect offline, easier.

Best,

Andy

the_rock
Legend

Hey Gerardo,

Thanks for your time on the remote today and apologies for my abysmal Spanish :(. Anyway, we agreed you would configure a route-based VPN tunnel and test it out. If any issues, mate, just text me or email and we can do another Zoom meeting.

Best,

Andy

And here is the Spanish translation (rendered in English) 🙂

***********************************

Thanks for your time on the remote today and apologies for my terrible Spanish :(. Anyway, we agreed that you would configure a route-based VPN tunnel and test it. If you have any problems, friend, send me a text message or an email and we can do another Zoom meeting.

the_rock
Legend

Hey bro,

I waited 10 mins in Zoom, but no one showed up, so I closed it. I'm good for another 30 mins.

Andy
