what information do we need from the remote site customer when creating site to site VPN?
You need to exchange information with the remote site customer as he needs to configure the VPN on his side as well and therefore needs to know the external IP address of your VPN gateway, encryption domain, encryption settings and other data.
Best practice is to fill out a VPN Datasheet like this one:

Encryption Domain / Crypto Map:

VPN Phase 1 (IKE)
  Hash / Data Integrity:
  Pseudo Random Function (PRF):
  SA Lifetime / Renegotiation time: 1440 min. (Default)
  Aggressive Mode: Yes / No

VPN Phase 2 (IPSec)
  Perfect Forward Secrecy (PFS): Yes / No
    Group 1 (768 bit)
    Group 2 (1024 bit)
    Group 5 (1536 bit)
    Group 14 (2048 bit)
    Group 19 (256-bit ECP)
    Group 20 (384-bit ECP)
  SA Lifetime: 3600 sec. (Default)
  Disable NAT inside the VPN traffic: Yes / No

VPN Interesting Traffic
  Inbound from Site 2:
  Outbound to Site 2:
At a very high level:
It gets a bit more complicated if both ends of the VPN are using the same address space.
See more here: Site to Site VPN R80.10 - Part of Check Point Infinity
A great worksheet, just want to emphasize that the Phase 1 SA Lifetime is expressed by Check Point in minutes, while the Phase 2 SA Lifetime is expressed by Check Point in seconds. Most other vendors express both values in seconds.
If these values are mismatched between the two sites, the VPN will still start and appear to work, but in an interoperable VPN situation in particular, Delete SAs don't always work correctly. This will cause seemingly random hangs of the VPN tunnel that can be rectified by killing the tunnel via "vpn tu", at which point the VPN will immediately pop back up and start working... until the hang happens again. Also watch out for early tunnel expirations due to a Data Lifesize limit being reached or a VPN idle timer expiring. Enabling Permanent Tunnels (and enabling DPD with it for interoperable VPNs) is strongly recommended.
-- My book "Max Power: Check Point Firewall Performance Optimization" now available via http://maxpowerfirewalls.com.
For Phase 1 Encryption Algorithm:
Is it CBC or ECB?
Pretty sure it is CBC: sk105119: Best Practices - VPN Performance
-- My Book "Max Power: Check Point Firewall Performance Optimization" Second Edition Coming Soon
That is very helpful