Help on multiple IPSEC local domains configuration

Question asked by Checkpoint CMLisboa on Nov 28, 2017
Latest reply on Jun 29, 2018 by Dameon Welch-Abernathy

Hello to all.

This is my first post on this community group. I help with the daily management of a VSX cluster R77.30 Check Point installation, with virtual blades. I never used Check Point before (but I have used lots of other FWs), so even after 2 years doing some admin on this I still have LOTS of questions in my head about this solution. I don't have any formal training on CP and unfortunately it looks like my "boss" doesn't care too much about it, so I will try to post my first questions here looking for someone to give me some light on the problems.


We have set up multiple IPSEC site-to-site VPN tunnels, five (5) at this moment, but the number will increase sooner or later. We are struggling with problems regarding the local domain configurations. As each tunnel needs some configuration that is different from the others, in the end we must have multiple local domains working. Sometimes we need fully different networks, and other times we need some networks that are subnets of others.


As I can have just one local domain in a gateway VPN, I've created a group and added the multiple networks that are needed to establish the tunnels to the multiple entities. This is causing errors in the IKE phases because, I think, sometimes the local networks don't match the nets that the peers are expecting.


The other problem, which I will not talk about for now, is that I can't debug IPSEC via the command line, because I have lots of questions in this area too, and as of today I haven't yet found, in our multiple blade plus management configuration, where I should enter the debug VPN mode and where to look for the logs.... I try to enter on all the blades and gateways and never find any IKE logs.


I've already been told that maybe I will have to edit some filesystem files and configure there the multiple local domains I need for each VPN connection. But I can't find anything on this matter googling around. As if no one had this kind of need!

I am also thinking, and this is an idea of mine, that one other possible solution could be creating additional gateways just to take care of a VPN connection: one gateway for each IPSEC tunnel, so I can have non-coincident local domains because each gateway would have its own configuration.


Sorry, I am a noob at all this, and I need to find a solution because the number of IPSECs will increase soon and this problem will then get worse with each VPN increment!



Luis Neves
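The mismatch the post describes (one group-based local domain shared by several peers, each of which expects a specific set of networks) can be checked offline before touching the gateway. The script below is an added example, not code from the original post and not a Check Point tool. It models a deliberately simplified Phase 2 behaviour, labelled as an assumption in the code: the gateway offers each network object in its local domain as a traffic selector, and a peer only accepts a selector that exactly equals one of the networks it expects. Under that model it reports, per peer, which expected networks are present exactly, which exist only as a wider supernet or only as narrower subnets, which are shadowed by an overlapping wider object in the same group, and which are missing entirely. The networks and peer names are constructed sample data.

```python
"""
Phase 2 traffic-selector (proxy-ID) mismatch checker.

Added example, not from the original post and not Check Point code.
ASSUMPTION (simplified model): the gateway proposes every network object in its
local VPN domain as a traffic selector, and each peer accepts a selector only if
it exactly equals one of the networks that peer expects from our side.
"""
from ipaddress import ip_network

# Constructed sample data: one group-based local VPN domain shared by all peers.
LOCAL_DOMAIN = ["10.1.0.0/16", "10.1.5.0/24", "192.168.50.0/24", "172.16.0.0/12"]

# Constructed sample data: what each (hypothetical) peer expects as OUR networks.
PEERS = {
    "peer-A": ["10.1.0.0/16"],
    "peer-B": ["10.1.5.0/24"],
    "peer-C": ["192.168.50.0/24", "192.168.51.0/24"],
    "peer-D": ["172.16.8.0/24"],
}


def check_peer(local_domain, expected_nets):
    """Return {expected_network: verdict} for one peer.

    Verdicts:
      exact                       - the object is in the local domain as-is
      exact-but-shadowed-by:X     - present, but a wider object X in the same
                                    domain also covers it (ambiguous selector)
      only-as-supernet:X          - only a wider object X covers it
      only-as-subnets:X,Y         - only narrower objects X,Y fall inside it
      missing                     - nothing in the local domain overlaps it
    """
    local = [ip_network(n) for n in local_domain]
    report = {}
    for expected in expected_nets:
        net = ip_network(expected)
        wider = [str(n) for n in local if n != net and n.supernet_of(net)]
        narrower = [str(n) for n in local if n != net and net.supernet_of(n)]
        if net in local:
            report[expected] = (
                "exact" if not wider else "exact-but-shadowed-by:" + ",".join(wider)
            )
        elif wider:
            report[expected] = "only-as-supernet:" + ",".join(wider)
        elif narrower:
            report[expected] = "only-as-subnets:" + ",".join(narrower)
        else:
            report[expected] = "missing"
    return report


def mismatched_peers(local_domain, peers):
    """Names of peers for which at least one expected network is not 'exact'."""
    return [
        name
        for name, nets in peers.items()
        if any(v != "exact" for v in check_peer(local_domain, nets).values())
    ]


if __name__ == "__main__":
    for name, nets in PEERS.items():
        print(name)
        for net, verdict in check_peer(LOCAL_DOMAIN, nets).items():
            print(f"  {net:18} {verdict}")
    print("peers likely to fail Phase 2 under the exact-match model:",
          mismatched_peers(LOCAL_DOMAIN, PEERS))
```

With the sample data, only peer-A is clean. peer-B's /24 is also covered by the /16 in the same group, peer-C expects a network that is not in the domain at all, and peer-D will only ever be offered a /12 it does not want. Each of these is the kind of case where one group-based domain cannot satisfy every peer, regardless of how the gateway itself is configured to derive its proposals.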