Vladimir
Champion

Externally managed gateway as an Interoperable device?

As per documentation dating back forever, site to site VPNs between locally and externally managed Check Point gateways require us to define the remote unit as "Externally Managed Gateway".

This also entails defining the topology of the Externally Managed Gateway.

I've run into a situation where the peer is reluctant to provide their topology information and would like to know if:

1. Not specifying the topology will prevent this VPN from working

2. Could a remote unit be defined as an "Interoperable Device" to remove the need for topology definition?

3. If [2] is possible, what is the benefit of defining the peer as "Externally Managed Gateway" when PSK is used?

I suspect that in cases when certificates are used and the remote peer's topology is properly defined, the ISP redundancy at the remote site could be taken advantage of but am not sure of the particulars.

7 Replies
Maarten_Sjouw
Champion

As long as you know that you need to allow certain IPs, you can define a topology from there. The main difference between an interoperable device and an externally managed gateway is that you can use permanent tunnels, when turned on on both sides.

The thing is that when you don't know what lives at the other end you cannot set the allowed list for routing via VPN either.

Regards, Maarten
Vladimir
Champion

If I am not aware of which interfaces on the peer's side are internal and external, it is not easy to infer the topology :)

To add some spice, there is NAT on both sides of the VPN.

With an Interoperable Device, we are only concerned with the peer's public IP and the encryption domain, which simplifies things.

I would like to hear from CP whether this is supported and if there are any caveats I should be aware of.

JozkoMrkvicka
Mentor

AFAIK, an "Externally Managed Gateway" should only be a Check Point device (with GAIA installed). This will allow you to set up a VPN based on certificates.

An "Interoperable Device" should be created only in case you need to establish a VPN with another vendor.

Kind regards,
Jozko Mrkvicka
Vladimir
Champion

I am aware of the definitions, but am looking for a workaround, since I cannot define the topology for the remote Check Point gateway due to the peer's reluctance to provide this information.

Configured without topology, the VPN fails, and I am not sure if this is the expected behavior in this case or if it is caused by other factors.

_Val_
Admin

Are they at least willing to provide you their VPN domain networks? If yes, an interoperable device is a viable option. I do not see any problem with your approach.

Vladimir
Champion

Thank you Valeri.

I'll give it a shot with an Interoperable Device and will report my findings.

_Val_
Admin

Looking forward to hearing about your experience.
