FtW64
Participant

RemoteAccess in combination with s2s IPSec (topology)

Hi all,

I have a question about IPSec VPN in combination with Remote Access VPN (IPSec).

Please consider the below topology. It consists of three Check Point clusters (1, 2, and 3) at three separate locations. All clusters have their own connection to the Internet. Between clusters 1 and 2 a backbone network exists (routing traffic between Net1 and Net2). There is a site-2-site IPSec VPN between cluster 3 and 1 and between cluster 3 and 2 (both not shown in the drawing). The VPN domains of clusters 1, 2, and 3 contain Net1, Net2, and Net3 respectively. This works like a charm.


                                                            +---------+
                                                            |         |
                                                    ISP1 ---+ cluster +------- Net1
                                                            |    1    |
                                                            |         +---+
                                                            +---------+   |
                                                                          |
        +---------+                                                       |
        | cluster |                                                       |
Net3 ---+    3    +--- ISP3      I N T E R N E T                          | backbone
        |         |                                                       |
        +---------+                                                       |
                                                                          |
                                                            +---------+   |
                                                            |         +---+
                                                            | cluster |
                                                    ISP2 ---+    2    +------- Net2
                                                            |         |
                                                            +---------+


Now the question. Is it possible to configure a RemoteAccess VPN where users connect to cluster 1 and have access to Net1 (easy), but also to Net2 (routed over the backbone) and Net3 (using the site-2-site VPN between clusters 3 and 1)?

And, as a bonus challenge, can we configure a backup RemoteAccess VPN (manual selection by users, no MEP) that will allow remote users to connect to cluster 3 and have access to Net1, Net2, and Net3 as well?

Thanks in advance!

Regards,

-Frank

0 Kudos
2 Replies
PhoneBoy
Admin

Yes, it is possible to do.
Your Remote Access encryption domain would need to be configured with the relevant networks behind the three clusters and be configured on Cluster 1 and Cluster 3.
However, there is no way to "force" users to use Cluster 1 first; they can choose to use either Cluster 1 or 3.

0 Kudos
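As an added illustration of the setup described in the question and in the reply above (this is an example written for this page, not Check Point code or anything posted by the participants), the script below models the three clusters, the backbone between clusters 1 and 2, the two site-to-site tunnels to cluster 3, and the per-cluster encryption domains, then works out for each remote-access entry point how a client reaches Net1, Net2 and Net3. The Office Mode pool name (`OM-pool`) and the rule that a site-to-site peer only accepts tunnel traffic sourced from the entry cluster's VPN domain are assumptions of the model; the network names are the thread's.

```python
"""Toy model of remote access combined with site-to-site VPN.

Added example, not Check Point code. It encodes the topology from the thread
and checks, for every cluster that terminates remote-access clients, which of
the three networks a client can reach and why a path fails when it does.
"""
from dataclasses import dataclass, field

NETS = ("Net1", "Net2", "Net3")
OM_POOL = "OM-pool"  # hypothetical address pool handed to remote-access clients


@dataclass
class Cluster:
    name: str
    local_nets: set                      # networks directly behind the cluster
    s2s_domain: set                      # VPN domain advertised to site-to-site peers
    ra_domain: set = field(default_factory=set)  # encryption domain pushed to RA clients
    ra_enabled: bool = False


# Links from the drawing: backbone between 1 and 2, tunnels 3<->1 and 3<->2.
BACKBONE = {"cluster1": {"cluster2"}, "cluster2": {"cluster1"}}
S2S = {"cluster1": {"cluster3"}, "cluster2": {"cluster3"}, "cluster3": {"cluster1", "cluster2"}}


def build_topology(pool_in_s2s_domain=True):
    """Configuration from the reply: RA on clusters 1 and 3, RA domain = all three nets.

    With pool_in_s2s_domain=False the Office Mode pool is left out of the
    site-to-site VPN domains, the misconfiguration the check below catches.
    """
    extra = {OM_POOL} if pool_in_s2s_domain else set()
    return {
        "cluster1": Cluster("cluster1", {"Net1"}, {"Net1"} | extra, set(NETS), True),
        "cluster2": Cluster("cluster2", {"Net2"}, {"Net2"}),
        "cluster3": Cluster("cluster3", {"Net3"}, {"Net3"} | extra, set(NETS), True),
    }


def ra_path(clusters, entry, dest):
    """Explain how an RA client connected to `entry` reaches `dest`, or why it cannot."""
    c = clusters[entry]
    if not c.ra_enabled:
        return f"fail: remote access is not enabled on {entry}"
    if dest not in c.ra_domain:
        return f"fail: {dest} is not in the RA encryption domain of {entry}"
    if dest in c.local_nets:
        return "ok: directly behind the entry cluster"
    for peer in BACKBONE.get(entry, ()):
        if dest in clusters[peer].local_nets:
            return f"ok: routed over the backbone to {peer}"
    for peer in S2S.get(entry, ()):
        if dest in clusters[peer].s2s_domain:
            # Assumption: the peer only accepts tunnel traffic whose source lies in
            # the entry cluster's VPN domain, so the Office Mode pool must be in it.
            if OM_POOL not in c.s2s_domain:
                return f"fail: {OM_POOL} is not in the site-to-site VPN domain of {entry}"
            return f"ok: site-to-site tunnel to {peer}"
    return f"fail: no path from {entry} to {dest}"


def audit(clusters):
    """Check every RA entry point against every network; returns {(entry, net): result}."""
    return {
        (name, net): ra_path(clusters, name, net)
        for name, c in clusters.items() if c.ra_enabled
        for net in NETS
    }


if __name__ == "__main__":
    for (entry, net), result in audit(build_topology()).items():
        print(f"{entry} -> {net}: {result}")
    print("--- Office Mode pool missing from the site-to-site domains ---")
    for (entry, net), result in audit(build_topology(pool_in_s2s_domain=False)).items():
        print(f"{entry} -> {net}: {result}")
```

Running it with the default topology reports a working path for all six (entry, network) pairs: Net2 from cluster 1 goes over the backbone, Net3 from cluster 1 and Net1/Net2 from cluster 3 go through the site-to-site tunnels. The second run shows the failure mode the model is built to surface: when the remote-access pool is not part of the entry cluster's site-to-site VPN domain, only the local network and the backbone-routed network remain reachable. Return routing for the pool over the backbone is assumed to be in place and is not modelled.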
FtW64
Participant

Thanks! I guess I overlooked the possibility to specify specific encryption domains for RemoteAccess and the Site-2-Site VPN.

I will give this a try.

0 Kudos