This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mbennett1
Employee
Employee
‎2021-12-28 09:50 AM

Unnumbered VTI to 3rd party gateway

Hey Everyone I created a technical whitepaper on how to connect and send all traffic through an unnumbered virtual tunnel interface (VTI) 

Labels
Preview file
1205 KB
7 Replies
the_rock
Champion
Champion
‎2021-12-30 10:30 AM

Correct me if Im wrong when I say this, but I always set up route based VPN (in this case either with numbered or un-numbered VTI) with empty enc domain for BOTH CP gateway and 3rd party and it always works.

Bob_Zimmerman
Advisor
‎2021-12-30 01:04 PM
In response to the_rock

You only actually need one of them to be empty. The purpose of the empty group for the encryption domain is to break the domain-based logic for flagging "interesting" traffic. That logic says if the source is in my encryption domain and the destination is in a peer's encryption domain, flag the connection for encryption to that peer. This matching is done before any NAT can be performed. By setting one encryption domain to an empty group, either the source isn't in yours, or the destination isn't in the peer's.

That leaves the traffic free to route "out" the VTI, which is what triggers encryption with a route-based VPN.

The encryption domains are also used for a sort of anti spoofing. If you've ever seen "According to the policy, the packet should not have been decrypted", that means the packet was decrypted from a particular peer, but either the source was not in that peer's encryption domain or the destination was not in your encryption domain. Similarly, "Received a cleartext packet inside an encrypted connection" means the packet was received in the clear, but the source is in some other firewall's encryption domain and the destination is in yours, so it should have come over a VPN between those peers. Route-based VPNs' use of an empty group for one or both of the encryption domains means you should never see either of these, though you may still see normal antispoofing drops.

the_rock
Champion
Champion
‎2021-12-30 01:08 PM
In response to Bob_Zimmerman

@Bob_Zimmerman ...we tried to make it work that way many times and even TAC could not figure it out, so we finally opted for empty groups on both ends and never had an issue. 

Bob_Zimmerman
Advisor
‎2021-12-31 01:18 AM
In response to the_rock

Weird. I've set up route-based VPNs with an empty group on only one peer in at least 30 different management domains. It definitely works in general. I wonder what was wrong.

the_rock
Champion
Champion
‎2021-12-31 04:23 AM
In response to Bob_Zimmerman

We even worked with escalations team and could not get it working on 3 different tunnels. But as soon as we did empty group on both sides, we never had an issue.

Tobias_Moritz
Advisor
‎2022-01-03 04:47 AM

@mbennett1 Is there any reason why you defined 3rd party peer object as "external managed checkpoint gateway" instead of just "interoperabel device"? You even named it "cisco", so I guess it was no CP box 🙂

0 Kudos
Duane_Toler
Advisor
2 weeks ago

Can you elaborate on configuration of the unnumbered interfaces for a cluster?  This part was missing from the PDF.  Thanks!

0 Kudos