CPUG - The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.
Hello gurus! I've crawled through the documentation, am completely lost and need some advice. We have two datacenters, with NGX R65 HA clusters in both, managed by a single SmartCenter, protecting an interconnected big LAN segment, 10.0.0.0/8. I need the following:

1. Redundant access for SecureClients (not a problem)
2. Redundant VPNs from _both_ clusters to a few 3rd-party gateways with different encryption properties. (Not Check Point)
3. Ideally managed from one SmartCenter (really large database)

Independently, these tasks are not hard, but when put together there are all sorts of errors, from VPN domain mismatch to overlapping communities on SecureClient.

Simplified details:

FW1: cluster in HA mode.
eth0 - external, real IP, let it be 11.11.11.11.
eth1 - DMZ, say, 192.168.11.1/24.
eth2 - internal, say, 192.168.1.1/24, to the core routers and 10.0.0.0/8.

FW2: cluster in HA mode.
eth0 - external, real IP, let it be 22.22.22.22.
eth1 - DMZ, say, 192.168.22.1/24.
eth2 - internal, 192.168.2.1/24, to the core routers and 10.0.0.0/8.

Both firewalls' policies are in traditional mode. The default routing from the core is determined on the core and can be via FW1 (192.168.1.1) or via FW2 (192.168.2.1). The rules on both firewalls are similar. Let's assume the routing on the core is via FW2 now.

The question: there are 3 external Ciscos I need to make tunnels with, with different encryption. Both the DMZ and 10.0.0.0/8 should be able to use this VPN. I have a separate NAT address for each one. Do I have to set up one star with a meshed center, or do I have to set up 6 individual stars/meshes, 3 on each gateway? Also, what encryption domain should I set that would not produce the "overlapping encryption error!" on SecureClients?

Also, if I have a traditional mode configuration, and there's a rule: src 10.0.0.0/8 -- dst some_dst -- any_proto -- action Encrypt, with encryption corresponding to some_dst's VPN properties, why does Check Point send it in the clear unless I include 10.0.0.0 in the encryption domain? I thought it should work like this only in simplified mode, and that in traditional mode the contents of the Action field determine the encryption. When I include it in the encryption domain, I have working connections from internal to this 3rd party, but all SecuRemote clients can't download the topology because of the overlapping encryption domain! And if I remove any overlaps, then on the second firewall there would be no 10.0.0.0/8 in the encryption domain, and if the core changes the default route because of some disaster, it will break all VPNs to the outside ;-)

I could solve all of this just by making 2 (SmartCenter + cluster) pairs and managing them separately, but it's x2 work. Is there any other way?

Note to forum keepers: I posted this to clustering; if you feel there's a more appropriate section, feel free to move this topic.

Last edited by newby; 2009-05-07 at 01:31. Reason: ip mismatch
Re: Encryption domain - the problem you'll have will be that the domains for site A and B overlap for the 10/8 space. If you can eliminate this overlap via NAT and use the NATted values for the encryption domain, then you only need one star community, with the local gateways as the center and the remote devices as the spokes. This assumes that the encryption settings are the same for all of these sites, etc. If you can't separate the 10/8 domains, you'll need to look at using route-based VPNs rather than domain-based. I've not had a lot of experience with this, but I believe this can work cross-vendor with Cisco. I hope your peers know what they're doing if you go down that path!
Thanks for the comments, Thorpuse!

Let's assume I have one spoke: then I could create one star community, set the encryption domain to 10/8 on the primary firewall, and something on the secondary. The connections from 10/8 are encrypted and everything is working. When I change the default routing and all packets go via the secondary firewall, how would it know that it should encrypt them?

Also, let's assume I have:

1 star community (FW1 and FW2 as center)
SP1, SP2, SP3 -- three spokes in this community, as interoperable devices, with different encryption properties specified in these devices
3 rules (traditional mode, remember?):

rule1: src 10/8, dst SP1_domain, SP1_ports, Encrypt (where the peer gateway and the encryption methods specific to SP1 are defined)
rule2: src 10/8, dst SP2_domain, SP2_ports, Encrypt (settings exclusive to SP2)
and so on in rule3.

I expect this to work as: a packet comes in, is matched against the rulebase, and if it matches, it is encrypted with the corresponding properties and sent to the corresponding spoke. Am I right? Or do the community settings override the manual settings? Also, do I have to modify the vpn_route.conf file in such a case?

Also, let's assume I have a 3rd variant: 3 star communities on FW1 (FW1-SP1_comm, FW1-SP2_comm, FW1-SP3_comm) and 3 star communities on FW2 (FW2-SP1_comm, FW2-SP2_comm, FW2-SP3_comm). This suits the restriction that no 2 gateways can connect via 2 or more communities. Next I create security rules and dedicate 6 NAT IP addresses -- a pair per spoke. The spokes are set up so that they accept connections from these IP addresses: FW1-to-SP1.ip, FW1-to-SP2.ip, etc. Then I NAT 10/8 to FW1-to-SP1.ip if the dest is SP1_net, etc. I set the encryption domain on each firewall to contain that NAT IP (i.e. on FW1 it would be FW1-*.ip). As a result I have no overlap, and hopefully SecureClient will eat it up. Would this scheme work, gurus?

I can be wrong, but IMO in this case a packet comes from 10/8 to SP1 via FW1, is NATed to FW1-to-SP1.ip, and is sent in the clear because 10/8 is not in FW1's encryption domain ;-(

Personally, I would just love to make route-based VPNs and all; I generally trust config files more than the GUI's "select encryption domain" thingy, I just can't find a good howto for making it work between Check Point and non-Check Point products. Especially when I do not have access to the 3rd-party devices ;-)
You can't use Traditional mode policy and VPN Communities. If you're using traditional mode, then your VPN tunnels are point-to-point, and you'll need to set up each one individually. I don't believe you can use route-based VPN with traditional mode policy.

Re RAS VPN Domain - The domain on both gateways needs to match completely. You can't do partially overlapping VPN domains with Remote Access without errors. I'm still in the testing process, but Endpoint Connect may deal with this differently.
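The rule stated in the reply above (the remote-access VPN domains of the two gateways must either match completely or not overlap at all; a partial overlap such as 10/8 appearing in both is an error) and the NAT workaround suggested earlier in the thread can be checked offline before touching SmartCenter. The script below is an added example written for this page; it is not Check Point code and was not posted in the thread. The gateway names, DMZ ranges and the NAT addresses 11.11.11.100 and 22.22.22.100 are constructed to match the simplified topology in the question, and the three scenarios are assumptions chosen to illustrate the rule, not a real configuration.

```python
"""Classify pairs of Check Point VPN domains as identical, disjoint or
partially overlapping, the distinction behind the "overlapping encryption
domain" failure on SecureClient topology download.

Added example for this thread; gateway names and addresses are constructed.
"""
from ipaddress import ip_network
from itertools import combinations

# Scenario 1 (constructed): the question as posted, 10/8 in both domains.
SCENARIO_OVERLAP = {
    "FW1": ["192.168.11.0/24", "10.0.0.0/8"],
    "FW2": ["192.168.22.0/24", "10.0.0.0/8"],
}

# Scenario 2 (constructed): the NAT workaround, each gateway advertises only
# its own NAT address instead of 10/8. The /32s are assumed values.
SCENARIO_NAT = {
    "FW1": ["192.168.11.0/24", "11.11.11.100/32"],
    "FW2": ["192.168.22.0/24", "22.22.22.100/32"],
}

# Scenario 3 (constructed): both gateways carry exactly the same domain,
# which the last reply says is the other acceptable state for Remote Access.
SCENARIO_IDENTICAL = {
    "FW1": ["192.168.11.0/24", "192.168.22.0/24", "10.0.0.0/8"],
    "FW2": ["192.168.11.0/24", "192.168.22.0/24", "10.0.0.0/8"],
}


def parse_domain(cidrs):
    """Normalise CIDR strings to a sorted, de-duplicated list of networks."""
    return sorted({ip_network(c, strict=False) for c in cidrs})


def overlapping_pairs(dom_a, dom_b):
    """All (net_a, net_b) combinations that share at least one address."""
    return [(a, b) for a in dom_a for b in dom_b if a.overlaps(b)]


def classify_pair(dom_a, dom_b):
    """'identical' and 'disjoint' are acceptable; 'partial_overlap' is not."""
    if dom_a == dom_b:
        return "identical"
    if not overlapping_pairs(dom_a, dom_b):
        return "disjoint"
    return "partial_overlap"


def check_topology(gateways):
    """gateways: mapping of gateway name -> list of CIDR strings.

    Returns one finding per gateway pair whose domains partially overlap,
    naming the networks responsible so they can be NATed or removed.
    """
    parsed = {name: parse_domain(cidrs) for name, cidrs in gateways.items()}
    findings = []
    for (n1, d1), (n2, d2) in combinations(sorted(parsed.items()), 2):
        if classify_pair(d1, d2) == "partial_overlap":
            nets = ", ".join(f"{a} vs {b}" for a, b in overlapping_pairs(d1, d2))
            findings.append(f"{n1}/{n2}: partial overlap ({nets})")
    return findings


def topology_ok(gateways):
    """True when no pair of gateways has a partially overlapping domain."""
    return not check_topology(gateways)


if __name__ == "__main__":
    for label, scenario in (("as posted", SCENARIO_OVERLAP),
                            ("NAT workaround", SCENARIO_NAT),
                            ("identical domains", SCENARIO_IDENTICAL)):
        findings = check_topology(scenario)
        print(f"{label}: {'OK' if not findings else 'ERROR'}")
        for line in findings:
            print("  " + line)
```

Run as a script it prints one verdict per scenario; only the first one reports an error, and the finding names 10.0.0.0/8 on both FW1 and FW2 as the cause. The check deliberately treats a fully identical domain as acceptable, because that is the configuration the reply recommends for Remote Access; anything between identical and disjoint is the case that breaks the topology download.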
Tags: cluster, encryption domains, mep, secure client, vpn