CPUG - The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all, Let me preface by saying I have read and understand "CheckPoint_NGX_VPN_Guide", all 484 pages... (OK, most of them and I'm sleepy now zzzzzzz). I was wondering if anyone had any "real world, hands-on experience" thoughts they would like to share on the merits or drawbacks of these 2 methods and possibly snags they ran into while converting.

Info on my setup: I am currently running NGX at most of my sites (and will finish upgrades on the rest within 2 months). Once my upgrades are completed, I will be re-writing all of my rulebases from scratch and cleaning up in general. I have 6 sites (that I manage) all together: 2 with NGX SPLAT active/passive cluster and 4 on Nokia (IPSO 4.0) using VRRP active/passive clusters. I also have 2 separate Management servers in HA at 2 different sites to serve disaster recovery purposes.

To date, all of my VPNs are using traditional mode VPN (pair of rules for each tunnel, 1 encrypt and 1 decrypt). I have no personal or professional issue with the "old way" to do things and actually find it quite easy. As far as site-to-site VPNs are concerned, all of my firewalls are participating in what could be called a meshed VPN. However, I also have some site-to-site VPNs with customers from my "hosting" center at an unmanned site in Atlanta. The customer VPNs are limited to the few web servers each one needs access to and limited to specific protocols necessary to operate and nothing more. Most of the other VPNs are simple: all LAN segments can get to other LAN segments at all sites, same with DMZ zones where they exist. This makes it easy to maintain redundancy between sites - AD replication, email, intranet web, etc.

The one issue I'm running into now is VPN-1 Edge devices, which are apparently supported only using simplified mode VPN Communities. For those of us who know VPNs, there obviously is the workaround with manual tunnels, but the 1 issue it does not fix is SecureClient VPN sessions. Since the Edge boxes are not part of the main multiple-site topology, my users must connect to either my main network or their own - connecting to both simultaneously is not possible. Of course, the Edge boxes are just temporary but it would be nice if they were meshed in from the start.

Anyway, as I stated earlier, I'm looking for real life thoughts on this. Any you can spare time for would be appreciated and may help me decide to stay old school or go new.

__________________
There's no place like 127.0.0.1
Personally, my brain likes the traditional mode; it's easier for me to think about. That being said, many new features (like route-based VPNs) are only supported in simplified mode. I have not found any real functional difference between the two. In the long run, you will be better served by converting to simplified mode.
I used to be a die hard Traditional mode user and hated Simplified. When Simplified came out I refused to change to it. With the threats of Check Point not including Traditional mode in their next release (at the time R55) I converted and love it. I find it much cleaner and easier to set up. I also agree with Jim and have not found any functional difference between the two. Whatever you can do in Traditional mode you can do in Simplified.
All vendors, looking at customer needs, create some ways to simplify VPN configuration. Cisco has EasyVPN, DMVPN (Dynamic Multipoint VPN) and some other new one (can't remember the abbreviation). Check Point has its own vision and solution. Fortigate does not put any improvements into VPN (official point of view: customers only want hub-and-spoke). It is simple to configure a site to site VPN for two sites. Try to configure full mesh for 30 sites :)

Last edited by Sergej; 2006-03-04 at 10:27.
I think simplified is the way to go on a large scale VPN deployment. We probably have about 300 VPNs and I don't know how we would manage it without communities. They made the build out much simpler and easier to manage. That being said, if you only have a few VPNs and are comfortable, I don't think it really matters.
Hi, we're gonna migrate to simplified VPN. All the VPN connections we have are to different customers' sites. Should we create a different community for every customer? Or should we place all customers with the same VPN encryption settings in the same community?

cheers, -jd-
It depends on the access you need for the VPNs. If everyone goes to the same place then yes, put them all in one community, but if some go to server A and others to server B, and so on, use separate communities.