CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Site To Site Vpn

  1. #1

    Default Site To Site Vpn

    Hi Team,

    I have Site to Site Vpn between CheckPoint R75.30 Cluster & ASG 525

    Now suppose Public / Private IP of CheckPoint => 111.111.111.111/10.0.32.1
    And Public / Private IP of ASG => 222.222.222.222/192.168.1.1

    Check Point LAN IP Pool => 10.0.32.0/24
    ASG LAN Pool => 192.168.1.0/24

    Now I'm able to Web GUI 192.168.1.1 from 10.0.32.5 (No Hide NAT)
    But I'm not able to Web GUI 222.222.222.222 from 10.0.32.10 (Hide NAT)

    10.0.32.0/24 => 192.168.1.0/24 => No NAT rule is configured

    Once I add https in the excluded services I'm able to access the Web GUI on 222.222.222.222 from 10.0.32.10 but not able to access it on 192.168.1.1 from 10.0.32.5

    Is there any way I can access the local / live IP at the same time behind the Check Point gateway?

  2. #2

    Default Re: Site To Site Vpn

    One thing to remember about Check Point VPN in Simplified Mode is that it adds the Remote Gateway's IP into the Encryption Domain.

    As such, as far as the Check Point is concerned, 222.222.222.222 is part of the encryption domain of the 222.222.222.222 gateway. It will therefore attempt to encrypt traffic to 222.222.222.222 as well as to the 192.168.1.0/24 network.

    By excluding https from the VPN, the https to 222.222.222.222 is excluded from the VPN and so goes out over the network as regular https rather than being encrypted over the VPN. Of course it also stops you connecting via https to the 192.168.1.0/24 network, as https is excluded from the whole VPN tunnel, not from specific IPs.

    sk44014 on the Check Point website knowledgebase explains exactly what to enter into crypt.def to exclude the external address of the VPN Gateway from the encryption domain on R7x. This basically tells the Check Point Gateways managed by the Management Server not to encrypt traffic destined for 222.222.222.222. Traffic forming the VPN tunnel, i.e. the IKE packets etc., is not considered encryption in this case as it is the VPN tunnel itself.

    Depending upon your combination of Gateway and Management Software, you need to make sure that you read the correct Management Server and Gateway combination to find the correct location for the file. You will also need to remember to do this when you upgrade the Management Server and Gateways to ensure that it continues to do this exclusion.

  3. #3

    Default Re: Site To Site Vpn

    Hi Sir,

    Thanks for the response, it's working fine

    Now my other issue is that if I have a 222.222.222.222/29 live IP pool and my 192.168.1.2 is static NATted to 222.222.222.224 & 192.168.1.3 is static NATted to 222.222.222.225.

    I'm facing the same issue that I am unable to access 222.222.222.224 or 225 behind the Check Point.

    So can I do the below changes, like define the whole subnet?

    #ifndef NON_VPN_TRAFFIC_RULES
    #define NON_VPN_TRAFFIC_RULES (dst=222.222.222.222/29)
    #endif

    thanks once again
    Last edited by yualme; 2013-08-06 at 05:13.
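The following is an added illustration and is not code from this thread, from Check Point, or from sk44014. It models, in Python, the two points made in post #2 (in Simplified Mode the remote gateway's own IP becomes part of the peer's encryption domain; an Excluded Service is removed from the whole tunnel, whereas a crypt.def NON_VPN_TRAFFIC_RULES destination only removes traffic to that destination) and the prefix question in post #3. It does not parse crypt.def or INSPECT; the `dst=a.b.c.d/29` notation from post #3 is simply modeled as a CIDR prefix, which is an assumption of this example rather than something the thread establishes. The class, function and field names are all invented for the illustration, and the addresses are the ones the thread uses.

```python
"""Model of Simplified Mode tunnel selection and the two exclusion methods
discussed in the thread. Added example; not Check Point code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VpnPeer:
    """Hypothetical representation of one remote gateway in a VPN community."""
    name: str
    external_ip: str          # the peer gateway's public address
    networks: list            # the peer's declared encryption domain


@dataclass
class SimplifiedVpn:
    """Hypothetical model of the local gateway's view of one peer."""
    peer: VpnPeer
    excluded_services: set = field(default_factory=set)   # "Excluded Services" in the community
    non_vpn_dst: list = field(default_factory=list)       # NON_VPN_TRAFFIC_RULES (dst=...) entries

    def encryption_domain(self):
        # Simplified Mode behaviour from post #2: the peer's own external IP
        # is treated as part of its encryption domain.
        nets = [ipaddress.ip_network(n) for n in self.peer.networks]
        nets.append(ipaddress.ip_network(self.peer.external_ip))
        return nets

    def goes_through_tunnel(self, dst, service):
        """True if a packet to dst for the given service would be encrypted."""
        d = ipaddress.ip_address(dst)
        if not any(d in n for n in self.encryption_domain()):
            return False                     # not VPN traffic at all
        if service in self.excluded_services:
            return False                     # removed from the whole tunnel, every destination
        if any(d in ipaddress.ip_network(p, strict=False) for p in self.non_vpn_dst):
            return False                     # removed only for the listed destination(s)
        return True


def scenarios():
    """Reproduce the three situations from posts #1 and #2 for https traffic."""
    asg = VpnPeer("ASG 525", "222.222.222.222", ["192.168.1.0/24"])
    variants = [
        ("no exclusion", SimplifiedVpn(asg)),
        ("https excluded", SimplifiedVpn(asg, excluded_services={"https"})),
        ("crypt.def", SimplifiedVpn(asg, non_vpn_dst=["222.222.222.222"])),
    ]
    targets = ["222.222.222.222", "192.168.1.1"]
    return {name: {dst: vpn.goes_through_tunnel(dst, "https") for dst in targets}
            for name, vpn in variants}


def prefix_coverage(prefix, hosts):
    """Which of the given hosts a prefix written as address/length actually covers.

    strict=False normalises a host address to its network, the way a mask would
    be applied; the check in post #3 is whether .224 and .225 fall inside the /29.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return {
        "network": str(net),
        "covers": {h: ipaddress.ip_address(h) in net for h in hosts},
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:15s} {result}")
    print(prefix_coverage("222.222.222.222/29",
                          ["222.222.222.222", "222.222.222.224", "222.222.222.225"]))
```

The `scenarios()` result shows why the Excluded Services workaround traded one problem for another: with https excluded, neither the public address nor 192.168.1.1 is reached through the tunnel, while the crypt.def destination entry leaves 192.168.1.1 encrypted and only takes 222.222.222.222 out. `prefix_coverage()` is the check to run before pasting a prefix into crypt.def: `222.222.222.222/29` normalises to the 222.222.222.216/29 block, so a destination list has to be chosen from the addresses that block actually contains.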
