CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Need some help for site-to-site VPN

  1. #1 Need some help for site-to-site VPN

    Hello all,

    I'm working on setting up a VPN between two sites (A and B) we own.
    The VPN will be established between two clusters of IP390 R75.30.

    Here is what it looks like:
    [usersA] --- [checkpointclusterA] --- [INTERNET] --- [checkpointclusterB] --- [INTRANET + INTERNET2]

    Users on site A have to access our INTRANET and INTERNET2.
    The VPN will be established between checkpointclusterA and checkpointclusterB.

    So I want to configure a "meshed" (not really, because there are only 2 clusters) domain-based VPN.
    The encryption domain set on checkpointclusterA will (obviously) be the usersA network.
    How do I set the encryption domain on checkpointclusterB? I know SmartDashboard won't agree if I don't set an encryption domain, so can I create a group with "any" inside? Maybe create a blank group? Does anyone know?

    Maybe it's not the right way to set up my VPN; any advice will be helpful.

    Thanks for your help.
    Last edited by steuk; 2013-08-28 at 06:12.

  2. #2 Re: Need some help for site-to-site VPN

    I don't think you will make that work, as I can't see how you can force the Site A cluster to route all traffic up the VPN tunnel, which is what you would need to do.

    If Site A was an Edge box/Cisco then you could use the Route All Traffic option in the VPN configuration on the box and a Star VPN Community with VPN Routing option 3.

    Is there a particular reason you need to have access to the Internet for Site A via the Site B cluster?
    Can Site A not be allowed to access the Internet directly?

  3. #3 Re: Need some help for site-to-site VPN

    Thanks for your answer.

    Users (20 people) on site A are connected to a Cisco switch; the default gateway will be checkpointclusterA.
    checkpointclusterA has to reach checkpointclusterB through the VPN.
    Nobody is able to go on the Internet directly from site A, for company reasons...
    This design is only a temporary solution.

    Why can't I route all the traffic through the VPN?

  4. #4 Re: Need some help for site-to-site VPN

    If you can find an option to do that on a regular Check Point gateway then there is no reason why you can't. However, I have never found one, only on an Edge device. I don't know if anyone else here has found a way to do it; they may be able to correct me if my experience is wrong.

    As to why Check Point don't seem to provide this option (more than happy to be corrected if you know how to do this on a regular gateway), you would need an answer from Check Point.

  5. #5 Re: Need some help for site-to-site VPN

    Quote Originally Posted by mcnallym:
        If you can find an option to do that on a regular Check Point gateway then there is no reason why you can't. However, I have never found one, only on an Edge device. I don't know if anyone else here has found a way to do it; they may be able to correct me if my experience is wrong.

        As to why Check Point don't seem to provide this option (more than happy to be corrected if you know how to do this on a regular gateway), you would need an answer from Check Point.

    Has this issue been tackled by anyone else by now?
    I find it very odd not to be able to solve this type of scenario with Check Point appliances.

  6. #6 Re: Need some help for site-to-site VPN

    You configure your community as a star and:

    Advanced Settings -> VPN Routing -> "To Center or through center to other satellites, to internet and other VPN targets"

    This is the easiest way.

  7. #7 Re: Need some help for site-to-site VPN

    This should be easy to set up. chillyjim's last post would be my first thing to check. You would not be able to effectively put an "any" into an encryption domain, and any attempt to do so would likely cause other traffic issues.

  8. #8 Re: Need some help for site-to-site VPN

    I agree with the last two posts. The VPN domain is required to create the subnet pairs within phase 2 for the site-to-site VPN. I have never personally used a star community to route all traffic and Internet via the centre gateway, but I can't see why it would not work in this instance. If not, you could always use an Internet proxy running on one site and access it from the other site via its LAN IP (via an IPsec VPN)....
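As an added illustration of the two points made in posts #6 and #8 (this is example code written for this thread, not Check Point's implementation or anyone's posted configuration), the Python model below decides which peer a packet is encrypted to under a meshed community versus a star community with the "to center ... to Internet and other VPN targets" VPN Routing option, and derives the phase 2 subnet pairs from the encryption domains. The addressing (10.1.0.0/24 for usersA, 10.2.0.0/16 for the INTRANET, 203.0.113.10 as an Internet host) is constructed, and the decision rules are a deliberate simplification: only traffic leaving the local domain for a peer's domain is tunnelled in a mesh, while a star satellite with route-all enabled sends every non-local destination to the center.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample addressing for the thread's diagram; none of these
# values come from the post.
USERS_A = ip_network("10.1.0.0/24")        # encryption domain of checkpointclusterA
INTRANET = ip_network("10.2.0.0/16")       # network behind checkpointclusterB
INTERNET_HOST = "203.0.113.10"             # a destination on INTERNET2, reached via site B


@dataclass
class Gateway:
    name: str
    domain: List[IPv4Network] = field(default_factory=list)

    def in_domain(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.domain)


@dataclass
class Community:
    kind: str                               # "mesh" or "star"
    members: Dict[str, Gateway]
    center: Optional[str] = None            # star communities only
    route_all_through_center: bool = False  # the VPN Routing option named in post #6


def _peer_owning(c: Community, exclude: str, dst: str) -> Optional[str]:
    """Name of the member (other than `exclude`) whose domain contains dst."""
    for name, gw in c.members.items():
        if name != exclude and gw.in_domain(dst):
            return name
    return None


def tunnel_peer(c: Community, src_gw: str, src: str, dst: str) -> Optional[str]:
    """Gateway that traffic from src (behind src_gw) to dst is encrypted to,
    or None when the packet never enters a tunnel (simplified model)."""
    me = c.members[src_gw]
    if not me.in_domain(src) or me.in_domain(dst):
        return None                 # not VPN traffic: foreign source, or stays local
    if c.kind == "mesh" or src_gw == c.center:
        return _peer_owning(c, src_gw, dst)   # only destinations inside a peer's domain
    # satellite in a star community
    if c.route_all_through_center or c.members[c.center].in_domain(dst):
        return c.center             # everything goes via the center when route-all is on
    return None


def phase2_pairs(local: Gateway, peer: Gateway) -> List[Tuple[IPv4Network, IPv4Network]]:
    """Subnet pairs a domain-based IPsec SA is negotiated for (post #8's point:
    with no domain on one side there is nothing to pair)."""
    return [(l, p) for l in local.domain for p in peer.domain]


def overlapping_domains(a: Gateway, b: Gateway) -> List[Tuple[IPv4Network, IPv4Network]]:
    """Network pairs common to both domains; an 'any' (0.0.0.0/0) domain
    overlaps everything, including the peer's own domain."""
    return [(x, y) for x in a.domain for y in b.domain if x.overlaps(y)]


def build(kind: str, domain_b: List[str], route_all: bool = False) -> Community:
    """Constructed two-cluster community matching the thread's diagram."""
    a = Gateway("checkpointclusterA", [USERS_A])
    b = Gateway("checkpointclusterB", [ip_network(n) for n in domain_b])
    return Community(kind, {a.name: a, b.name: b},
                     center=b.name if kind == "star" else None,
                     route_all_through_center=route_all)


def demo() -> Dict[str, Optional[str]]:
    """Run the three scenarios discussed in the thread and return the peer chosen."""
    user = "10.1.0.25"
    mesh = build("mesh", [str(INTRANET)])
    mesh_any = build("mesh", ["0.0.0.0/0"])
    star = build("star", [str(INTRANET)], route_all=True)
    return {
        "mesh_to_intranet": tunnel_peer(mesh, "checkpointclusterA", user, "10.2.5.5"),
        "mesh_to_internet": tunnel_peer(mesh, "checkpointclusterA", user, INTERNET_HOST),
        "mesh_any_to_internet": tunnel_peer(mesh_any, "checkpointclusterA", user, INTERNET_HOST),
        "star_to_internet": tunnel_peer(star, "checkpointclusterA", user, INTERNET_HOST),
        "star_center_to_userA": tunnel_peer(star, "checkpointclusterB", "10.2.5.5", user),
    }


if __name__ == "__main__":
    for scenario, peer in demo().items():
        print(f"{scenario:24s} -> {peer}")
    any_mesh = build("mesh", ["0.0.0.0/0"])
    print("overlap with 'any' domain:",
          overlapping_domains(any_mesh.members["checkpointclusterA"],
                              any_mesh.members["checkpointclusterB"]))
```

Running it shows the contrast the thread turns on: in the plain mesh, Internet-bound traffic from usersA is not matched by any peer domain and leaves in clear, whereas the star with route-all sends it to checkpointclusterB. Putting 0.0.0.0/0 in B's domain also makes the mesh tunnel that traffic, but `overlapping_domains` immediately reports that B's domain now swallows A's own 10.1.0.0/24, which is the kind of side effect post #7 warns about.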
