CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


 


Thread: How to convert traditional mode VPN policy to simplified mode VPN policy

  1. #1
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    172
    Rep Power
    5

    How to convert traditional mode VPN policy to simplified mode VPN policy

    We have a policy (R77.20) which uses traditional mode VPNs. We want to convert it to a policy using simplified mode VPN.
    The current policy defines roughly 80 Site-2-Site VPNs. The converted, new policy should have a dedicated VPN Domain for each Site-2-Site VPN.
    The VPNs use shared secrets. What is the simplest way to achieve that?

  2. #2
    Join Date
    2007-06-04
    Posts
    3,176
    Rep Power
    13

    Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    In order to convert the policy, you have to remove all existing VPN configuration, convert the policy, then add the VPN configuration back in. It is a manual process. Make sure that you document all of the VPNs, as you will need to remove them.

    I presume that when you say a dedicated VPN Domain for each S2S VPN, you meant community. You can still only have 1 VPN Domain on a Gateway.

  3. #3
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    172
    Rep Power
    5

    Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    The lab experience shows that I can convert the policy from traditional mode to simplified mode WITHOUT removing all VPN definitions. But the conversion wizard can put all the gateways only in a single VPN Community. As far as I could see, you lose the Phase 2 IPSec parameters, which were defined in the Encrypt properties of the rule base.
    Apart from that, all Phase 1 parameters and the shared secrets are still available, since they are defined on the gateway object.

    For my case, I need to create a new VPN Community for each existing Site-2-Site and adjust the params accordingly.

    Question 1: When using the simplified mode policy, do the parameter values of the VPN community take precedence over the traditional mode parameters, which are still present on the gateway object?

    Question 2: Can we create a bunch of VPN Communities using dbedit?

  4. #4
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    3

    Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    Originally posted by slowfood27:
        Question 1: When using the simplified mode policy, do the parameter values of the VPN community take precedence over the traditional mode parameters, which are still present on the gateway object?

        Question 2: Can we create a bunch of VPN Communities using dbedit?

    Answer 1: You cannot have Simplified and Traditional Mode VPNs in the same policy. So this is a moot point.

    Answer 2: Yes, you should be able to. I do not know the commands to do so though...

  5. #5
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    172
    Rep Power
    5

    Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    I successfully created a dbedit script in order to create a VPN Community. All of the required parameters are there, except the shared secret for that community.
    How can I enter the shared secret of that community with a dbedit command?
