CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: How to convert traditional mode VPN policy to simplified mode VPN policy

  1. #1
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    223
    Rep Power
    6

How to convert traditional mode VPN policy to simplified mode VPN policy

    We have a policy (R77.20) which uses traditional mode VPNs. We want to convert it to a policy using simplified mode VPN.
    The current policy defines roughly 80 Site-2-Site VPNs. The converted, new policy should have a dedicated VPN Domain for each Site-2-Site VPN.
    The VPNs use shared secrets. What is the simplest way to achieve that?

  2. #2
    Join Date
    2007-06-04
    Posts
    3,241
    Rep Power
    15

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    In order to convert the policy you have to remove all existing VPN configuration, convert the policy, then add the VPN configuration back in. It is a manual process. Make sure that you document all of the VPNs, as you will need to remove them.

    I presume when you say a Dedicated VPN Domain for each S2S VPN that meant community. You can still only have 1 VPN Domain on a Gateway.

  3. #3
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    223
    Rep Power
    6

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    The LAB experience shows that I can convert the policy from traditional mode to simplified mode WITHOUT removing all VPN definitions. But the conversion wizard can put all the gateways only in a single VPN Community. As far as I could see you lose the Phase 2 IPSec Parameters, which were defined in the Encrypt properties of the rule base.
    Apart from that, all Phase 1 parameters and the shared secrets are still available, since they are defined on the gateway object.

    For my case, I need to create a new VPN Community for each existing Site-2-Site and adjust the params accordingly.

    Question 1: When using the simplified mode policy, do the parameter values of the VPN community take precedence over the traditional mode parameters, which are still present on the gateway object?

    Question 2: Can we create a bunch of VPN Communities using dbedit?

  4. #4
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    4

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    Quote Originally Posted by slowfood27:
    Question 1: When using the simplified mode policy, do the parameter values of the VPN community take precedence over the traditional mode parameters, which are still present on the gateway object?

    Question 2: Can we create a bunch of VPN Communities using dbedit?

    Answer 1: You cannot have Simplified and Traditional Mode VPNs in the same policy. So this is a moot point.

    Answer 2: Yes, you should be able to. I do not know the commands to do so though...

  5. #5
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    223
    Rep Power
    6

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    I successfully created a dbedit script in order to create a VPN Community. All of the required parameters are there, except the shared secret for that community.
    How can I enter the shared secret of that community with a dbedit command?

  6. #6
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    223
    Rep Power
    6

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    While testing the new, converted policy we had some side effects we can't explain.
    We have all site to site VPN rules at the top of the policy.
    Somewhere further down, we have the following rule:

    Source: 172.16.186.0 (which is part of the encryption domain of our local gateway)
    Destination: any
    Service: any

    With the traditional mode VPN setup, the rule above gets fired unencrypted, as expected.
    With the simplified mode policy, the firewall tries to encrypt connections within its own encryption domain, which of course fails, since there is no valid SA.

    Example:
    Source: 172.16.186.55 (part of the local encryption domain)
    Destination: 192.168.99.33 (part of the local encryption domain)
    service: nbsession

    Any ideas why that connection is treated "encrypt"?

  7. #7
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,005
    Rep Power
    13

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    The process of conversion is thoroughly described in the Check Point VPN admin guide: https://sc1.checkpoint.com/documents...uide/13941.htm
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  8. #8
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,082
    Rep Power
    12

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    Also just FYI the tool used to convert Traditional Mode VPNs to Simplified Mode VPNs no longer exists in R80 management and later, so the time to make the conversion from Traditional to Simplified Mode VPN is *before* upgrading management to R80+.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  9. #9
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    223
    Rep Power
    6

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    Thanks folks for your input.
    The policy is now converted and clean; it will go live soon.
    The problems we had were caused by 2 elements:

    1. A partner's encryption domain overlapped with internal networks
    2. Each community needs encryption exclusion for the IPSec Protocols

  10. #10
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    636
    Rep Power
    5

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    Quote Originally Posted by slowfood27:
    Thanks folks for your input
    2. Each community needs encryption exclusion for the IPSec Protocols

    What do you mean by that?

  11. #11
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    223
    Rep Power
    6

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    Quote Originally Posted by laf_c:
    What do you mean by that?

    It means that you cannot encrypt everything within your community. Before the VPN Tunnel is established (or needs to be re-established) the 2 gateways need to exchange the relevant parameters using the IKE protocol. And this protocol (UDP port 500) must be defined in the advanced section --> Excluded Services.

  12. #12
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    223
    Rep Power
    6

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    After converting the policy from traditional to simplified mode, we ran into a weird problem we didn't have before.

    We have a site to site VPN with HPE, and its encryption domain consists of a single public IP address 131.124.93.147.
    Additionally, internal users access the Internet HP Portal (via our DMZ Proxy), which has the same public address 131.124.93.147.

    With traditional mode, this constellation worked. With traditional mode, the gateway tries to encrypt everything with the destination address 131.124.93.147, regardless of the Services defined in the policy.
    As a result, the un-encrypted access to the public portal doesn't work anymore.

    Any ideas?

  13. #13
    Join Date
    2012-07-10
    Location
    Zurich, Switzerland
    Posts
    223
    Rep Power
    6

Re: How to convert traditional mode VPN policy to simplified mode VPN policy

    Solved

    This is one of the nasty "features" of simplified mode: the VPN is always preferred over any other rule where source and destination match.
    To get the stuff running, we had to add an exclusion for the HTTPS protocol.
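The three problems reported in this thread (local-to-local traffic being sent into a tunnel because a partner's domain overlapped internal networks, IKE needing an exclusion in every community, and a peer domain that is also a clear-text destination) all come down to the simplified-mode matching behaviour stated above: a connection whose source and destination fall in a community's two domains is handed to the VPN before any plain rule is consulted, whatever the service, unless that service is excluded. The following Python model is an added example, not code from this thread or from Check Point; it reproduces that matching rule and runs the pre-conversion checks a practitioner would want. Community names, the 10.99.0.0/24 network and the service strings are constructed; 172.16.186.0/24, 192.168.99.0/24 and 131.124.93.147 are the addresses quoted in the posts.

```python
"""Added example, not code from the CPUG thread or from Check Point.

Models how a simplified-mode policy picks a VPN community for a connection
(community match first, regardless of service, unless the service is
excluded) and pre-checks a set of communities for the pitfalls reported in
the thread: a peer encryption domain overlapping internal networks, a
missing IKE exclusion, and a clear-text destination that a community would
capture. Addresses 172.16.186.x / 192.168.99.x / 131.124.93.147 are from the
thread; 10.99.0.0/24, the community names and service strings are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class Community:
    name: str
    local_domain: list
    peer_domain: list
    # Services that stay clear-text even when src/dst match the community
    # (the "Excluded Services" setting mentioned in post #11).
    excluded_services: set = field(default_factory=set)


def in_any(ip, networks):
    return any(ip in n for n in networks)


def match_community(src, dst, service, communities):
    """Return the first community whose domains cover src<->dst, or None.

    This is the simplified-mode rule from post #13: a domain match wins
    over any later plain rule, whatever the service, unless excluded."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for c in communities:
        if service in c.excluded_services:
            continue
        if (in_any(src, c.local_domain) and in_any(dst, c.peer_domain)) or \
           (in_any(src, c.peer_domain) and in_any(dst, c.local_domain)):
            return c.name
    return None


def overlapping_peer_domains(communities, internal_networks):
    """Peer domains that overlap internal networks (post #9, point 1)."""
    return [(c.name, str(p), str(i))
            for c in communities
            for p in c.peer_domain
            for i in internal_networks
            if p.overlaps(i)]


def missing_ike_exclusion(communities):
    """Communities that would try to encrypt IKE itself (post #11)."""
    return [c.name for c in communities if "IKE" not in c.excluded_services]


def cleartext_conflicts(communities, cleartext_targets):
    """Clear-text flows (src, dst, service) a community would capture (post #12)."""
    hits = []
    for src, dst, svc in cleartext_targets:
        name = match_community(src, dst, svc, communities)
        if name is not None:
            hits.append((src, dst, svc, name))
    return hits


LOCAL = nets("172.16.186.0/24", "192.168.99.0/24")

# Constructed community set modelled on the thread's situation.
COMMUNITIES = [
    Community("partner-A", LOCAL, nets("192.168.99.0/24")),       # overlaps LOCAL
    Community("hpe", LOCAL, nets("131.124.93.147/32"), {"IKE"}),   # also the portal IP
]

# Traffic that must leave unencrypted: internal users reaching the public portal.
CLEARTEXT = [("172.16.186.55", "131.124.93.147", "https")]


def fixed_communities():
    """The same set after the thread's fixes: a non-overlapping peer domain
    for partner-A (constructed 10.99.0.0/24), IKE excluded everywhere, and
    an HTTPS exclusion on the HPE community."""
    return [
        Community("partner-A", LOCAL, nets("10.99.0.0/24"), {"IKE"}),
        Community("hpe", LOCAL, nets("131.124.93.147/32"), {"IKE", "https"}),
    ]


if __name__ == "__main__":
    # The post #6 symptom: a local-to-local connection is sent to a community.
    print(match_community("172.16.186.55", "192.168.99.33", "nbsession", COMMUNITIES))
    print(overlapping_peer_domains(COMMUNITIES, LOCAL))
    print(missing_ike_exclusion(COMMUNITIES))
    print(cleartext_conflicts(COMMUNITIES, CLEARTEXT))
    print(cleartext_conflicts(fixed_communities(), CLEARTEXT))
```

Running the checks against a community set before the policy goes live shows the first two findings in the thread without a tunnel ever coming up: the 192.168.99.33 connection is claimed by "partner-A" only because that community's peer domain overlaps an internal network, and the portal flow is claimed by "hpe" until HTTPS is excluded. The real product evaluates rule order, NAT and gateway objects that this model leaves out, so treat it as a pre-check, not a substitute for testing on the gateway.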
