CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Route based vs policy based vpn

  #1: Route based vs policy based vpn

    Hi Team,
    Can we run route based vpn and policy based vpn on the same firewall???

    Regards,
    Ram T S

  #2: Re: Route based vs policy based vpn

    Quote Originally Posted by iamramu92:
    Hi Team,
    Can we run route based vpn and policy based vpn on the same firewall???

    Regards,
    Ram T S

    No
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  #3: Re: Route based vs policy based vpn

    Yes you can.

    Define 3 Gateways:

    1st Gateway: define an Encryption Domain, populate with Networks behind the gateway.

    2nd Gateway: define an Encryption Domain, populate with Networks behind the gateway.

    3rd Gateway: define an Encryption Domain that is an Empty Group.

    Define VTIs on the 1st and 3rd Gateways and build a Route Based VPN between 1st and 3rd.

    Build a Domain Based VPN between Gateway 1 and 2.

    Although you have an Encryption Domain defined on gateway 1, when building a VPN to gateway 3 that has an empty group it will use a Route Based VPN to Gateway 3. If you specify Gateway 3's enc domain with Networks in it, then even though you have all the VTIs in place etc., the Gateway 1 to 3 VPN would become Domain Based instead.

    Yes, I do actually have this in use for a Customer. Uses Domain based VPNs between internal gateways and Route Based from the same gateway to AWS. Simply define the AWS Gateways with an Empty Group.

  #4: Re: Route based vs policy based vpn

    Quote Originally Posted by mcnallym:
    Yes you can.

    Define 3 Gateways:

    1st Gateway: define an Encryption Domain, populate with Networks behind the gateway.

    2nd Gateway: define an Encryption Domain, populate with Networks behind the gateway.

    3rd Gateway: define an Encryption Domain that is an Empty Group.

    Define VTIs on the 1st and 3rd Gateways and build a Route Based VPN between 1st and 3rd.

    Build a Domain Based VPN between Gateway 1 and 2.

    Although you have an Encryption Domain defined on gateway 1, when building a VPN to gateway 3 that has an empty group it will use a Route Based VPN to Gateway 3. If you specify Gateway 3's enc domain with Networks in it, then even though you have all the VTIs in place etc., the Gateway 1 to 3 VPN would become Domain Based instead.

    Yes, I do actually have this in use for a Customer. Uses Domain based VPNs between internal gateways and Route Based from the same gateway to AWS. Simply define the AWS Gateways with an Empty Group.

    Right, and domain-based VPN will always take precedence over route-based VPN. So if the source of candidate traffic falls into the sending firewall's VPN domain and the destination falls into a peer's VPN domain, the traffic will be "interesting" and encrypted into the associated VPN tunnel. However, if domain-based VPN does not deem the traffic "interesting" (due to an empty group in one of the peers' VPN domains), the traffic can still be deemed interesting by route-based VPN, through the action of IP routing determining that the next hop to reach a remote network is via a VTI instead of a physical/logical interface like ethX.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
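The precedence described in the reply above (domain-based match first, route-based via a VTI only if that fails), modelled as an added example; this is constructed illustration code, not Check Point's own logic. The gateway names, prefixes, interface names and the "vt-" naming convention for VTIs are all assumptions made up for the example.

```python
import ipaddress

# Constructed example topology (not the poster's customer setup): gw1 is the
# local gateway, gw2 is a domain-based peer, gw3 is the route-based peer and
# deliberately gets an empty encryption domain, as suggested in the thread.
VPN_DOMAINS = {
    "gw1": [ipaddress.ip_network("10.1.0.0/16")],
    "gw2": [ipaddress.ip_network("10.2.0.0/16")],
    "gw3": [],  # empty group: never "interesting" to domain-based VPN
}

# gw1 routing table as (prefix, egress interface); "vt-gw3" is the VTI to gw3.
GW1_ROUTES = [
    (ipaddress.ip_network("10.1.0.0/16"), "eth1"),
    (ipaddress.ip_network("172.16.0.0/12"), "vt-gw3"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),
]

def in_domain(addr, domain):
    return any(addr in net for net in domain)

def longest_match(routes, addr):
    """Plain longest-prefix lookup; returns (prefix, interface) or None."""
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def with_domain(domains, gw, cidrs):
    """Copy of `domains` with gateway `gw` given the encryption domain `cidrs`."""
    new = dict(domains)
    new[gw] = [ipaddress.ip_network(c) for c in cidrs]
    return new

def classify(local, src, dst, domains=VPN_DOMAINS, routes=GW1_ROUTES):
    """Return 'domain:<peer>', 'route:<peer>' or 'clear' for src -> dst.
    Domain-based VPN wins whenever src is in the local domain and dst in a
    peer's domain; only then does a VTI next hop make the traffic interesting."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_domain(s, domains[local]):
        for peer, dom in domains.items():
            if peer != local and in_domain(d, dom):
                return f"domain:{peer}"
    route = longest_match(routes, d)
    if route and route[1].startswith("vt-"):
        return f"route:{route[1][3:]}"
    return "clear"
```

Giving gw3 a populated domain via with_domain() flips the gw1-to-gw3 result from route-based to domain-based, which is the pitfall mcnallym warns about.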

  #5: Re: Route based vs policy based vpn

    Thanks a lot for the information team. Let me configure and get back in case of any discrepancies.


    Regards,
    Ram T S

  #6: Re: Route based vs policy based vpn

    Quote Originally Posted by mcnallym:
    Yes you can.

    Define 3 Gateways:

    1st Gateway: define an Encryption Domain, populate with Networks behind the gateway.

    2nd Gateway: define an Encryption Domain, populate with Networks behind the gateway.

    3rd Gateway: define an Encryption Domain that is an Empty Group.

    Define VTIs on the 1st and 3rd Gateways and build a Route Based VPN between 1st and 3rd.

    Build a Domain Based VPN between Gateway 1 and 2.

    Although you have an Encryption Domain defined on gateway 1, when building a VPN to gateway 3 that has an empty group it will use a Route Based VPN to Gateway 3. If you specify Gateway 3's enc domain with Networks in it, then even though you have all the VTIs in place etc., the Gateway 1 to 3 VPN would become Domain Based instead.

    Yes, I do actually have this in use for a Customer. Uses Domain based VPNs between internal gateways and Route Based from the same gateway to AWS. Simply define the AWS Gateways with an Empty Group.

    Thanks, I did not think about this option.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/
