CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: VPN star community but with per peer settings?

  1. #1
    Join Date
    2017-06-23
    Posts
    2
    Rep Power
    0

    VPN star community but with per peer settings?

    My centre gateway runs R77.30. The satellites are mainly Juniper SRX but there is also one Fortigate.

    Currently, each peer is in its own star community and the tunnels to the various peers are up and working with no issues.

    However, there is now a requirement for the satellites to be able to route to each other. I think therefore I would need to configure a new single VPN star community containing all the existing peers and enable the VPN routing between the satellites through the centre gateway option.

    One thing though: in the GUI it looks like you can only have one set of Phase 1 / Phase 2 and Tunnel Management settings per community that then applies to all peers in that community.

    Harmonising those settings across all peers so that I can then put them into one star community poses me a problem.

    First, am I correct about the need for a single star community to get the satellite to satellite routed connectivity working and if so then secondly, is there any way to have different Phase 1 / Phase 2 and Tunnel Management settings *per peer* instead of setting it for all peers in the community simultaneously?

  2. #2
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,469
    Rep Power
    15

    Re: VPN star community but with per peer settings?

    For the second question, the answer is that you cannot have different VPN settings per-peer, only per-community.
    This is something that is planned to be addressed in the future.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  3. #3
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,136
    Rep Power
    11

    Re: VPN star community but with per peer settings?

    You do not need a single Star topology to route between different communities, however you should use meshed instead of star topologies for the different VPNs.
    Just make sure the remote VPN site has the other site's topo in your remote topo and make sure you allow the traffic.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  4. #4
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    219
    Rep Power
    12

    Re: VPN star community but with per peer settings?

    As explained earlier, the community specifies common negotiation settings for all members. One option which could work for you is route-based VPNs. They involve setting up a set of virtual interfaces on the firewall, and a separate VPN community per negotiation parameter set. Anything sent out these interfaces is encrypted to the designated peer for that interface. Anything received from a given peer is decrypted, then received again on that peer's designated interface. The negotiation parameters for the peer are determined by the VPN community, but other settings in the community are ignored. Route-based VPNs only negotiate "universal tunnels" (0.0.0.0/0.0.0.0).

    The biggest disadvantage is that they are not as commonly used. As a result, not as many people know how to troubleshoot them if something goes wrong. There also isn't as much documentation on setting them up.

    The advantage is once you have them set up, you can use plain routing to control how all of your traffic flows. They more clearly separate routing decisions from VPN decisions. The recommended step of setting the encryption domain to an empty group also gets rid of the ridiculous "According to the policy, the packet should not have been decrypted" and "Received cleartext packet within an encrypted connection" messages.
    Zimmie

  5. #5
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,185
    Rep Power
    13

    Re: VPN star community but with per peer settings?

    Quote Originally Posted by Bob_Zimmerman:
    The biggest disadvantage is that they are not as commonly used. As a result, not as many people know how to troubleshoot them if something goes wrong. There also isn't as much documentation on setting them up.

    The advantage is once you have them set up, you can use plain routing to control how all of your traffic flows. They more clearly separate routing decisions from VPN decisions. The recommended step of setting the encryption domain to an empty group also gets rid of the ridiculous "According to the policy, the packet should not have been decrypted" and "Received cleartext packet within an encrypted connection" messages.
    The biggest reason route-based VPNs aren't used was due to their incompatibility with CoreXL. This limitation has finally been lifted for R80.10 gateway.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  6. #6
    Join Date
    2017-06-23
    Posts
    2
    Rep Power
    0

    Re: VPN star community but with per peer settings?

    Thanks for the replies guys. Since posting things moved on slightly. I did lab testing and then live testing and got the following scenario working with no issues:

    Config:

    Domain based VPNs.
    Harmonised Phase 1 / Phase 2 settings for all peers but each satellite in its own VPN star community that only that peer and the centre gateway are members of.
    No VPN routing options enabled.

    Result:

    All satellites can route to all other satellites - in the logs I get a "VPN routing" event for traffic routed in that way.

    My question is: from reading the docs, I would expect the above to fail. However it succeeds. I don't like not understanding why something works.

    Any ideas?
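A simplified model of the two egress decisions contrasted in the route-based reply (#4) and of the hub forwarding in the last post (#6). This is added illustration code, not Check Point's implementation or anything posted in the thread; the peer names, prefixes, community names and VTI names are invented, and the hub behaviour shown is how this model evaluates each leg independently, not a statement of what the product does.

```python
import ipaddress

# Constructed topology modelled on the thread: a centre gateway, a Juniper SRX
# satellite (site A) and a Fortigate satellite (site B). All values are invented.
ENCRYPTION_DOMAINS = {"srx-site-a": ["10.10.0.0/16"], "fgt-site-b": ["10.20.0.0/16"]}
PEER_COMMUNITY = {"srx-site-a": "star-a", "fgt-site-b": "star-b"}  # one star per peer
ROUTING_TABLE = [("10.10.0.0/16", "vpnt1"), ("10.20.0.0/16", "vpnt2"), ("0.0.0.0/0", "eth0")]
VTI_PEER = {"vpnt1": "srx-site-a", "vpnt2": "fgt-site-b"}  # hypothetical VTI names


def peer_for(addr):
    """Domain-based lookup: the peer whose encryption domain contains addr, else None."""
    ip = ipaddress.ip_address(addr)
    for peer, prefixes in ENCRYPTION_DOMAINS.items():
        if any(ip in ipaddress.ip_network(p) for p in prefixes):
            return peer
    return None


def domain_based(dst):
    """Domain-based VPN: the VPN decision comes first. The packet is encrypted to the
    peer whose encryption domain contains dst, with that peer's community settings."""
    peer = peer_for(dst)
    return {"encrypt": peer is not None, "peer": peer,
            "community": PEER_COMMUNITY.get(peer)}


def route_based(dst):
    """Route-based VPN: plain routing comes first. The longest-matching route picks an
    interface; only if that is a VTI is the packet encrypted, to the VTI's peer, and the
    community bound to that peer supplies nothing but the negotiation parameters."""
    ip = ipaddress.ip_address(dst)
    # The default route always matches, so max() never sees an empty sequence.
    _, iface = max((ipaddress.ip_network(p).prefixlen, i) for p, i in ROUTING_TABLE
                   if ip in ipaddress.ip_network(p))
    peer = VTI_PEER.get(iface)
    return {"encrypt": peer is not None, "peer": peer, "iface": iface,
            "community": PEER_COMMUNITY.get(peer)}


def hub_forward(src, dst):
    """Centre gateway in the domain-based setup from the last post: in this model the
    packet is decrypted on the inbound peer's community, routed, and evaluated again
    for egress, so a second encryption occurs whenever dst lies in another peer's
    domain, even though that peer sits in a different community."""
    inbound = peer_for(src)
    outbound = domain_based(dst)
    return {"decrypted_from": inbound, "in_community": PEER_COMMUNITY.get(inbound),
            "re_encrypt_to": outbound["peer"], "out_community": outbound["community"]}
```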
