CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: site to site vpn

  1. #1
    Join Date
    2018-03-02
    Posts
    3
    Rep Power
    0

    site to site vpn

    Hello

    I am going to create a tunnel between a checkpoint and Meraki appliance.

    I just wanted to check if there is anything specific I have to create on the Checkpoint side?

    I know the Meraki is pretty straight forward but can have a hissy fit if the 3rd party fw isn't correct with config.

    Thank you,

    A

  2. #2
    Join Date
    2006-09-26
    Posts
    3,130
    Rep Power
    15

    Re: site to site vpn

    Quote Originally Posted by AshC73
    Hello

    I am going to create a tunnel between a checkpoint and Meraki appliance.

    I just wanted to check if there is anything specific I have to create on the Checkpoint side?

    I know the Meraki is pretty straight forward but can have a hissy fit if the 3rd party fw isn't correct with config.

    Thank you,

    A
    None. VPN site-to-site is very straight forward, IMHO

  3. #3
    Join Date
    2018-03-02
    Posts
    3
    Rep Power
    0

    Re: site to site vpn

    Thank you.

  4. #4
    Join Date
    2007-06-04
    Posts
    3,267
    Rep Power
    16

    Re: site to site vpn

    Key thing to make sure is that in connecting with a Non-Check Point gateway that the Phase 2 negotiations are correct in terms of what the Meraki is expecting.

    i.e. that the Check Point doesn't supernet individual subnets into a larger single subnet that covers multiple networks.

    Check Point will be happy with this; however, if the 3rd party is expecting 10.10.0.0/24 and 10.10.1.0/24 and instead gets 10.10.0.0/23 from the Check Point, then Phase 2 fails.

    sk108600 Scenario 1 covers this off and is worth reading. user.def file to edit depends upon the software version.

  5. #5
    Join Date
    2018-03-02
    Posts
    3
    Rep Power
    0

    Re: site to site vpn

    Thanks Guys,

    Tunnel is up and working fine.

  6. #6
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    207
    Rep Power
    12

    Re: site to site vpn

    It may also be worth noting that you can use dbedit (either GUI or non) to set ike_use_largest_possible_subnets to false to disable the supernetting behavior. If you do that, the firewall will, by default, propose only exact objects which are in its encryption domain group. I prefer this method, since it yields only one place to configure things which should cross the VPN. It's easy to forget manual modifications to files.
    Zimmie
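An added example, not from the thread or from Check Point, that models the Phase 2 proxy-ID behaviour described in posts #4 and #6: with supernetting enabled the two adjacent /24s are merged into a /23, which a peer configured with exact /24 selectors rejects; with ike_use_largest_possible_subnets set to false each encryption-domain object is proposed as-is. The subnets and the peer's expected selectors are constructed sample values, and the function names are this example's own.

```python
import ipaddress

# Constructed sample: the Check Point encryption domain holds two adjacent
# /24s, and the Meraki peer is configured to expect exactly those two.
LOCAL_ENC_DOMAIN = ["10.10.0.0/24", "10.10.1.0/24"]
PEER_EXPECTED_LOCAL_IDS = ["10.10.0.0/24", "10.10.1.0/24"]


def proposed_phase2_subnets(enc_domain, ike_use_largest_possible_subnets=True):
    """Model which local subnets the gateway offers as its Phase 2 proxy-ID.

    Simplified model of the behaviour the thread describes: with the
    property true (the default), adjacent encryption-domain subnets are
    merged into the largest covering supernet; with it false, every
    encryption-domain object is proposed unchanged.
    """
    nets = [ipaddress.ip_network(n) for n in enc_domain]
    if ike_use_largest_possible_subnets:
        # collapse_addresses merges 10.10.0.0/24 + 10.10.1.0/24 -> 10.10.0.0/23
        return sorted(ipaddress.collapse_addresses(nets))
    return sorted(nets)


def phase2_mismatches(proposed, peer_expected):
    """Return proposed subnets the peer has no exact-match selector for.

    A third-party gateway that requires exact matches (the Meraki here)
    will not accept a covering supernet, so every entry returned is a
    proposal that would make Phase 2 fail.
    """
    expected = {ipaddress.ip_network(n) for n in peer_expected}
    return [str(n) for n in proposed if n not in expected]


if __name__ == "__main__":
    for setting in (True, False):
        proposed = proposed_phase2_subnets(LOCAL_ENC_DOMAIN, setting)
        bad = phase2_mismatches(proposed, PEER_EXPECTED_LOCAL_IDS)
        print(f"ike_use_largest_possible_subnets={setting}: "
              f"proposes {[str(n) for n in proposed]}, "
              f"{'Phase 2 fails on ' + str(bad) if bad else 'all selectors match'}")
```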
