CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Centrally managed remote cluster + VPN site to site

  1. #1 (Join Date 2015-05-26, Posts 34)

    Centrally managed remote cluster + VPN site to site

    Hi all,

    I need help understanding how to correctly configure a site-to-site VPN to a centrally managed remote cluster.
    I'll try to be as clear as possible:

    HEADQUARTERS:

    - 2 Check Point 2200 appliances configured as ClusterXL
    - 1 virtual Management

    BRANCH OFFICE:

    - 2 Check Point 1430 appliances configured as ClusterXL, managed from the headquarters

    I managed to complete the configuration of the remote cluster, so I can reach the nodes, install policies, bla bla, and they can contact the management server on the HQ ClusterXL's public IP.
    The problem is that now I need to configure a site-to-site VPN between these sites, and as soon as I install the policy with the new VPN community, I lose the connection with the remote nodes (SIC, ping, everything..) and the only thing I can do is a "fw unloadlocal" on the nodes.

    I must say that I have another very similar configuration working with another customer, where the management server has been NATed with a dedicated public IP.
    So the first question is: is this really necessary? Because at that point I'm "wasting" 4 public IPs only to manage the firewall infrastructure!
    Isn't it possible to just exclude some services from the S2S VPN, in order to make the management reachable by the remote nodes on the regular cluster public IP?

    I guess that since the management has a LAN IP within the HQ's VPN domain, as soon as the VPN "starts working" during the policy installation, all the traffic is sent through the VPN itself; but I'm not sure if the problem is this and how to solve it (which setting to change).

    I can't find any documentation about this, and even the support gave me just suggestions and not an official best practice for this type of setting.

    Thanks

  2. #2 (Join Date 2007-06-04, Posts 3,304)

    Re: Centrally managed remote cluster + VPN site to site

    OK, your issue is that your Management Server sits inside the Firewall that has the VPN to the 14x0 Cluster. Check Point always adds the Gateway IP into the VPN.

    As such, when you push the VPN out, it will see the connectivity to the Gateways over the VPN.

    As such, what you need to do is follow sk25675 to exclude the 14x0 and Cluster IP from the VPN using the crypt.def file.

    sk98241 is the SK article that details the location of the crypt.def file to work on.

    What this will do is tell the Central Location to NOT encrypt to the Gateway IP, so that will remain over the Internet rather than try and encrypt over the VPN Tunnel.

  3. #3 (Join Date 2008-07-31, Location Netherlands, Europe, Posts 1,146)

    Re: Centrally managed remote cluster + VPN site to site

    Make sure you exclude the Check Point services (ports 256 and 257) that take care of the management traffic from the management server and the logs towards the management server.

    Service exclusion is in the IPsec community under Advanced Settings - Excluded services; that is the easier way. Normally this traffic should not pass through the tunnel anyway.

    Make sure you did not disable the management access to the gateways in the global properties of the management server.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.
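
    The two replies above (#2 and #3) describe the same matching problem from two angles: the management server's address, as the branch sees it, lies inside the HQ side of the VPN, so the control connections that keep the remote cluster manageable get pulled into a tunnel that cannot come up without them. The Python below is an added, constructed model of that reasoning; it is not Check Point code and not something either poster wrote. It applies the rule "encrypt when source and destination fall in opposite encryption domains, where a gateway's own addresses count as part of its domain" and then shows what each remedy discussed in the thread (service exclusion in the community, host exclusion in the style of sk25675's crypt.def change, and NATing the management to its own public IP as in post #5) does to the six standard Check Point control services. The addresses are RFC 5737 documentation ranges, the port list is the stock service definitions (FW1, FW1_log, CPD, CPD_amon, FW1_ica_pull, FW1_ica_push), and the outcome for "exclude only 256/257" is what this simplified rule yields, not an observed Check Point behaviour; which services a given version really needs excluded is not established by the thread.

```python
"""Constructed model of the site-to-site VPN matching problem in this thread.

Not Check Point code.  A connection is treated as tunneled when its source
lies in one peer's encryption domain and its destination in the other's,
unless an exclusion applies.  As reply #2 states, a gateway's own address is
always considered part of the VPN, so the cluster VIP and member IPs are
folded into each side's domain.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Standard Check Point control-connection service definitions.  Whether every
# one must be excluded on a given version is an assumption, not a fact from
# the thread.
CONTROL_PORTS = {
    256: "FW1 (policy install / fwd)",
    257: "FW1_log (log forwarding)",
    18191: "CPD (SIC, policy install)",
    18192: "CPD_amon (status monitoring)",
    18210: "FW1_ica_pull (certificate pull)",
    18211: "FW1_ica_push (SIC initialisation)",
}


@dataclass
class Gateway:
    name: str
    addresses: list[str]           # cluster VIP plus member IPs
    encryption_domain: list[str]   # networks behind the gateway

    def covers(self, ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        if any(a == ipaddress.ip_address(x) for x in self.addresses):
            return True            # reply #2: gateway IP is always in the VPN
        return any(a in ipaddress.ip_network(n) for n in self.encryption_domain)


@dataclass
class Community:
    hq: Gateway
    branch: Gateway
    excluded_services: set[int] = field(default_factory=set)  # reply #3
    excluded_hosts: set[str] = field(default_factory=set)     # reply #2 (crypt.def)

    def goes_into_tunnel(self, src: str, dst: str, dport: int) -> bool:
        if dport in self.excluded_services:
            return False
        if src in self.excluded_hosts or dst in self.excluded_hosts:
            return False
        return (self.hq.covers(src) and self.branch.covers(dst)) or \
               (self.branch.covers(src) and self.hq.covers(dst))


def encrypted_control_ports(c: Community, mgmt_ip: str) -> set[int]:
    """Control ports the model would push through the tunnel between the
    management address (as seen on the wire) and any branch member."""
    hit: set[int] = set()
    for member in c.branch.addresses:
        for port in CONTROL_PORTS:
            if c.goes_into_tunnel(mgmt_ip, member, port) or \
               c.goes_into_tunnel(member, mgmt_ip, port):
                hit.add(port)
    return hit


def scenarios() -> dict[str, set[int]]:
    """The situation from post #1 and the three remedies raised in the thread."""
    hq = Gateway("HQ-2200-ClusterXL",
                 ["198.51.100.10", "198.51.100.11", "198.51.100.12"], ["10.1.0.0/16"])
    branch = Gateway("Branch-1430-ClusterXL",
                     ["203.0.113.20", "203.0.113.21", "203.0.113.22"], ["10.2.0.0/16"])
    mgmt_behind_vip = "198.51.100.10"   # post #1: nodes reach management on the HQ cluster VIP
    mgmt_own_public = "198.51.100.13"   # post #5: dedicated public IP outside both domains
    return {
        "management behind HQ cluster VIP (as posted)":
            encrypted_control_ports(Community(hq, branch), mgmt_behind_vip),
        "community excludes services 256/257":
            encrypted_control_ports(Community(hq, branch, excluded_services={256, 257}),
                                    mgmt_behind_vip),
        "branch addresses excluded from VPN (crypt.def style)":
            encrypted_control_ports(Community(hq, branch, excluded_hosts=set(branch.addresses)),
                                    mgmt_behind_vip),
        "management NATed to its own public IP":
            encrypted_control_ports(Community(hq, branch), mgmt_own_public),
    }


if __name__ == "__main__":
    for label, ports in scenarios().items():
        names = ", ".join(CONTROL_PORTS[p] for p in sorted(ports)) or "none"
        print(f"{label}: tunneled -> {names}")
```

    Under this rule the first scenario tunnels every control connection, which is the lock-out the original poster describes; excluding hosts or moving the management to an address outside both domains clears all of them, while excluding only the two services from reply #3 leaves the CPD/ICA ports matched. Treat that last result as a prompt to check the service list against the version in use rather than as a statement about Check Point's real implied-rule handling.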

  4. #4 (Join Date 2015-05-26, Posts 34)

    Re: Centrally managed remote cluster + VPN site to site

    Thank you very much for your suggestions, I'll give a try soon!

  5. #5 (Join Date 2015-05-26, Posts 34)

    Re: Centrally managed remote cluster + VPN site to site

    Ok so guys,

    I had to NAT the management behind a public IP, reset the SIC and point the remote nodes to that public IP.
    The SIC was re-established and then I've been able to create an S2S VPN without any special configuration.

    I've been lucky because the customer had a free IP.

    Thanks for your suggestions!
