
Thread: Domain based VPN and VTI

  1. #1
    Join Date
    2017-07-07
    Posts
    30
    Rep Power
    0

    Default Domain based VPN and VTI

    Hello, can DBV and VTI work in a compatible mode? I mean that one GW works with VTI and another GW is domain-based (configured via SmartConsole), in different Communities?
    Check Point CCSA/CCSE/CCSE+
    Cisco CCNP/CCSP

  2. #2
    Join Date
    2007-06-04
    Posts
    3,276
    Rep Power
    16

    Default Re: Domain based VPN and VTI

    Yes, you can.

    Define YOUR Gateway with an Encryption Domain (so it can do Domain Based VPN).
    Define the 1st Remote Gateway with an Encryption Domain (so it can do Domain Based VPN).
    Define the 2nd Remote Gateway as a Route Based VPN with VTI.
    Configure the VTI on YOUR Gateway as well.


    Your Gateway to 1st Gateway = Domain

    Your Gateway to 2nd Gateway = Route Based

    Your Gateway looks at the config of the Remote Gateway to determine if it is Route Based or Domain Based. If it is an Empty Group then it will see it as Route Based and use the VTI, assuming you configured the VTI and Routing correctly. If there is a Group containing objects in the Enc Domain of the Remote Gateway then it will do Domain Based.

  3. #3
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    265
    Rep Power
    12

    Default Re: Domain based VPN and VTI

    I thought I would add a technical explanation of why this works.

    Domain-based VPN decisions are made very early in the process of handling a packet. If the source is in my encryption domain and the destination is in a peer's encryption domain, the packet gets flagged for encryption to that peer.

    Route-based VPN decisions are made very late. Specifically, they are made when a packet is "clocked out" of the VTI on the firewall. As such, a VTI acts like it's connected straight to the peer with a really long Ethernet cable. Traffic sent over a VTI does not match rules which require a particular VPN community.

    If the packet is flagged for domain-based VPN and it gets sent out a VTI, it tries to double-encrypt, and it fails. For a route-based VPN decision to work, you need the packet to not trigger a domain-based VPN. This means you need either the source to not be in my encryption domain or the destination to not be in the peer's. Setting the peer's encryption domain to an empty group is generally the easiest way to force this. Since you can break the VPN decision at either the local end or the peer end, you can leave a normal encryption domain on your local end and still use other domain-based peers.

    Once you have avoided the domain-based VPN decision, you just need the routing table to send the traffic to the VTI stub.



    This early domain-based VPN decision is also what leads to "According to the policy, the packet should not have been decrypted", or "Received cleartext packet inside an encrypted connection". Those are effectively the domain-based VPN version of antispoofing.
    Zimmie
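    To make the ordering described above concrete, here is an added example (not from the thread or from Check Point) that models the two decisions in Python: the early domain-based check, the later routing-table lookup that picks a VTI, and the conflict case where a flow is flagged for a domain-based peer and then routed out a VTI. The topology, peer names, interface names and routes are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (assumption, not from the thread).
LOCAL_DOMAIN = [ip_network("10.1.0.0/16")]
PEERS = {
    "peer-A": {"domain": [ip_network("10.2.0.0/16")], "vti": None},  # domain-based
    "peer-B": {"domain": [], "vti": "vt-peerB"},  # empty group -> route-based via VTI
}
# Constructed routing table: (prefix, outgoing interface); longest prefix wins.
ROUTES = [
    (ip_network("10.3.0.0/16"), "vt-peerB"),
    (ip_network("10.2.0.0/16"), "eth1"),
    (ip_network("0.0.0.0/0"), "eth1"),
]


def in_domain(addr, nets):
    return any(addr in n for n in nets)


def domain_decision(src, dst, peers):
    """Early check: flag the packet for a peer only if src is in the local
    encryption domain and dst is in that peer's encryption domain."""
    if not in_domain(src, LOCAL_DOMAIN):
        return None
    for name, p in peers.items():
        if in_domain(dst, p["domain"]):
            return name
    return None


def route_lookup(dst, routes=ROUTES):
    """Late decision: ordinary longest-prefix-match routing, which may pick a VTI."""
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def classify(src, dst, peers=PEERS):
    """Return (mode, peer, interface) for a flow, modelling the thread's rules."""
    src, dst = ip_address(src), ip_address(dst)
    peer = domain_decision(src, dst, peers)
    iface = route_lookup(dst)
    vti_peer = next((n for n, p in peers.items() if p["vti"] == iface), None)
    if peer and vti_peer:
        return ("conflict", peer, iface)  # flagged for domain VPN, then sent out a VTI: double-encrypt, fails
    if peer:
        return ("domain", peer, iface)
    if vti_peer:
        return ("route", vti_peer, iface)
    return ("clear", None, iface)
```

    The `conflict` result is what you get when the route-based peer is mistakenly given a populated encryption domain instead of an empty group.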

  4. #4
    Join Date
    2017-07-07
    Posts
    30
    Rep Power
    0

    Default Re: Domain based VPN and VTI

    Thanks for the explanation. Can I change the source interface in VTI? Or is it defined in the empty VPN community?
    Check Point CCSA/CCSE/CCSE+
    Cisco CCNP/CCSP

  5. #5
    Join Date
    2007-06-04
    Posts
    3,276
    Rep Power
    16

    Default Re: Domain based VPN and VTI

    Quote Originally Posted by Serge17:
    Thanks for the explanation. Can I change the source interface in VTI? Or is it defined in the empty VPN community?

    Can you elaborate further on the question, as I'm not quite sure what you are asking.

  6. #6
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    265
    Rep Power
    12

    Default Re: Domain based VPN and VTI

    Quote Originally Posted by Serge17:
    Thanks for the explanation. Can I change the source interface in VTI? Or is it defined in the empty VPN community?

    Outgoing link selection is kind of weird. With domain-based VPNs, the traffic is modified in-flight, so the routing decision is made, then the packet is encrypted. For outgoing traffic, you get clear i, clear I, clear o on the selected outgoing interface, encrypted O. The outgoing link selection settings act a little like policy-based routing.

    With VTIs, everything is done purely with the routing table. You get clear i, clear I, clear o on the VTI, clear O on the VTI, then encrypted o on the outgoing interface, and finally encrypted O on the outgoing interface. The encrypted traffic (and the negotiation traffic before it) is sent just like connections the firewall is initiating. If you want it to take a particular link, you need to have real, OS-level routes pointing the peer gateway IP out that link.
    Zimmie
