CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: VPN from Checkpoint to Cisco ASA - Route based

  1. #1

    Default VPN from Checkpoint to Cisco ASA - Route based

    Hi all,
    First of all, I need to know if, on a Checkpoint firewall, it is still the case that if you build a VPN based on a community etc., you can only have one VPN domain for the whole firewall. So, for example, if I have a Checkpoint firewall that I need to connect to two different sites, do they all use the same source network to build the VPN tunnels? Can this not be changed on a per-VPN basis? For example, on my Cisco ASAs I can use whatever source network I want to build the tunnel.


    If this is still the case, then is my only option to use the route-based VPN option on the Checkpoint?


    If so, can I use the Checkpoint's external IP as the source and the peer's external IP as the destination IP to build the VPN tunnel? Would this be done by creating a VPN interface on Gaia, using unnumbered and selecting the outside interface, putting the peer as the VPN peer public IP, and would you then add a route on the firewall pointing whatever traffic you want through it?
    I believe if you do this the Checkpoint would present the 0.0.0.0 network as a subnet ID to my peer? My peer would be an ASA. The 0.0.0.0 on my ASA may cause some issues, so I don't really want it to do that.


    Any help would be appreciated.

    Cheers

  2. #2

    Default Re: VPN from Checkpoint to Cisco ASA - Route based

    Route-based VPN (VTI in Checkpoint) uses an empty encryption domain with basically 0.0.0.0/0 for the src and dst tunnel. Anything routed to the interface would be sucked into the VPN. Are you mixing domain- and route-based? I haven't done it myself, but I *think* VTIs just basically ignore the encryption domain.

  3. #3

    Default Re: VPN from Checkpoint to Cisco ASA - Route based

    I think I just answered a few of these questions in another thread:

    https://www.cpug.org/forums/showthre...ed-VPN-and-VTI

    Technically, you can have two encryption domains per firewall object: one for site-to-site, and one for remote-access. This doesn't really map to anything in the Cisco world, though. The encryption domain needs to contain every network which will ever trigger VPN negotiation, but the firewall only negotiates what is actually used. That is, you can have 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, and so on in your encryption domain and 192.168.0.0/24 in a peer's, and if you only have rules to allow 10.0.1.0/24 to reach 192.168.0.0/24, only that will be proposed.

    You can also NAT traffic over a VPN such that dissimilar networks behind the Check Point look the same to different peers. To do this, you need the real network and the NATed network in the encryption domain. The real network is needed to trigger the early encryption decision, then NAT happens, then the NATed network is needed for the negotiation.

    You can control VPN negotiations in great detail using user.def, but I strongly recommend controlling them with the encryption domain if you are able. You will generally get the best results doing this by setting ike_use_largest_possible_subnets to false. Directions are on Check Point's support site.

    Edited to add: Forgot to mention. With ike_use_largest disabled, your VPN negotiations should match exact object definitions in your encryption domains. Using the earlier networks, that means if your rule allows 10.0.1.2 to reach 192.168.0.37, the negotiation will be 10.0.1.0/24 to 192.168.0.0/24. If you have 10.0.1.0/25 in your encryption domain, that would be used instead.
    Last edited by Bob_Zimmerman; 4 Weeks Ago at 13:54.
    Zimmie
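A small model, added here and not code from the thread or from Check Point, of the subnet selection Zimmie describes in post #3: with `ike_use_largest_possible_subnets` set to false, the gateway proposes the most specific encryption-domain object containing each end of the flow, and a NATed flow needs both the real and the translated network in the domain. The domain contents, the NAT mapping and the function names are all constructed for the illustration.

```python
"""Model of which subnets a Check Point gateway proposes in an IKE
negotiation when ike_use_largest_possible_subnets is false: the proposal
is the most specific encryption-domain object that contains the packet's
source and destination. Constructed model, not Check Point code."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network


def domain(cidrs: Iterable[str]) -> List[Net]:
    """Build an encryption domain from CIDR strings (order does not matter)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def most_specific(addr: str, dom: List[Net]) -> Optional[Net]:
    """Longest-prefix domain object containing addr, or None when the address
    is outside the domain (then no VPN negotiation is triggered at all)."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in dom if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def proposal(src: str, dst: str, local_dom: List[Net],
             peer_dom: List[Net]) -> Optional[Tuple[str, str]]:
    """Subnet pair the gateway would propose for a src -> dst flow."""
    s, d = most_specific(src, local_dom), most_specific(dst, peer_dom)
    if s is None or d is None:
        return None
    return (str(s), str(d))


def proposal_with_nat(src: str, dst: str, local_dom: List[Net],
                      peer_dom: List[Net], nat: dict) -> Optional[Tuple[str, str]]:
    """NAT over VPN: the real source must be in the local domain to trigger
    the early encrypt decision, then NAT applies, then the NATed source must
    also be in the domain for the negotiation. nat maps real CIDR -> NATed
    CIDR (assumed static one-to-one network translation)."""
    if most_specific(src, local_dom) is None:
        return None  # early encryption decision never made
    ip = ipaddress.ip_address(src)
    for real, translated in nat.items():
        real_n, tr_n = ipaddress.ip_network(real), ipaddress.ip_network(translated)
        if ip in real_n:
            offset = int(ip) - int(real_n.network_address)
            src = str(tr_n.network_address + offset)
            break
    return proposal(src, dst, local_dom, peer_dom)
```

Adding `10.0.1.0/25` to the local domain changes the proposal for 10.0.1.2 from the /24 to the /25, while a host in the upper half of the /24 still gets the /24.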
