CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: VPN from Checkpoint to Cisco ASA - Route based

  1. #1

    VPN from Checkpoint to Cisco ASA - Route based

    Hi All,
    First of all, I need to know if, on a Checkpoint firewall, it is still the case that if you build a VPN based on a community etc., you can only have 1 VPN domain for the whole firewall. So, for example, if I have a Checkpoint firewall that I need to connect to 2 different sites, do they all use the same source network to build the VPN tunnels? Can this not be changed on a per-VPN basis? For example, on my Cisco ASAs I can use whatever source network I want to build the tunnel.

    If this is still the case, then is my only option to use the route-based VPN option on the Checkpoint?

    If so, can I use the Checkpoint's external IP as the source and the peer's external IP as the destination IP to build the VPN tunnel? Would this be done by creating a VPN interface on Gaia, using unnumbered and selecting the outside interface, putting the peer as the VPN peer public IP, and would you then add a route on the firewall pointing whatever traffic you want through it?
    I believe if you do this the Checkpoint would present the network as a subnet ID to my peer? My peer would be an ASA. The on my ASA may cause some issues, so I don't really want it to do that.

    Any help would be appreciated


  2. #2

    Re: VPN from Checkpoint to Cisco ASA - Route based

    Route-based VPN (VTI in Checkpoint) uses an empty encryption domain with basically a for src and dst tunnel. Anything routed to the interface would be sucked into the VPN. Are you mixing domain and route based? I haven't done it myself, but I *think* VTI just basically ignores the encryption domain.

  3. #3
    DFW, TX

    Re: VPN from Checkpoint to Cisco ASA - Route based

    I think I just answered a few of these questions in another thread:

    Technically, you can have two encryption domains per firewall object: one for site-to-site, and one for remote-access. This doesn't really map to anything in the Cisco world, though. The encryption domain needs to contain every network which will ever trigger VPN negotiation, but the firewall only negotiates what is actually used. That is, you can have,,, and so on in your encryption domain and in a peer's, and if you only have rules to allow to reach, only that will be proposed.

    You can also NAT traffic over a VPN such that dissimilar networks behind the Check Point look the same to different peers. To do this, you need the real network and the NATed network in the encryption domain. The real network is needed to trigger the early encryption decision, then NAT happens, then the NATed network is needed for the negotiation.

    You can control VPN negotiations in great detail using user.def, but I strongly recommend controlling them with the encryption domain if you are able. You will generally get the best results doing this by setting ike_use_largest_possible_subnets to false. Directions are on Check Point's support site.

    Edited to add: Forgot to mention. With ike_use_largest disabled, your VPN negotiations should match exact object definitions in your encryption domains. Using the earlier networks, that means if your rule allows to reach, the negotiation will be to If you have in your encryption domain, that would be used instead.
    Last edited by Bob_Zimmerman; 2018-11-14 at 13:54.
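The two behaviours Bob describes above, the encryption domain gating which traffic triggers negotiation and ike_use_largest_possible_subnets deciding whether exact objects or aggregated supernets are proposed, can be modelled to check a design before touching a gateway. The following is an added example, not code from this thread or from Check Point: it is a simplified model of the described behaviour, the functions propose and nat_domain_gaps are hypothetical names, and all networks are constructed values. It also covers the NAT-over-VPN point from the same post (both the real and the NATed network must be in the domain).

```python
# Simplified model of Check Point encryption-domain matching (added example,
# not Check Point's code). Assumes:
#  - ike_use_largest_possible_subnets=False: the most specific domain object
#    containing the rule's network is proposed (exact object definitions);
#  - ike_use_largest_possible_subnets=True: the domain is first aggregated into
#    the largest possible supernets, and the aggregate containing the rule's
#    network is proposed.
# All networks below are constructed sample values.
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network


def _net(s: str) -> Net:
    return ipaddress.ip_network(s, strict=False)


def enclosing_object(domain: Iterable[str], target: Net,
                     ike_use_largest_possible_subnets: bool) -> Optional[Net]:
    """Return the domain object that would be proposed for `target`, or None
    if no object contains it (traffic then never triggers VPN negotiation)."""
    objs = [_net(o) for o in domain]
    if ike_use_largest_possible_subnets:
        # Merge adjacent/contained objects into the largest possible subnets.
        objs = list(ipaddress.collapse_addresses(objs))
    matches = [o for o in objs if target.subnet_of(o)]
    if not matches:
        return None
    # Longest prefix = most specific object definition.
    return max(matches, key=lambda o: o.prefixlen)


def propose(local_domain: Iterable[str], peer_domain: Iterable[str],
            rule_src: str, rule_dst: str,
            ike_use_largest_possible_subnets: bool = False
            ) -> Optional[Tuple[str, str]]:
    """Model what a rule allowing rule_src -> rule_dst would negotiate.

    Only what the rule actually uses is proposed; networks that sit in the
    domain but are not referenced by the rule are not part of the proposal."""
    local = enclosing_object(local_domain, _net(rule_src),
                             ike_use_largest_possible_subnets)
    peer = enclosing_object(peer_domain, _net(rule_dst),
                            ike_use_largest_possible_subnets)
    if local is None or peer is None:
        return None  # outside the encryption domain: no negotiation at all
    return (str(local), str(peer))


def nat_domain_gaps(domain: Iterable[str], real_net: str,
                    natted_net: str) -> List[str]:
    """For NAT over VPN, the real network must be in the domain (to trigger the
    early encryption decision) and the NATed network must be in it too (for
    the negotiation). Return which of the two is missing."""
    objs = [_net(o) for o in domain]
    missing = []
    for label, n in (("real", _net(real_net)), ("natted", _net(natted_net))):
        if not any(n.subnet_of(o) for o in objs):
            missing.append(label)
    return missing


if __name__ == "__main__":
    # Constructed domains: two adjacent /24s locally, a /24 plus its /16 at the peer.
    local_domain = ["10.1.0.0/24", "10.1.1.0/24"]
    peer_domain = ["192.168.5.0/24", "192.168.0.0/16"]
    print("exact objects:", propose(local_domain, peer_domain,
                                    "10.1.0.0/24", "192.168.5.0/24"))
    print("largest subnets:", propose(local_domain, peer_domain,
                                      "10.1.0.0/24", "192.168.5.0/24", True))
    print("not in domain:", propose(local_domain, peer_domain,
                                    "10.2.0.0/24", "192.168.5.0/24"))
    print("NAT gaps:", nat_domain_gaps(["10.1.0.0/24"],
                                       "10.1.0.0/24", "172.16.9.0/24"))
```

With the flag enabled the model proposes 10.1.0.0/23 and 192.168.0.0/16 even though the rule only references the two /24s, which is exactly the kind of mismatch an ASA peer with per-tunnel crypto ACLs will reject; with the flag disabled the proposal equals the rule's objects. The None result is the case to look for when traffic crosses a Check Point in the clear instead of entering the tunnel.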
