CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Any interruption if I add the interesting traffic into the existing site2site tunnel

  1. #1
     Join Date: 2017-03-06
     Posts: 2

     Any interruption if I add the interesting traffic into the existing site2site tunnel

    I would like to add new interesting traffic into the existing IPsec VPN tunnel. However, I'm afraid that it will trigger a service interruption. Does anyone have experience with this?

    The site to site VPN forms between "R75.40 Gaia Checkpoint" and "Oracle Cloud".

  2. #2
     Join Date: 2007-03-30
     Location: DFW, TX
     Posts: 342

     Re: Any interruption if I add the interesting traffic into the existing site2site tunnel

    IPSec VPNs are negotiated by the gateways for pairs of endpoints. An "endpoint" in this context can be a single host or a network (including the network 0.0.0.0/0, which includes all IPv4 addresses).

    Traffic between existing endpoints on a new port won't change anything about the negotiation. You may need to update some rules to get the traffic to go over the VPN.

    Adding a new endpoint on either side will result in new negotiations, but should not change existing negotiations. You would need to update both sides with knowledge of the new endpoint, but the negotiation parameters should be applied at the gateway level, so should not need to be changed.

    The exception to this is supernetting. Check Point sometimes combines nearby endpoints into a larger network which encompasses both. This lets the firewall negotiate and track fewer keys. I have only seen this affect endpoints which are adjacent to one another as defined in the encryption domain. That is, 10.20.30.0/24 and 10.20.31.0/24 might be combined into 10.20.30.0/23, but 10.20.30.0/24 and 10.20.32.0/24 would not be combined.

    Be sure to enable IKE debugging (vpn debug ikeon) at least 24 hours before making VPN changes. This will let it record your existing, working negotiations. If the changes break something, you can use IKEView to see what changed.
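A way to check the reply's reasoning before touching the tunnel, as an added example that is not part of the original thread and not Check Point's code: model the encryption domains on both sides, enumerate the (local endpoint, remote endpoint) pairs the gateways would negotiate SAs for, and diff the pairs before and after the change. The supernetting step is modelled as plain CIDR aggregation with Python's ipaddress.collapse_addresses; that is an assumption about how the gateway combines adjacent networks, not Check Point's documented algorithm. The 10.20.x.0/24 and 192.168.100.0/24 networks are constructed sample values.

```python
"""Predict which Phase 2 (IPsec) SA pairs a domain change touches.

Added illustration for the thread above, not Check Point code. It models
what the reply describes: one SA per (local endpoint, remote endpoint)
pair, plus optional supernetting of adjacent encryption-domain networks.
ASSUMPTION: supernetting is modelled as plain CIDR aggregation
(ipaddress.collapse_addresses); the gateway's real rules may differ.
All addresses below are constructed sample values.
"""
import ipaddress
from itertools import product


def parse(domain):
    """Parse a list of CIDR strings into sorted network objects."""
    return sorted(ipaddress.ip_network(n, strict=True) for n in domain)


def supernet(domain):
    """Aggregate adjacent or nested networks into the fewest CIDR blocks.

    10.20.30.0/24 + 10.20.31.0/24 -> 10.20.30.0/23 (a valid /23 pair);
    10.20.30.0/24 + 10.20.32.0/24 stay separate (they do not form a /23).
    """
    return sorted(ipaddress.collapse_addresses(parse(domain)))


def sa_pairs(local_domain, remote_domain, aggregate=True):
    """Endpoint pairs the gateways would negotiate SAs for."""
    local = supernet(local_domain) if aggregate else parse(local_domain)
    remote = supernet(remote_domain) if aggregate else parse(remote_domain)
    return {(str(lo), str(ro)) for lo, ro in product(local, remote)}


def sa_change(old_local, old_remote, new_local, new_remote, aggregate=True):
    """Classify the SA pairs of the new domains against the old ones.

    kept    - same endpoint pair as before: no renegotiation
    added   - new pair: a fresh negotiation, existing SAs untouched
    dropped - old pair no longer exists (e.g. swallowed by a supernet):
              traffic on that SA is interrupted until its replacement is up
    """
    old = sa_pairs(old_local, old_remote, aggregate)
    new = sa_pairs(new_local, new_remote, aggregate)
    return {
        "kept": sorted(old & new),
        "added": sorted(new - old),
        "dropped": sorted(old - new),
    }


def report(title, result):
    """Print one scenario's kept/added/dropped pairs."""
    print(f"== {title}")
    for kind in ("kept", "added", "dropped"):
        for local, remote in result[kind]:
            print(f"  {kind:8} {local} <-> {remote}")


if __name__ == "__main__":
    # Constructed sample: on-prem Check Point side and a cloud side.
    local = ["10.20.30.0/24"]
    remote = ["192.168.100.0/24"]

    # New port between existing endpoints: domains unchanged, nothing renegotiates.
    report("new port only", sa_change(local, remote, local, remote))

    # Non-adjacent network added: one new pair, existing pair kept.
    report("add 10.20.32.0/24",
           sa_change(local, remote, local + ["10.20.32.0/24"], remote))

    # Adjacent network added: supernetting replaces the /24 pair with a /23 pair.
    report("add 10.20.31.0/24 (supernetted)",
           sa_change(local, remote, local + ["10.20.31.0/24"], remote))

    # Same change with supernetting disabled: existing pair kept, one added.
    report("add 10.20.31.0/24 (no supernetting)",
           sa_change(local, remote, local + ["10.20.31.0/24"], remote,
                     aggregate=False))
```

Any pair that lands in "dropped" is the one to watch: that is the existing SA the reply's IKE debug capture (vpn debug ikeon, then IKEView on the recorded negotiations) lets you compare before and after the change.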
