VPN Communities - Advanced
What can I do here?
Use this window to configure how the IKE and IPsec security associations are negotiated and whether NAT is applied inside the community.
Getting Here - SmartConsole > Security Policies > Access Control > Policy > Access Tools > VPN Communities > New Star/Meshed Community > Advanced
IKE and NAT inside the Community
IKE is the Internet Key Exchange protocol used in VPN for exchanging key-building material. Despite the name, keys are never actually exchanged. Only the material (random nonces and Diffie-Hellman public values) from which each side derives the keys is exchanged. IKE takes place in two phases.
IKE (Phase 1)
Change the default settings to alter the way the IKE Security Association is negotiated.
IPSEC (Phase 2)
Change the default settings to alter the way the IPSEC Security Association is negotiated.
Properties
Disable NAT Inside the VPN Community
Even if NAT is configured for the hosts behind a community member, you can disable NAT inside the VPN community. If NAT is disabled inside the community, a connection from a host behind one community member to a host behind another community member uses the original (untranslated) IP addresses. All other connections, for example to the Internet, still use the translated address.
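The following Python model, added here as an illustration and not Check Point's own implementation, shows which source address a gateway would put on the wire under this setting. The community members, their encryption domains and the hide-NAT addresses are constructed sample data; the model assumes that traffic between hosts behind the same member never reaches the gateway, and that any host outside a member's encryption domain is not subject to a NAT rule.

```python
from ipaddress import ip_address, ip_network

# Constructed community: each member's encryption domain and the hide-NAT
# address applied to connections leaving that member (sample data only).
COMMUNITY = {
    "gw-branch": {"domain": ip_network("10.1.0.0/16"),
                  "hide_nat": ip_address("203.0.113.10")},
    "gw-hq": {"domain": ip_network("10.2.0.0/16"),
              "hide_nat": ip_address("198.51.100.1")},
}


def member_for(addr, community):
    """Return the name of the community member whose encryption domain contains addr."""
    for name, member in community.items():
        if addr in member["domain"]:
            return name
    return None


def source_address(src, dst, community, disable_nat_inside_vpn):
    """Source IP used on the wire for a connection src -> dst.

    The "Disable NAT inside the VPN Community" setting only matters when both
    endpoints sit behind different community members; every other connection
    is translated as the NAT rule dictates.
    """
    src, dst = ip_address(src), ip_address(dst)
    src_member = member_for(src, community)
    if src_member is None:
        # Assumption of this model: no NAT rule for hosts outside any domain.
        return src
    dst_member = member_for(dst, community)
    if dst_member == src_member:
        # Assumption: traffic within one encryption domain stays local.
        return src
    inside_community = dst_member is not None
    if inside_community and disable_nat_inside_vpn:
        return src                      # original address through the tunnel
    return community[src_member]["hide_nat"]   # translated address


def demo():
    """Return the wire source for three representative connections."""
    return {
        "vpn_nat_disabled": str(source_address("10.1.5.5", "10.2.7.7", COMMUNITY, True)),
        "vpn_nat_enabled": str(source_address("10.1.5.5", "10.2.7.7", COMMUNITY, False)),
        "internet": str(source_address("10.1.5.5", "192.0.2.80", COMMUNITY, True)),
    }


if __name__ == "__main__":
    for case, addr in demo().items():
        print(f"{case}: {addr}")
```

When checking a real deployment, compare the address seen by the remote host with the one printed for the matching case: a translated address on a site-to-site connection usually means the setting is off or the destination is outside the peer's encryption domain.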
Use Aggressive mode
In aggressive mode, the Diffie-Hellman computation is performed in parallel with authentication. A peer that is not yet authenticated can therefore force processor-intensive Diffie-Hellman computations on the other peer. Aggressive mode performs the IKE negotiation with three packets instead of six. It also sends the peer identities in the clear, and with pre-shared key authentication the authentication hash can be captured and attacked offline, so use main mode unless a peer requires aggressive mode.
Support IP Compression
IP compression is a process that reduces the size of the data portion of the IP packet. Such a reduction can cause a significant improvement in performance. IPsec supports the Deflate IP compression algorithm. Deflate is an adaptive algorithm that adjusts the way it compresses data to the actual data itself. Whether to use IP compression is decided during IKE phase II.
IP compression is not enabled by default. IP compression is important for SecuRemote / SecureClient users with slow links. For example, dialup modems compress data as a way of speeding up the link. Security Gateway encryption makes IP packets appear random, and random-looking data cannot be compressed, so bandwidth is lost as a result. If IP compression is enabled, packets are compressed before encryption. This has the effect of recovering the lost bandwidth.
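The following Python example, added here and not taken from the original page or from Check Point, demonstrates why the order matters. It compresses a constructed sample payload with Deflate (zlib) both before and after encryption. The "encryption" is a stand-in keystream built from SHA-256, not IPsec ESP, chosen only so the script runs offline with the standard library; the point is that its output is indistinguishable from random data for the compressor. It also models the IPComp rule that a datagram is sent uncompressed when compression does not make it smaller.

```python
import hashlib
import zlib

# Constructed sample payload: a repetitive HTTP request, the kind of data
# Deflate compresses well. Sample data only.
SAMPLE_PAYLOAD = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: intranet.example.com\r\n"
    b"User-Agent: SecureClient/1.0\r\n"
    b"Accept: text/html\r\n\r\n"
) * 20

# Constructed demo key; a stand-in, not an IPsec session key.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def keystream(key: bytes, length: int) -> bytes:
    """Stand-in counter-mode keystream from SHA-256 (demo only, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(data: bytes, key: bytes) -> bytes:
    """XOR the data with the keystream; length is preserved, content looks random."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def ipcomp_deflate(payload: bytes) -> tuple[bytes, bool]:
    """Compress like IPComp with Deflate: use the compressed form only if smaller.

    Returns (payload_on_the_wire, was_compressed).
    """
    compressed = zlib.compress(payload, 9)
    if len(compressed) < len(payload):
        return compressed, True
    return payload, False


def compress_then_encrypt(payload: bytes, key: bytes) -> tuple[int, bool]:
    """Order used when IP compression is enabled: Deflate first, then encrypt."""
    body, used = ipcomp_deflate(payload)
    return len(encrypt(body, key)), used


def encrypt_then_compress(payload: bytes, key: bytes) -> tuple[int, bool]:
    """Order a link-layer compressor sees: the ciphertext, which does not shrink."""
    body, used = ipcomp_deflate(encrypt(payload, key))
    return len(body), used


def compare(payload: bytes = SAMPLE_PAYLOAD, key: bytes = DEMO_KEY) -> dict:
    """Wire sizes for both orderings, plus whether compression was applied."""
    cte_size, cte_used = compress_then_encrypt(payload, key)
    etc_size, etc_used = encrypt_then_compress(payload, key)
    return {
        "original": len(payload),
        "compress_then_encrypt": cte_size,
        "compress_then_encrypt_used": cte_used,
        "encrypt_then_compress": etc_size,
        "encrypt_then_compress_used": etc_used,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Compressing the ciphertext never wins: Deflate finds no repetition in random-looking bytes, so the IPComp fallback leaves the datagram at its original size, which is exactly the bandwidth the page says is lost without IP compression.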