Domain-Based VPN

Overview of Domain-based VPN

Domain-Based VPN controls how VPN traffic is routed between Security Gateways within a community. To route traffic to a host behind a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., you must first define the VPN domain for that Security Gateway. Configuration for VPN routing is done with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. or in the VPN routing configuration files on the Security Gateways.

In this figure, one of the host machines behind Security Gateway "A" tries to connect to a host computer behind Security Gateway "B". For technical or policy reasons, Security Gateway "A" cannot establish a VPN tunnel with Security Gateway "B". With VPN Routing, Security Gateways "A" and "B" can establish VPN tunnels through Security Gateway "C".

Legend

Item

Description

A

Security Gateway "A"

B

Security Gateway "B"

C

Security Gateway "C"

VPN Routing and Access Control

VPN routing connections are subject to the same access control rules as any other connection. If VPN routing is correctly configured but a Security PolicyClosed Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. exists that does not allow the connection, the connection is dropped. For example: a Security Gateway has a rule which forbids all FTP traffic from inside the internal network to anywhere outside. When a peer Security Gateway opens an FTP connection with this Security Gateway, the connection is dropped.

For VPN routing to succeed, a single rule in the Security Policy Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase. must cover traffic in both directions, inbound and outbound, and on the central Security Gateway. To configure this rule, see Configuring VPN Routing for Security Gateways in SmartConsole.

Configuring VPN Routing in Domain-Based VPN

Configure most common VPN routing scenarios through a Star VPN CommunityClosed A named collection of VPN domains, each protected by a VPN gateway. in SmartConsole.

You can also configure VPN routing between Security Gateways in the corresponding vpn_route.conf file that is configured on the Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

You can only configure VPN routing between Security Gateways that belong to a VPN Community.

Configuring VPN Routing for Security Gateways in SmartConsole

  1. In the Star Community object:

    1. In the Center Gateways section, select the Security Gateway that functions as the "Hub".

    2. In the Satellite Gateways section, select Security Gateways as the "spokes", or satellites.

  2. On the VPN Routing page, in the Enable VPN routing for satellites section, select one of these options:

    • To center and to other Satellites through center - This allows connectivity between the Security Gateways, for example if the spoke Security Gateways have dynamically assigned IP addresses, and the Hub is a Security Gateway with a static IP address.

    • To center, or through the center to other satellites, to internet and other VPN targets - This allows connectivity between the Security Gateways as well as the ability to inspect all communication passing through the Hub to the Internet.

  3. Create the applicable Access Control Policy rules.

    Remember: These rules must allow traffic in both directions.

  4. NAT the satellite Security Gateways on the Hub, if the Hub is used to route connections from Satellites to the Internet.

Configuration in the VPN Configuration File 'vpn_route.conf'

For more granular control over VPN routing, edit the corresponding vpn_route.conf file on the Management Server.

Important - On the Management Server, you must edit this file in the correct Backward Compatibility directory. See the summary table below (Location of the 'vpn_route.conf' files on the Management Server)

The configuration file, vpn_route.conf, is a text file that contains the name of network objects.

The format is: Destination, Next hop, Install on Security Gateway (with tabbed spaces separating the elements).

Consider a simple VPN routing scenario consisting of Center gateway (hub) and two Satellite gateways (spokes). All machines are controlled from the same Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server., and all the Security Gateways are members of the same VPN Community. Only Telnet and FTP services are to be encrypted between the Satellites and routed through the Center.

Although you can do this easily in a Star VPN Community, you can achieve the same goal if you edit the corresponding vpn_route.conf file:

Destination

Next hop router interface

Install on

Spoke_B_VPN_Dom

Hub_C

Spoke_A

Spoke_A_VPN_Dom

Hub_C

Spoke_B

In this example:

  • "Spoke_B_VPN_Dom" is the name of the network object that represents the VPN domain of spoke "B".

  • "Hub_C" is the name of the Security Gateway enabled for VPN routing.

  • "Spoke_B_VPN_Dom" is the name of the network object that represents the VPN domain of spoke "A".

Example of the file contents (values are separated with spaces):

Spoke_B_VPN_DOM Hub_C Spoke_A

Spoke_A_VPN_DOM Hub_C Spoke_B

The 'vpn_route.conf' files contain the configuration for Domain-Based Site to Site VPNClosed An encrypted tunnel between two or more Security Gateways. Synonym: Site-to-Site VPN. Contractions: S2S VPN, S-to-S VPN..

Important:

  • You must edit this file in the context of the applicable Domain Management Server.

    To go to the required context, use the command:

    mdsenv <IP Address or Name of Domain Management Server>

  • If the required file does not exist, create a copy of the $FWDIR/conf/vpn_route.conf file, rename it, and edit it.

Location of files on an R82 Security Management Server and a Domain Management Server:

Version of the Target Security Gateway

Location of the File

R82

$FWDIR/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPsuite-R82/fw1/conf/vpn_route.conf

R81.20

/opt/CPR8120CMP-R82/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPR8120CMP-R82/conf/vpn_route.conf

R81.10

/opt/CPR8120CMP-R82/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPR8120CMP-R82/conf/vpn_route.conf

R81.10.x on Quantum Spark Appliances 1500 / 1600 / 1800

/opt/CPSFWR81CMP-R82/conf/vpn_route.conf

/opt/CPmds-R82/customers/<Name_of_Domain>/CPSFWR81CMP-R82/conf/vpn_route.conf

R81

/opt/CPR8120CMP-R82/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPR8120CMP-R82/conf/vpn_route.conf

R80.40

/opt/CPR8040CMP-R82/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPR8040CMP-R82/conf/vpn_route.conf

R80.30SP in Maestro

/opt/CPR8040CMP-R82/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPR8040CMP-R82/conf/vpn_route.conf

R80.30

/opt/CPR8040CMP-R82/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPR8040CMP-R82/conf/vpn_route.conf

R80.20SP in Maestro, or Scalable Chassis

/opt/CPR8040CMP-R82/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPR8040CMP-R82/conf/vpn_route.conf

R80.20

/opt/CPR8040CMP-R82/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPR8040CMP-R82/conf/vpn_route.conf

R80.20.x on Quantum Spark Appliances 1500 / 1600 / 1800

/opt/CPSFWR80CMP-R82/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPSFWR80CMP-R82/conf/vpn_route.conf

R80.10

/opt/CPR8040CMP-R82/conf/vpn_route.conf

$MDSDIR/customers/<Name_of_Domain>/CPR8040CMP-R82/conf/vpn_route.conf

Configuring the 'Accept VPN Traffic Rule'

In SmartConsole:

  1. Double click a Star or Meshed VPN Community object.

  2. On the Encrypted Traffic page, select Accept all encrypted traffic.

  3. In a Star VPN Community, choose between accepting encrypted traffic on Both center and satellite gateways or Satellite gateways only.

  4. Click OK.

Configuring Multiple Hubs

Consider two Hubs- "A" and "B".

Hub "A" has two spokes - "spoke_A1" and "spoke_A2".

Hub "B" has a single spoke - "spoke_B".

Hub "A" is managed by the Security Management Server "A".

Hub "B" is managed by the Security Management Server "B".

For the two Star VPN Communities, based around Hub "A" and Hub "B":

  • Spokes "A1" and "A2" need to route all traffic going outside of the VPN Community through Hub "A".

  • Spokes "A1" and "A2" also need to route all traffic to one another through Hub "A", the center of their Star VPN Community.

  • Spoke "B" needs to route all traffic outside of its Star VPN Community through Hub "B".

"A_community" is the VPN Community of "A" plus the spokes that belong to "A".

"B_community" is the VPN Community of "B".

"Hubs_community" is the VPN Community of "Hub_A" and "Hub_B".

For both vpn_route.conf files:

  • "A_Community" is a Star VPN Community that contains Hub_A, Spoke_A1, and Spoke_A2.

  • "B_Community" is a Star VPN Community that contains Hub_B and Spoke_B.

  • "Hubs-Community" is a Meshed VPN Community that contains Hub_A and Hub_B

    (it could also be a Star VPN Community with the meshed Central Security Gateways).

The vpn_route.conf file on Security Management Server "A" looks like this:

Destination

Next hop router interface

Install on

Spoke_B_VPN_Dom

Hub_A

A_Spokes

Spoke_A1_VPN_Dom

Hub_A

Spoke_A2

Spoke_A2_VPN_Dom

Hub_A

Spoke _A1

Spoke_B_VPN_Dom

Hub_B

Hub_A

Spokes "A1" and "A2" are combined into the network group object "A_spokes".

The applicable rule in the Security Policy Rule Base looks like this:

Source

Destination

VPN

Service

Action

*Any

*Any

A_Community

B_Community

Hubs_Community

*Any

Accept

The vpn_route.conf file on Security Management Server "B" looks like this:

Destination

Next hop router interface

Install On

Spoke_A1_VPN_Dom

Hub_B

Spoke_B

Spoke_A2_VPN_Dom

Hub_B

Spoke_B

Spoke_A1_VPN_Dom

Hub_A

Hub_B

Spoke_A2_VPN_Dom

Hub_A

Hub_B

The applicable rule in the Security Policy Rule Base looks like this:

Source

Destination

VPN

Service

Action

*Any

*Any

B_Community

A_Community

Hubs_Community

*Any

Accept

VPN with LSM Profiles

You can configure a Star VPN Community between two SmartLSM Profiles. The procedures below show a SmartLSMGateway Profile and SmartLSM ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Profile.

You can also configure the community with two SmartLSM Cluster Profiles or two SmartLSMGateway Profiles.

All included SmartLSM Gateway and SmartLSM Cluster Profiles must have the IPsec VPNClosed Check Point Software Blade on a Security Gateway that provides a Site to Site VPN and Remote Access VPN access. blade enabled.

The procedure requires configuration in:

  1. SmartConsole

  2. CLI on the Security Management Server

  3. SmartProvisioningClosed Check Point Software Blade on a Management Server (the actual name is "Provisioning") that manages large-scale deployments of Check Point Security Gateways using configuration profiles. Synonyms: Large-Scale Management, SmartLSM, LSM. GUI

  4. CLI on the Center Security Gateway

See the R82 SmartProvisioning Administration Guide.