So you can mix domain-based and route-based VPNs on your firewall with a non-empty VPN domain defined for your firewall, just keep in mind that if domain-based VPN specifies encryption it will trump whatever route-based VPN specifies. If the domains do not match for encryption, route-based VPN still has the opportunity to either encrypt or forward in the clear based on routing. If the domains determine that traffic needs to be encrypted, it will be encrypted no matter what routing says, full stop.
The reason why it is frequently recommended to define an empty VPN domain for your firewall with route-based VPNs in use is to avoid a situation in #1 where the domains force encryption first but routing does not. If the route leads to a regular physical/logical interface the traffic will not be encrypted.
My understanding of how the Check Point firewall determines whether traffic should be encrypted into a VPN (also referred to as "interesting traffic" in the Cisco world) happens in this order:Ġ) First off, the traffic must be accepted by the security policy.ġ) Between inspection points i and I prior to routing, if the packet's source IP falls into our firewall's defined VPN domain AND (not or) the destination IP falls inside the defined VPN domain of a VPN peer, the traffic will be encrypted regardless of what route-based VPN determines.Ģ) If the IP route matching this packet leads to a VPN Tunnel Interface (VTI), the traffic will be encrypted. This is not completely accurate but is recommended to avoid confusion. Basically my VPN domain is empty as this is a requirement for route based vpn setup.
0 kommentar(er)
