This is different from most other commercial firewall products like Cisco PIX and Juniper firewalls where the firewall software is part of a proprietary operating system.Īlthough traditionally sold as software only, VPN-1 is also sold in appliance form as Check Point's UTM-1 (starting 2006) and Power-1 appliances.
a subset of it) is highly dependent on the other side's vendor type and configuration.Īfter we switched to route-based VPN, we changed from "One VPN tunnel per subnet pair" to "One VPN tunnel per Gateway pair", and changed both encryption domains to be empty (dummy) network groups (the routing was statically added via vpnt interface).The VPN-1 software is installed on a separate operating system, which provides the protocol stack, file system, process scheduling and other features needed by the product. Whether a peer configured for route-based VPNs will accept a non-universal tunnel (i.e. Any chance the R80.40 changes are causing many more IPSec SAs to be negotiated than before and you are hitting some kind of limit on SAs that can simultaneously exist on the peer? I remember reading an SK about this but can't find it right now.
You will need to take a closer look at the selectors being proposed with vpn debug ikeon and ikeview. With the introduction of per-VPN Community VPN domains in R80.40, that code was definitely touched and may be the cause of your issue. This is controlled from the VPN Tunnel Sharing screen of the VPN Community, do you have it set to "one tunnel per gateway"? However the traffic selector determination is also impacted (called Proxy-IDs/subnets in IKEv1 Phase 2), with a route-based VPN normally you utilize what Check Point calls a "universal tunnel" (dual 0.0.0.0/0's) whereas with domain-based individual subnets are negotiated. Once established the VPN protocols more or less operate the same regardless of which one you are using.
Keep in mind the only real difference between domain-based and route-based VPNs is how traffic is determined to be "interesting" (to borrow a Cisco term) and requires encryption vs. Right you can mix the domain-based approach with a route-based approach on the other side and still have it work.
0 kommentar(er)
