Support Center > Search Results > SecureKnowledge Details
Site-to-Site VPN between Central Security Gateway and DAIP Edge gateways located behind the same NAT device Technical Level
Symptoms
  • Topology:
    [Central Security Gateway] --- (VPN) --- [NAT Device] --- two Satellite Edge gateways

  • In the above topology, Site-to-Site VPN tunnel can be up between the Central Security Gateway and only one of the two Satellite Edge gateways located behind the same NAT device
    (if VPN tunnel is up with one of the Satellite Edge gateways, the VPN tunnel will not work with the other Satellite Edge gateway).

Cause

Site-to-Site connections are defined by their IP address only. Therefore, the Central Security Gateway will "see" those two Satellite Edge gateways as one Site and will not be able to distinguish between them.


Solution

No fix is required; the Site-to-Site VPN is functioning as designed.

Check Point offers the following possible workaround - configure the two Edge gateways as Remote Access clients:

  1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  2. Go to 'Firewall' tab.

  3. Open the object of each Edge gateway.

  4. Go to 'IPSec VPN' pane.

  5. Remove all VPN Communities.

  6. Go to 'General Properties' pane:

    1. Check the box 'VPN'.
    2. Select 'Connects as Remote Access Client'.
    3. Click on 'OK'.

    Note: This will change the Edge gateway to DAIP device (Dynamically Assigned IP Address). You must use a certificate to establish a VPN tunnel. This UTM-1 Edge gateway can only be enforced in the Source column of a security rule.

  7. Click on 'OK' to apply the changes.

  8. Create an explicit security rule to allow traffic from this Edge gateway to relevant destinations.

  9. Go to 'IPSec VPN' tab.

  10. Open the relevant Remote Access community.

  11. Add either the Edge gateway itself, or "All users" group to the Remote Access community.

  12. On the Edge's side, Remote Access needs to be configured in the same way as Site-to-Site:

    • The username has to be the Edge's object name in SmartDashboard

    • The password has to be the Registration Key from the Edge's object in SmartDashboard

 

The limitation of this workaround, comparing to Site-to-Site, is that now the Edge "knows" the Central Security Gateway's encryption domain, so there will be no problem with traffic from the Edge's side to the Central Security Gateway's side.
However, the Central Security Gateway "knows" only the Edge's external IP address. Therefore, if traffic needs to come from Central Security Gateway's side to hosts behind the Edge, the relevant port forwarding rules have to be added on the Edge's side.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment