eth0) the traffic is not interesting and is sent in the clear. If the next hop leads to a regular interface (i.e. If the traffic is not determined to be interesting by the domains, proceed to step 3.ģ) If next hop of an IP route leads to a VTI (VPN Tunnel Interface) associated with a VPN tunnel, the routed traffic is interesting and will be encrypted. It goes something like this:ġ) Traffic must be accepted by the Firewall/Network policy layer firstĢ) If the source IP address is in the firewall's VPN domain AND (not or) the destination IP address is in the VPN domain of a peer, the traffic is interesting and will be encrypted we do not proceed to step 3. Other than how the subnets/Proxy-IDs are negotiated (usually specific subnets for domain-based VPNs and a "universal tunnel" which is double 0.0.0.0/0's for route-based VPN), the underlying VPN tunnel created is exactly the same no matter which technique you use. There are two ways to identify interesting traffic for VPN tunnel encryption on a Check Point: domain-based VPN and route-based VPN.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |