setting up a L2L vpn from a 5510 to someone else's Checkpoint and I have a couple questions.
First of all if we are using static nat...translating our private addresses to public addresses...should the encryption domain reflect the translated or untranslated IP?
If the host they will be connecting to using the VPN is 192.168.1.1 an the public address is 188.8.131.52....and lets say the IP on their side is 184.108.40.206....
My encryption domain would be:
access-list encdomain permit ip host 220.127.116.11 host 18.104.22.168
is this right? The packet arrives, consults routing tables, determines which interface it will be leaving from, undergoes any relevant translations, then looks for a VPN that it matches?
Another question...the only way for me to control on my end what traffic comes over a L2L vpn tunnel is to not use sysopt connection permit ipsec, but rather leverage access-lists on the external interface of the firewall to control what traffic can enter our environment (with syopt connection permit-ipsec in place all traffic bypasses that ACL).
So my next question is how do people handle this on VPNs that are using public IPs? I dont know why but our partner insists on using public IPs to hide their VPN encrypter hosts, and will only connect to hosts at our side if we NAT them to public IPs.
So what this means is we have an ACL on our external interface allowing traffic from routable_IP_remote to routable_IP_local...so if something gets screwed up in the future and the tunnel no longer works because a setting was tweaked on one end but not the other...no one would know about it and the traffic would still flow over the public internet without a VPN tunnel since all the translations and access-lists are in place.
How do you mitigate this?
The only solution I can think of is blocking all traffic EXCEPT that of the vpn peer on your upstream router...but that only works if you have a dedicated VPN firewall (you cant block all traffic to your firewall's IP if you are also using it as the hide-nat for outgoing traffic for example).
This seems like such a weak solution...requiring ACLs on an upstream ROUTER (note router, should be used to route not to filter packets) in order to secure connectivity to your FIREWALL (note firewall, security appliance which should be capable of securing itself).
How do you handle this situation???