Wonder if someone could help me as I’m struggling.
So I need to configure an IPsec VPN between ourselves and a 3rd party.
The VPN terminates on our Checkpoint and I use r80.40 to configure it.
My question is (and feel free to call me stupid as I'm new):
- How do I define the VRF the IPsec traffic falls into once it sees the inner packet and goes out the Check Point back into my core network?
- Also, does it need a NAT? Because if it has an inner packet, surely that can be private, no?
- If there are multiple sources and destinations in
Guessing the rules can just reflect that, as that's what's gonna be the inner packet on the IPsec?
Sorry if these seem stupid questions I’m still learning and really want to understand!
If anyone has a video with this setup explained, feel free to share, I couldn't find anything.
Thank you all

You manage a Check Point? My heart goes out to you buddy.
VRF-like behaviour is only available on VSX. If you are using a "normal" gateway you only have one default routing table, or you can configure policy-based routing and specify a different routing behaviour based on src/dst addresses.
Regarding the fw policy rules, you should do your policies according to the decrypted traffic, even if you do source/destination NAT on the decrypted traffic.
Routing config is done through the Gaia interface (web, CLI or API); fw/NAT rules through SmartConsole or API.
Are Check Points that bad? Genuinely curious, as I've never had to work with them.
I currently manage Check Points, Palo Alto and Fortigates. I used to manage Firepower. I recommend Fortigate and Palo Alto, both are amazing firewalls. I tell people to avoid Check Point and Firepower like the plague.
Hence me reaching out here for some guidance.
Thank you for the response. So how do the routes find themselves in the correct VRFs normally once they start to traverse the network?
Yeah they are. I’ve had to work with them for a couple of years and had a lot of problems with them. Horrible interfaces and hard to configure. Due to a bug I had my wifi go down when I did a policy install every once in a while. Numerous other bugs. A memory leak that was never fixed during the whole lifespan (4+ years) of the device on all software trains. I was scared of every firewall change I had to make.
Last year I replaced all the Check Points on both my HQ and a bunch of branch offices with Fortigates, and they have been amazing so far. No one should ever consider buying Check Point NGFWs in 2024.
If you have different VRFs in your router/network, you should extend the L3 interface that belongs to the required VRF to the Check Point firewall.
Ex:
FW Check Point ↔ router/network VRF
eth0.10 (VLAN) ↔ VLAN 10 router (vrf1)
eth0.20 (VLAN) ↔ VLAN 20 router (vrf2)
eth0.30 (VLAN) ↔ VLAN 30 router (vrf3)
In the Check Point firewall you can manage all the routing in the global routing table and forward the traffic according to the required next hop, or create a policy-based routing rule that takes into account the source IP and destination IP and forwards the traffic to a different next hop.
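As an added illustration of the layout in this reply (not the poster's own config), a Gaia clish fragment that creates one VLAN sub-interface per router VRF and uses a PBR table so the decrypted (inner) VPN packets toward VRF1's networks leave via the VRF1 router. All addresses, the interface name eth0, the table name vrf1 and the rule priorities are constructed placeholders.

```clish
# Added example, constructed values. One VLAN sub-interface per router VRF,
# so each VRF gets its own L3 hand-off on the gateway.
add interface eth0 vlan 10
set interface eth0.10 state on
set interface eth0.10 ipv4-address 10.1.10.1 mask-length 24   # hand-off to vrf1, router side 10.1.10.254
add interface eth0 vlan 20
set interface eth0.20 state on
set interface eth0.20 ipv4-address 10.1.20.1 mask-length 24   # hand-off to vrf2, router side 10.1.20.254

# PBR table "vrf1": anything matched into it is sent to the VRF1 router.
set pbr table vrf1 static-route default nexthop gateway address 10.1.10.254 priority 1

# PBR rule: inner packets from the partner's encryption domain (192.0.2.0/24,
# a constructed placeholder) toward our VRF1 networks (10.10.0.0/16) use table vrf1.
# The firewall/NAT policy still matches on these inner addresses, as noted above.
set pbr rule priority 10 match from 192.0.2.0/24
set pbr rule priority 10 match to 10.10.0.0/16
set pbr rule priority 10 action table vrf1

save config
```

Confirm how PBR is applied to VPN traffic on your exact version against the R80.40 Gaia Administration Guide before relying on it; check the resulting table with `show pbr tables` and `show pbr rules`.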
Yeah, we're a FortiGate shop (the last few places I've worked have been) and to be honest they've been flawless, so much so I snagged an old 80E for my homelab and I love it! I've only ever seen Cisco, FG, Palo Alto and Juniper FWs out in the wild. Guess I've been lucky! Will add them to the avoid list for sure then.
Thank you, that makes sense. So each VLAN on the router would be part of a VRF? How do I see routing on the Check Point? I'm in SmartConsole R80.40 and can't see anything.
That's the "issue" with Check Point: some settings (OS, routing) are only available through the Gaia interface (the OS interface). You can access it through HTTPS, SSH or API using the management IP of the fw. If you need additional information you can check the Gaia Admin Guide for R80.40:
https://support.checkpoint.com/results/sk/sk160736 or https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_Gaia_AdminGuide/Topics-GAG/Gaia-Overview.htm