
SRX VPN: Checkpoint to SRX Site-to-Site Policy Based.

Today we are going to take a look at a site to site VPN between a Checkpoint and an SRX.

We will focus more on configuration and testing than on VPN theory, as the Internet is full of great resources in that respect. There is no NAT in this one either, to keep it simpler and focused on the VPN side of things. We will do a separate blog post for VPN troubleshooting.


Here is a layer 3 view of the network we will be using:


Logging Policy and TCPDUMP (SRX)

How can we know if our policies are being hit or if traffic is getting to the firewall?

* SETUP

The policy in question for all the work below is just the default trust to untrust policy on the SRX. The source IP on trust is 192.168.56.50 and the destination IP on untrust is 172.20.123.2.

blogger@LEFTY> show configuration security policies from-zone trust to-zone untrust
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

* LOGGING

First, let's look at logging. Let's add logging to the policy. If you're going to have logging you must choose session-init or session-close, or both. From my perspective session-init is way more useful: if you have very long-lasting sessions you may never know that you got a policy hit. Sure, you might want to know when a session ends, but at the very least you would want to know when and if your policy even got hit, so make sure you at least use session-init.
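As an added example (not the output from the LEFTY box above), here is what the same trust-to-untrust policy looks like once both log options are enabled. The policy name and zones are the ones on this page; the only thing added is the log stanza under then.

```junos
/* security policies from-zone trust to-zone untrust, with logging added */
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-init;    /* log when the session is created: proves the policy was hit */
            session-close;   /* log when the session ends: optional, gives byte/packet counts */
        }
    }
}
```

In set form this is "set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init" (and the same line ending in session-close). Where the resulting RT_FLOW messages end up depends on the security log and syslog configuration of the box, which this post does not cover; the log stanza on the policy only decides whether the events are generated at all.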