topic VPN Connectivity to S2S connected sites in Cloud Firewall

VPN Connectivity to S2S connected sites

TonyM12 — Thu, 08 Feb 2024 07:38:12 GMT

Hi All,

I am a little stuck again, appreciate your help here.

We have a CP setup in Azure. From there we have a simple setup. one S2S connection to a 3rd party network (who have their phase to set to ANY apparently) (not Checkpoint on the other end). That works fine. All the systems that we have connected to the CP can connect over the S2S both ways.

What we are struggling with is that we need our users who connect to our CP over Check Point mobile vpn to be able to route to that same network over the S2S. We tried adding it as one of the trusted networks but i think it broke the S2S connection. Is there a way to publish the routes and allow communication ?

Let me know if you need more info, as i may not have provided enough detail.

Re: VPN Connectivity to S2S connected sites

Lesley — Thu, 08 Feb 2024 07:49:51 GMT

Route based or domain based tunnel? If it is domain based you need to add the mobile access IP range to your own encryption domain. Then the Azure side needs to do the same or it could indeed break the tunnel.

Re: VPN Connectivity to S2S connected sites

TonyM12 — Thu, 08 Feb 2024 10:04:00 GMT

Hi Lesley,

Its route based.

What i didnt mention is that there are 2 S2S tunnels in the same community. so it acts as an active active scenario.

Our side is checkpoint, the other side is Juniper.

Last time i added the S2S range to our VPN route (i probably did it wrong) it broke connectivity to the S2S.

Re: VPN Connectivity to S2S connected sites

Machine_Head — Thu, 08 Feb 2024 09:35:59 GMT

quick and dirty just NAT your remote access network behind an IP that currently works for that tunnel.

The problem seems to be that the remote gateway doesn't "know" about your RA net.

Re: VPN Connectivity to S2S connected sites

the_rock — Thu, 08 Feb 2024 14:10:00 GMT

I agree with @Machine_Head . How is this setting configured?

Andy

Re: VPN Connectivity to S2S connected sites

TonyM12 — Thu, 08 Feb 2024 14:54:32 GMT

Hi Guys,

Its set the same as your screenshot.

Re: VPN Connectivity to S2S connected sites

the_rock — Thu, 08 Feb 2024 15:01:02 GMT

For the reference, here is what options do.

Andy

To center only . No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way
To center and to other satellites through center . Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.
To center, or through the center to other satellites, to internet and other VPN targets . Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

Re: VPN Connectivity to S2S connected sites

PhoneBoy — Thu, 08 Feb 2024 22:37:30 GMT

Have you added the 3rd party networks to the Remote Access encryption domain?

Re: VPN Connectivity to S2S connected sites

TonyM12 — Fri, 09 Feb 2024 08:17:12 GMT

I figured it out. The 3rd party network was set to 0.0.0.0 on their side, and we have limited it. Once we set it the same, it worked. Appreciate your help guys.

Re: VPN Connectivity to S2S connected sites

the_rock — Fri, 09 Feb 2024 12:13:18 GMT

Good job!