topic Re: VPN routing in Firewall and Security Management

VPN routing

Sandra_Suarez — Thu, 02 Aug 2018 19:05:38 GMT

Hi,

***********************
ENVIRONMENT

VPN COMMUNITY TYPE: Star
CENTER GW: CheckPoint R80.10 (appliances 5900) (manage our customer)
SATELLITE GW: Cisco (manage external 1)
SATELLITE GW: Fortinet (manage external 2)
SATELLITE GW: Cisco ASA (manage external 3)
SATELLITE GW: Checkpoint (manage external 4)

**************************
TRAFFIC FLOW

SATELLITE GW from external 2, 3 y 4 needs to contact to SATELLITE GW external 1, the traffic must always pass through CENTER GW.

*************************
CONFIGURATION

Each SATELLITE (2,3,4) arrive to CENTER GW with a follow IP address
customer 2 --> 10.10.10.10
customer 3 --> 10.10.10.15
customer 4 --> 10.10.10.20
they try to connect to 172.25.107.193 (host behid SATELLITE GW: Cisco (manage external 1))

When
Host 10.10.10.10-SATELLITE GW: Fortinet (manage external 2) AND host10.10.10.20-SATELLITE GW: Checkpoint (manage external 4) did the telnet connection to 172.25.107.193-SATELLITE GW: Cisco (manage external 1) EVERITHING WORKS FINE

When
Host 10.10.10.15-SATELLITE GW: Cisco (manage external 3) did the telnet connection to 172.25.107.193-SATELLITE GW: Cisco (manage external 1) DOES NOT OPEN

******************************
LOGS
1. When the traffic works fine between satellites the log traffic show action VPN Routig
2. When the traffic does no work the log traffci show action DECRIPT (never show VPN Routing)

*******************
QUESTION

1. How can we check by CLI the routes created by VPN Routing from Start COmmunity
2. Could you explain us how is the orden in a VPN routing
First decript
Second Nat
Third Encript
3. Do you know how other troubleshooting could we run?

Re: VPN routing

PhoneBoy — Thu, 02 Aug 2018 22:32:04 GMT

A lot of the troubleshooting for site-to-site VPN is here: Debugging Site-to-Site VPN

Re: VPN routing

HeikoAnkenbrand — Fri, 03 Aug 2018 21:53:47 GMT

Your QUESTIONs:

>>> 1. How can we check by CLI the routes created by VPN Routing from Start COmmunity

You can found policy based VPN routes in the following tabel "fw tab -f -t vpn_routing -u" or use te one liner from my articel:

Show VPN Routing on CLI

>>> 2. Could you explain us how is the orden in a VPN routing

Here you can find a flowchart of how VPN decryption and encryption is implemented:

R80.x Security Gateway Architecture (Logical Packet Flow)

>>> 3. Do you know how other troubleshooting could we run?

See answer from https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc > Debugging Site-to-Site VPN

Regards

Heiko

Re: VPN routing

AnujPratap — Thu, 22 Aug 2019 05:04:03 GMT

Hi HeiKo,

Would you please help me to understand. Does routing is required for remote end n/w in IPSec VPN?