topic Route Based VPN - Configuration in Firewall and Security Management https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Configuration/m-p/51006#M12986 <P>Hello Checkmates,&nbsp;</P><P>I am&nbsp; implementing a hub and spoke topology using Checkpoint devices across our MPLS. All spoke checkpoint devices will be configured to route to the internet via the Hub Checkpoint.&nbsp;</P><P>I am trying to setup Route based VPNs and I need some clarifications on the following.&nbsp;</P><P>First is VTI supposed to work like GRE tunnels (we define tunnel local IPs, tunnel source and tunnel destination)? since it also allows routing protocols through IPSec tunnels.&nbsp;&nbsp;</P><P>2. Remote Address under the VTI - Is this suppose to be&nbsp; the public IP of the peer gateway's external interface&nbsp; or the local Private IP on the VTI of peer gateway.&nbsp; Image below from checkpoint support center shows local (10.10.10.10) and remote (20.20.20.20). I was thinking they have to be on the same subnet for reachability&nbsp; (local 10.10.10.10 and remote 10.10.10.11)&nbsp; &nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="img 3.PNG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/852iBDB05F96CFD602E3/image-size/large?v=v2&amp;px=999" role="button" title="img 3.PNG" alt="img 3.PNG" /></span></P><P>3. For OSPF routing&nbsp; I am using the GUI configuration - Do I have to select the VTI as part of the ospf interfaces for it form neighborship with the peer? I have selected all active LAN interfaces on the Checkpoint devices and I plan to use ospf default information originate to pass default route from Hub to Spoke devices.&nbsp;</P><P>&nbsp;</P><P>Thank you in anticipation.&nbsp;</P><P>&nbsp;</P> Tue, 16 Apr 2019 00:36:18 GMT Dami 2019-04-16T00:36:18Z Route Based VPN - Configuration https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Configuration/m-p/51006#M12986 <P>Hello Checkmates,&nbsp;</P><P>I am&nbsp; implementing a hub and spoke topology using Checkpoint devices across our MPLS. All spoke checkpoint devices will be configured to route to the internet via the Hub Checkpoint.&nbsp;</P><P>I am trying to setup Route based VPNs and I need some clarifications on the following.&nbsp;</P><P>First is VTI supposed to work like GRE tunnels (we define tunnel local IPs, tunnel source and tunnel destination)? since it also allows routing protocols through IPSec tunnels.&nbsp;&nbsp;</P><P>2. Remote Address under the VTI - Is this suppose to be&nbsp; the public IP of the peer gateway's external interface&nbsp; or the local Private IP on the VTI of peer gateway.&nbsp; Image below from checkpoint support center shows local (10.10.10.10) and remote (20.20.20.20). I was thinking they have to be on the same subnet for reachability&nbsp; (local 10.10.10.10 and remote 10.10.10.11)&nbsp; &nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="img 3.PNG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/852iBDB05F96CFD602E3/image-size/large?v=v2&amp;px=999" role="button" title="img 3.PNG" alt="img 3.PNG" /></span></P><P>3. For OSPF routing&nbsp; I am using the GUI configuration - Do I have to select the VTI as part of the ospf interfaces for it form neighborship with the peer? I have selected all active LAN interfaces on the Checkpoint devices and I plan to use ospf default information originate to pass default route from Hub to Spoke devices.&nbsp;</P><P>&nbsp;</P><P>Thank you in anticipation.&nbsp;</P><P>&nbsp;</P> Tue, 16 Apr 2019 00:36:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Configuration/m-p/51006#M12986 Dami 2019-04-16T00:36:18Z Re: Route Based VPN - Configuration https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Configuration/m-p/51330#M12987 VTI is similar to GRE in that traffic routed through the interface is encrypted.<BR />The difference with VTI is that the encapsulation is IPSEC.<BR />VTI interfaces are "point to point" and do not have to be on the same subnet.<BR />The VTI IP addresses are private.<BR />If you want OSPF to communicate routes over the VTI interface to the peer at the other end, it must be enabled on both ends of the VTI interface. Fri, 19 Apr 2019 00:59:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Route-Based-VPN-Configuration/m-p/51330#M12987 PhoneBoy 2019-04-19T00:59:27Z