topic Re: Domain Based VPN Domain Routing Questions in Firewall and Security Management

Domain Based VPN Domain Routing Questions

Wyman — Tue, 16 Feb 2021 16:50:52 GMT

Hi everyone. I'm trying to setup routing from a branch office to AWS via another office. I've read up on Domain Based VPN and I have some questions about it. All of our gateways are in a meshed community. On the CP article it mentions that the 'accept all encrypted traffic' box should be set within the community settings (we have it unticked).

Is this going to break VPN tunnels between all of our offices if I do this? I understand that I need to edit the vpn_routing.conf file on the security management server and then install policy on the relevant gateway.

I have also read from other sources that the subnet in AWS will have to be added to the VPN domain of the gateway that the branch gateway forwards the traffic to/receives from. Is this correct?

Finally, if I only make the change to the conf file on the SMS, how likely is it that something will go wrong? I've not done this before so I don't want to bring everything crashing down!

Re: Domain Based VPN Domain Routing Questions

PhoneBoy — Wed, 17 Feb 2021 06:13:14 GMT

“accept all encrypted traffic” shouldn’t break VPN tunnels and you will need to add the relevant AWS subset to the encryption domain of the relevant gateway.

If you edit the file incorrectly and push to the gateways, there is a risk it could be disruptive.
You might want to do it during a maintenance window.

Re: Domain Based VPN Domain Routing Questions

Wyman — Mon, 01 Mar 2021 13:35:02 GMT

Thanks PhoneBoy. The change was made and, although traffic isn't successfully passing through yet, there aren't any major issues as a result of the change!