topic Re: Mulitple 5 site vpn design P2P and mesh and center between them in Firewall and Security Management

Mulitple site vpn design P2P

gajendra229 — Sat, 13 May 2023 03:41:41 GMT

E & B is directly connected vpn

++ E & B need to be directly through P2P vpn

++ D & C need to be directly through P2P vpn

Mulitple 5 site vpn design P2P and mesh and center between them

gajendra229 — Sat, 13 May 2023 03:23:42 GMT

++ E & B need to directly connect to each other through direct tunnel

++ D & A need to directly connect to each other through direct tunnel

How this can be achieved ?

Re: Mulitple site vpn design P2P

Blason_R — Sat, 13 May 2023 07:28:03 GMT

Hi @gajendra229

This forum is not for suggestion on designing the networks and extend help in designing the same but we can help you on technical issues if any. However to give you a hint you can use route based tunnels.

Or best way opt for DMVPN with other devices; this would not be possible with policy based tunnels.

Re: Mulitple site vpn design P2P

gajendra229 — Sat, 13 May 2023 08:10:33 GMT

Thanks, Blason for replying,

Sorry if i said need help to design....

I already have this design just trying to understand how do i can achieve this configuration.

Route based tunnels any url where i can learn and configure according to it on checkpoint R80.40?

as i configured vpn domain based tunnel only never configured route-based tunnel.

Does this route-based tunnel require, Routing team to do something differently? mean i need to inform something to configure accroding to configuration in checkpoint?

Re: Mulitple 5 site vpn design P2P and mesh and center between them

the_rock — Sat, 13 May 2023 15:46:58 GMT

As @Blason_R said...route based tunnels.

Re: Mulitple 5 site vpn design P2P and mesh and center between them

gajendra229 — Sat, 13 May 2023 17:33:14 GMT

I got that but didn't understand the concept of creating between this many tunnels per my design , what should be the approach

Re: Mulitple 5 site vpn design P2P and mesh and center between them

the_rock — Sat, 13 May 2023 17:43:56 GMT

Below is good reference, but I also pasted some notes I took for myself. I would send you the good doc I have, but it contains private customer info, so cant do that, sorry

Andy

https://support.checkpoint.com/results/sk/sk100726

Some notes I gathered:

Steps for route based azure vpn tunnel:

Star community

Get all the settings from config file on Azure side

Pick any Ips from 169.254.0.0/24 subnet NOT in use with current tunnels for VTIs/remote address

Say:

169.254.0.200, 201 and 202 (master, backup and VIP) and then .203 for remote address (which is also used as DG for subnet on the other side)

Once this is configured, get interfaces without TOPOLOGY

*DO NOT PUSH POLICY YET*

Save changes in dashboard, then add peer external IP to exempt anti spoof group for external interface

Then also add route to external peer IP using actual Internet default DG

MAKE SURE PEER NAME (in VTI settings in web UI) MATCHES WITH INTEROPERABLE OBJECT in dashboard

Create appropriate rule using VPN community (bi-directional match) (internal clear to 3rd party tunnel, 3rd party to 3 rd party, 3rd party to internal clear in vpn column)

Push policy and test

Re: Mulitple 5 site vpn design P2P and mesh and center between them

gajendra229 — Sat, 13 May 2023 18:07:30 GMT

Thanks for sharing that any reference doc that can help to build multiple tunnels under same management server

I have 5 gateway, per my design I don't understand how many tunnel have to build

thinking to create 3 route based tunnels as if create domain based it will give an error while pushing policy on firewall

The pair of objects <FW A and FW b> appear simultaneously in the Intranet Communities:

not sure if i can achieve thinks with below 3 tunnels

ABC - mesh
A center gateway, E,D,C satellite gateway - bidirectional flow
C center gateway D,B,E satellite gateway

Re: Mulitple 5 site vpn design P2P and mesh and center between them

the_rock — Sat, 13 May 2023 18:53:05 GMT

I would contact TAC for faster resolution.