<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Site2Site-VPN not working with VLANS/additional IP-nets? in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-not-working-with-VLANS-additional-IP-nets/m-p/186731#M34353</link>
    <description>&lt;P&gt;Helloes.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Unsure what the problem is here, and I'm not that good at Check Point VPNs.&lt;/P&gt;&lt;P&gt;We have a 7000 gateway at our main site and some time ago we bought a smaller Spark 1570 gateway for a remote location. We set up an S2S-VPN between these with 1 network on the remote site, and that seems to work fine. The network is added to LAN1 directly (and the tunnel runs over WAN).&lt;/P&gt;&lt;P&gt;Now I wanted to add 2 more networks to the remote site. We installed a switch, added a trunk between the 1570 and the switch, and made VLAN interfaces on LAN2 (LAN2.1365 etc.) with 2 VLANs. One VLAN has an SVI in the switch that I can ping from the 1570; the other doesn't, but it has a camera attached that I can ping. So that part seems to be working as it should. But I cannot get traffic to use the S2S-VPN for these 2 VLAN networks.&lt;/P&gt;&lt;P&gt;If I do a traceroute from my office PC to the 1st network, I can see that it uses the tunnel, and I can also see in the CP logs that it is encrypting traffic etc.&lt;/P&gt;&lt;P&gt;If I do a traceroute to network 2 or 3, I can see that the traffic goes out on the default GW and is not tunneled. There's no encryption in the Check Point logs.&lt;/P&gt;&lt;P&gt;Looking at the remote GW object in SmartConsole, the 3 networks show up as they should and are configured the same, just with different IPs.&lt;/P&gt;&lt;P&gt;The VPN object has the setting that the VPN domain is all IPs behind the GW based on topology.&lt;/P&gt;&lt;P&gt;How do I troubleshoot this? Is it not possible to use VLANs?&lt;/P&gt;</description>
    <pubDate>Tue, 18 Jul 2023 16:35:02 GMT</pubDate>
    <dc:creator>Albin_Petersson</dc:creator>
    <dc:date>2023-07-18T16:35:02Z</dc:date>
    <item>
      <title>Site2Site-VPN not working with VLANS/additional IP-nets?</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-not-working-with-VLANS-additional-IP-nets/m-p/186731#M34353</link>
      <description>&lt;P&gt;Helloes.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Unsure what the problem is here, and I'm not that good at Check Point VPNs.&lt;/P&gt;&lt;P&gt;We have a 7000 gateway at our main site and some time ago we bought a smaller Spark 1570 gateway for a remote location. We set up an S2S-VPN between these with 1 network on the remote site, and that seems to work fine. The network is added to LAN1 directly (and the tunnel runs over WAN).&lt;/P&gt;&lt;P&gt;Now I wanted to add 2 more networks to the remote site. We installed a switch, added a trunk between the 1570 and the switch, and made VLAN interfaces on LAN2 (LAN2.1365 etc.) with 2 VLANs. One VLAN has an SVI in the switch that I can ping from the 1570; the other doesn't, but it has a camera attached that I can ping. So that part seems to be working as it should. But I cannot get traffic to use the S2S-VPN for these 2 VLAN networks.&lt;/P&gt;&lt;P&gt;If I do a traceroute from my office PC to the 1st network, I can see that it uses the tunnel, and I can also see in the CP logs that it is encrypting traffic etc.&lt;/P&gt;&lt;P&gt;If I do a traceroute to network 2 or 3, I can see that the traffic goes out on the default GW and is not tunneled. There's no encryption in the Check Point logs.&lt;/P&gt;&lt;P&gt;Looking at the remote GW object in SmartConsole, the 3 networks show up as they should and are configured the same, just with different IPs.&lt;/P&gt;&lt;P&gt;The VPN object has the setting that the VPN domain is all IPs behind the GW based on topology.&lt;/P&gt;&lt;P&gt;How do I troubleshoot this? Is it not possible to use VLANs?&lt;/P&gt;</description>
      <pubDate>Tue, 18 Jul 2023 16:35:02 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-not-working-with-VLANS-additional-IP-nets/m-p/186731#M34353</guid>
      <dc:creator>Albin_Petersson</dc:creator>
      <dc:date>2023-07-18T16:35:02Z</dc:date>
    </item>
    <item>
      <title>Re: Site2Site-VPN not working with VLANS/additional IP-nets?</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-not-working-with-VLANS-additional-IP-nets/m-p/186770#M34362</link>
      <description>&lt;P&gt;Did you change the Encryption Domain associated with the SMB device to include the new VLANs AND push policy to all relevant gateways?&lt;/P&gt;</description>
      <pubDate>Tue, 18 Jul 2023 20:56:57 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-not-working-with-VLANS-additional-IP-nets/m-p/186770#M34362</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2023-07-18T20:56:57Z</dc:date>
    </item>
    <item>
      <title>Re: Site2Site-VPN not working with VLANS/additional IP-nets?</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-not-working-with-VLANS-additional-IP-nets/m-p/186787#M34363</link>
      <description>&lt;P&gt;Well, the VPN domain is the same thing as the encryption domain, right? If it is set to use all IPs behind the SMB device, then shouldn't they update automatically?&lt;/P&gt;&lt;P&gt;I've pushed the policy to both gateways.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I tried to make a network group object now with the networks included and use that as the VPN domain instead, but there's no difference.&lt;/P&gt;</description>
      <pubDate>Wed, 19 Jul 2023 04:37:44 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-not-working-with-VLANS-additional-IP-nets/m-p/186787#M34363</guid>
      <dc:creator>Albin_Petersson</dc:creator>
      <dc:date>2023-07-19T04:37:44Z</dc:date>
    </item>
    <item>
      <title>Re: Site2Site-VPN not working with VLANS/additional IP-nets?</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-not-working-with-VLANS-additional-IP-nets/m-p/186788#M34364</link>
      <description>&lt;P&gt;Hmm, I think I figured it out now. The ideas I had on how to add these new networks to the policies were wrong. It was never a problem with the VPN tunnel per se. I used the "remote" networks in the local GW's policies, but that doesn't work, apparently.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It's a bit confusing that it didn't work, but at least now the access works, so that's all that matters.&lt;/P&gt;</description>
      <pubDate>Wed, 19 Jul 2023 04:51:17 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site2Site-VPN-not-working-with-VLANS-additional-IP-nets/m-p/186788#M34364</guid>
      <dc:creator>Albin_Petersson</dc:creator>
      <dc:date>2023-07-19T04:51:17Z</dc:date>
    </item>
  </channel>
</rss>