topic Re: Route Base VPN with Cisco in Firewall and Security Management

Route Base VPN with Cisco

Exonix — Fri, 08 Sep 2023 13:45:21 GMT

Hello everyone,

please tell me if i'm on the right way. I saw some videos and tutorials, but they all are for a clustered connection.

On our side with have CP R80.40, remote side has a Cisco Router. They want Route Based VPN. What I will do:

1. create VTI in GAIA:

2. create Interoperable Device with Cisco Public IP

3. Create VPN-Community with empty encryption Domain (a VPN-community likewise for policy/domain Based VPN)

4. add static Route: remote network behind VTI

5. something else?

Thank you in advance!

Re: Route Base VPN with Cisco

the_rock — Fri, 08 Sep 2023 18:42:37 GMT

MAKE SURE remote address is one used as default gateway for static route to remote site.

Check out this post

Andy

Its cluster, but you get an idea, if you need help, we can do remote after hours

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-failover-issue/m-p/155553#M26519

Re: Route Base VPN with Cisco

RS_Daniel — Fri, 08 Sep 2023 19:21:24 GMT

Hello,

The "peer" parameter is NOT the public ip address of the peer. It is the name of the object you created on smartconsole for cisco device. So you should switch steps 1 and 2. Also the static routes should use as next hope the vti interface and not ip address as next hop. I have had some issues using IP address instead of interface.

One missing step (should be number 3 on your example) is get interfaces on your R80.40 gateway object on smartconsole, it is not possible to create a VTI interface manully, it must be fetched by a get interfaces, i would use get interfaces without topology option.

And of course you must have rules that allow the traffic. I think that is all.

Regards

Re: Route Base VPN with Cisco

the_rock — Fri, 08 Sep 2023 19:23:18 GMT

Yes, very true about the peer, totally missed that part, it is indeed a NAME of interoperable object.

Andy

Re: Route Base VPN with Cisco

Exonix — Mon, 11 Sep 2023 10:39:54 GMT

Thanks for suggestions. One more question: get Interface - with or without Topology?

If I choose with - it changes all interfaces... I'm getting more 100 changes in total.

If I choose without - it also changes all interfaces, I'm getting ~26 changes (because I have ~26 interfaces) even I don't see any in the SmartConsole. To be honest, I have no desire to change any productive interfaces... What to do?

Re: Route Base VPN with Cisco

the_rock — Mon, 11 Sep 2023 11:12:45 GMT

I never do with topology, always without...if you do with topology option, it will reset everything to default.

Andy

Re: Route Base VPN with Cisco

RS_Daniel — Mon, 11 Sep 2023 12:36:29 GMT

Hello,

I would use get interfaces without topology. I understand what you say, it happens to me every time i create a new route based vpn. I am not sure why those changes appear, but it always happened every time i created a new vti, and the configuration never changed, so you could safely publish. If you want to be sure, you can check your previous configuration with Policy Installation History feature, it will open a new smartconsole in read only mode with the policy you had before doing the fetch, and you will be able to compare the interfaces configuration.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SecurityManagement_AdminGuide/Topics-SECMG/Policy-Installation-History.htm

Regards

Re: Route Base VPN with Cisco

Exonix — Tue, 12 Sep 2023 08:55:19 GMT

Thanks RS_Daniel, thanks the_rock

The SmartView schows me the Tunnel is UP, but in the Logs I see all GRE traffic is rejected. I don't remeber any documentation tells to allow some traffic... Should I?

Re: Route Base VPN with Cisco

RS_Daniel — Mon, 11 Sep 2023 15:29:02 GMT

Hello,

Is this a GRE tunnel? XD that would have been a good piece of information at the beginning jaja. GRE is supported starting in R81. From sk92845:

Generic Routing Encapsulation (GRE) Tunnels are not supported on Gaia OS running versions lower than R81.

Starting from R81, GRE Tunnels are supported.

Note: This is relevant to CloudGuard, as well as in physical appliances.

For R81 or newer versions:

https://support.checkpoint.com/results/sk/sk169794

Regards

Re: Route Base VPN with Cisco

Exonix — Tue, 12 Sep 2023 13:11:32 GMT

hi RS_Daniel,

yes, I've just got new info this is GRE over IPsec.

Offtopic - do we always need GRE-Interface for GRE-Tunnel?

Re: Route Base VPN with Cisco

Exonix — Tue, 12 Sep 2023 13:55:09 GMT

I found an article that CP supported GRE over IPsec even in 2011. I undersand, that it is different CP, but still... Can we configure GRE over IPsec?

GRE over IPsec - Checkpoint 572

Re: Route Base VPN with Cisco

the_rock — Tue, 12 Sep 2023 14:00:17 GMT

Im prrtty sure its still supported, as per below.

Andy

https://support.checkpoint.com/results/sk/sk169794

Re: Route Base VPN with Cisco

Exonix — Wed, 13 Sep 2023 07:05:38 GMT

Hello the_rock,

I'm sorry, but your link is about GRE Tunnel, which is not supported in R80.... It was already sent by RS_Daniel

Re: Route Base VPN with Cisco

the_rock — Wed, 13 Sep 2023 11:21:03 GMT

Right, but Im fairly sure its still supported.

Andy

Re: Route Base VPN with Cisco

Exonix — Mon, 18 Sep 2023 08:09:53 GMT

Unfortunately we didn't manage to make work GRE over IPsec on the CP R80.40. We have temporarily installed another server until we upgrade CP to R81

Re: Route Base VPN with Cisco

the_rock — Mon, 18 Sep 2023 11:45:45 GMT

Faitr enough. You may as well go with R81.20, as its recommended and super stable.

Andy