topic Re: VSX VTI with static routes in Firewall and Security Management

VSX VTI with static routes

stallwoodj — Fri, 13 Oct 2023 16:41:03 GMT

Hi,

Are there any plans to enable static routing for VTI's in VSX?

I've created the VTI as per the manual (R81.10 manager and gateway), and got the interface in topology. However it doesn't add a route for the peer IP into the table, which means that any static routes via peer IP are unresolvable and thus rejected.

Ideally we'd have unnumbered tunnels and routing with interface next-hops, but that's still not supported either 😞

Thanks

Jamie

Re: VSX VTI with static routes

PhoneBoy — Fri, 13 Oct 2023 20:32:15 GMT

I don't believe this is unsupported...otherwise, this thread would not have happened: https://community.checkpoint.com/t5/Security-Gateways/Routing-not-working-towards-VTI/m-p/121522#M17310

I would check with the TAC: https://help.checkpoint.com

Re: VSX VTI with static routes

Chris_Atkinson — Fri, 13 Oct 2023 23:54:27 GMT

R81 introduced VTI support for VSX but only with dynamic routing to my knowledge.

"Configure Dynamic Routing VPN through Virtual Tunnel Interface (VTI) in VSX mode."

Maybe post R82 but please check it with your local SE who can raise any needed RFEs.

Re: VSX VTI with static routes

stallwoodj — Thu, 19 Oct 2023 16:25:09 GMT

As it happens it turned out when I ran the vsx_util to create the VTI, it allowed me to use the same IP for BOTH ends of the numbered tunnel, without an error being thrown up either on the tool or in the vFW network topology!

When I deleted and re-added the tunnel with the correct IP's a /32 route for the remote IP was injected into the VSX routing, with static routes to the remote IP appearing to be accepted (though I didn't confirm they actually did work).