topic Re: Help with Meshed VPN Community and Routing in Firewall and Security Management

Help with Meshed VPN Community and Routing

Chris27 — Tue, 12 Dec 2023 11:33:35 GMT

Hi,

We have two sites (site A and site B) that are linked via a meshed checkpoint community.

Site A has a Juniper site to site VPN which links to out main corporate network. From there we have dedicated links to azure and AWS.

Site A can get access to the AWS/Azure stuff fine as we have a static route pointing the traffic at the SRX.

Site B can't access anything in our AWS/Azure and keeps trying to send it via the internet as the addressing stars with 100.x.x.x

I have tried static routes on the sites B checkpoint but when viewing the logs it is not trying to take the VPN at all.

Any tips would be appreciated as this is an inherited checkpoint that we don't normally deal with.

Thanks

Re: Help with Meshed VPN Community and Routing

PhoneBoy — Fri, 15 Dec 2023 00:21:18 GMT

Version/JHF?
Is this Route-based VPN (using VTIs) or Domain?
Do you manage Site B or is it managed by a third party?

Re: Help with Meshed VPN Community and Routing

Chris27 — Fri, 15 Dec 2023 09:19:35 GMT

Version 80.40 on both.

It looks like VPN Domain/Communities?

We are managing both sites now.

Re: Help with Meshed VPN Community and Routing

JoSec — Fri, 15 Dec 2023 13:49:30 GMT

If you are utilizing a Domain Based VPN, interesting traffic will be defined in your VPN domain object applied to your Checkpoint gateway which you will have to include the IP addresses, subnets, etc,. to make sure the traffic is tunneled via the site to site VPN. You will also have to have your VPN community defined, the appropriate rule to allow the traffic and define in the same rule what VPN community to utilize.