https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204454#M38557 <P>Not sure I'm following you,</P><P>&nbsp;</P><P>but the empty encdom is on the target peer, as Bob Zimmerman mentions.<BR /><BR />Also Remote Access encdom can be separate to global S2S encdom.</P><P>You also have encdoms per community available to you:</P><P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/MicroContent/Resources/MicroContent/MicroContent_VPNSG/EDPC/encryption-domain-per-community.htm" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/MicroContent/Resources/MicroContent/MicroContent_VPNSG/EDPC/encryption-domain-per-community.htm</A></P> Mon, 29 Jan 2024 16:31:08 GMT Machine_Head 2024-01-29T16:31:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204444#M38552 <P>Hi guys,</P><P>we have remote location where we finish our remote access VPN. So there is an VPN community already populated and configured with IPs (hosts and networks).&nbsp;</P><P>Now we would like to configure an Route based VPN, and one of the steps to configure S2S route based VPN is to configure an Empty VPN domain and set this empty VPN domain as default choice.&nbsp;<A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/VPN-Tunnel-Interfaces.htm?tocpath=Network%20Management%7CNetwork%20Interfaces%7C_____8" target="_blank">VPN Tunnel Interfaces (checkpoint.com)</A></P><P>But I cannot set an empty VPN domain there as we are already using an domain for Remote Access VPN.</P><P>&nbsp;</P><P>What is a correct solution for our case?</P> Mon, 29 Jan 2024 14:39:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204444#M38552 adamec 2024-01-29T14:39:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204449#M38553 <P>I have not configured a route-based VPN before, but if the perquisite is an empty VPN domain, I would like to think you can accomplish that using the granular VPN domain feature in R80.40+. Once you add the gateway into the VPN community, you should have the option to edit it to a user-defined group on the gateway page.</P> Mon, 29 Jan 2024 15:19:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204449#M38553 CaseyB 2024-01-29T15:19:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204450#M38554 <P>What version are you on?</P> <P>Andy</P> Mon, 29 Jan 2024 15:23:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204450#M38554 the_rock 2024-01-29T15:23:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204451#M38555 <P>Route-based VPNs only require one end to have an empty encryption domain. Just set the peer's to an empty group.</P> Mon, 29 Jan 2024 15:42:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204451#M38555 Bob_Zimmerman 2024-01-29T15:42:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204452#M38556 <P>I would not quite agree with that statement fully. We had case with TAC for probably 2 months in 2021 and no matter what we tried and advice we were given, VPN would never work with just as an empty group on azure interoperable object and actual VPN domain group on cluster end.</P> <P>After so many hours of troubleshooting and who knows how many sessions, we ended up setting cluster enc domain to empty group as well and got all 5 tunnels working just fine, never had an issue since.</P> <P>Best,</P> <P>Andy</P> Mon, 29 Jan 2024 15:57:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204452#M38556 the_rock 2024-01-29T15:57:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204454#M38557 <P>Not sure I'm following you,</P><P>&nbsp;</P><P>but the empty encdom is on the target peer, as Bob Zimmerman mentions.<BR /><BR />Also Remote Access encdom can be separate to global S2S encdom.</P><P>You also have encdoms per community available to you:</P><P><A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/MicroContent/Resources/MicroContent/MicroContent_VPNSG/EDPC/encryption-domain-per-community.htm" target="_blank">https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/MicroContent/Resources/MicroContent/MicroContent_VPNSG/EDPC/encryption-domain-per-community.htm</A></P> Mon, 29 Jan 2024 16:31:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204454#M38557 Machine_Head 2024-01-29T16:31:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204455#M38558 <P>Not sure what to tell you. It definitely only needs one encryption domain to be empty. It worked that way when I wrote DTAC's troubleshooting guide for route-based VPNs with R60, and I have some VPNs working that way right now.</P> Mon, 29 Jan 2024 16:44:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204455#M38558 Bob_Zimmerman 2024-01-29T16:44:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204456#M38559 <P>I know, I was quite surprised myself as well. But, at the end of the day, it works, so not too worried about it : - )</P> <P>Andy</P> Mon, 29 Jan 2024 16:48:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204456#M38559 the_rock 2024-01-29T16:48:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204458#M38560 <P>Not so sure Im following either lol</P> <P>Here is my question. Are you not able to change it as per below screenshot?</P> <P>Best,</P> <P>Andy</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24289iC18834F6BDF4687D/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Mon, 29 Jan 2024 17:48:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204458#M38560 the_rock 2024-01-29T17:48:57Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204504#M38575 <P>We are on 81.10</P> Tue, 30 Jan 2024 08:49:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204504#M38575 adamec 2024-01-30T08:49:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204505#M38576 <P>Yes we did set it like on the screenshot but we haven't finished the VPN configuration yet. I will keep you updated</P> Tue, 30 Jan 2024 08:51:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204505#M38576 adamec 2024-01-30T08:51:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204544#M38578 <P>Sure thing mate.</P> <P>Best,</P> <P>Andy</P> Tue, 30 Jan 2024 13:00:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204544#M38578 the_rock 2024-01-30T13:00:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204552#M38579 <P>Okay it looks like encryption domains and communities work correctly like on the screenshot.</P><P><span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span> but somehow CheckPoint did break our network. We set route based vpn with vti of lowest possible priority as a backup route to our MPLS. checkpoint started sending traffic via newly created vti.</P><P>We are troubleshooting the issue. But your solution works. something else broke up the network</P> Tue, 30 Jan 2024 13:24:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204552#M38579 adamec 2024-01-30T13:24:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204553#M38580 <P>Well, as long as it works mate, Im happy : - )</P> <P>Best,</P> <P>Andy</P> Tue, 30 Jan 2024 13:26:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/route-based-VPN-with-remote-access-vpn/m-p/204553#M38580 the_rock 2024-01-30T13:26:02Z