topic Re: Site-to-Site VPN - Star VPN Routing Question in Firewall and Security Management

Site-to-Site VPN - Star VPN Routing Question

HansKazan — Sat, 13 Apr 2024 21:32:51 GMT

Hello CheckMates

I would like to request some clarification regarding the Star VPN Routing option "To center or through the center to other satellites, to Internet and other VPN targets" (3rd option). When I have the option enabled, it becomes possible for all Center Networks, even the ones not part of the Center-EncDom on the Center Gateway to reach all Satellite EncDom Networks. It will match the ACL and enter the VPN Tunnel, when to my current understanding it is not meant to. Could anyone please clarify as to why this is?

See a small summary of my configuration below, all devices are OpenServers running R81.20 with JHF 53.

Center Encryption Domain: 172.16.1.0/24

Satellite Encryption Domain: 192.168.1.0/24

Center Hosts

PC-A - 172.16.1.1 (part of Center-EncDom)

PC-C - 10.10.2.10

Satellite Host

PC-B - 192.168.1.1 (part of Satellite-EncDom)

Ping Result

PC-A -> PC-B reachable, enters VPN-Tunnel

PC-A -> PC-C reachable local site

PC-B -> PC-A reachable, enters VPN-Tunnel

PC-B -> PC-C unreachable

PC-C -> PC-A reachable local site

PC-C -> PC-B reachable, enters VPN-Tunnel (matches ACL, but does not match EncDom)

When enabling the 2nd option "To center and to other satellites through center", it works as I intend for it to work. Meaning that PC-C traffic towards PC-B no longer enters the VPN tunnel, gets accepted by the ACL rule and routed into the void. See a ghetto paint version for a topology below.

Thank you for any and all comments that would help me better understand the VPN product!

Re: Site-to-Site VPN - Star VPN Routing Question

the_rock — Sun, 14 Apr 2024 23:41:13 GMT

This is an official explanation of how those settings work.

Andy

VPN Routing Options

To center only . No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way
To center and to other satellites through center . Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.
To center, or through the center to other satellites, to internet and other VPN targets . Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

Re: Site-to-Site VPN - Star VPN Routing Question

G_W_Albrecht — Mon, 15 Apr 2024 07:12:14 GMT

Then why not stay with the second option ?

Re: Site-to-Site VPN - Star VPN Routing Question

HansKazan — Mon, 15 Apr 2024 09:16:38 GMT

Thank you for the official explanation. However, PC-C is a part of the Center GW, not defined in the Encryption Domain that is able to reach PC-B, which is a satellite host part of the Satellite Encryption Domain. When I read this original explanation my assumption was that it would be the case that all traffic sent by the satellite gateway would be encrypted, yet it is the Center gateway that initiates this connection. Hence my question.

Am I then to assume that this will then apply for both Center and Satellite connections to be forced to cross that VPN Tunnel when an ACL is matched?

Thank you for your time!

Re: Site-to-Site VPN - Star VPN Routing Question

PhoneBoy — Mon, 15 Apr 2024 15:38:31 GMT

"To center, or through the center to other satellites, to internet and other VPN targets" means route ALL traffic through Center gateways (e.g. Internet-bound traffic or traffic to other VPN gateways).
It's acting as expected.