https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232665#M44953 <P>Hello Friends,</P><P>I got situation here and Im stucked.&nbsp;</P><P>We are talking about r81.20 VSX 26k SG.&nbsp;</P><P>I can set eBGP between external router and a Vsys. Vsys can announce own routes and receive routes from external router. But how I can send to external Router a route to a subnet reachead only by vpn domain based?</P><P>How I can announce to BGP a (route) vpn domain based ?</P><P>The VPN domain based doesnt have routes on the FIB, under # route -n or #ip route show we only can see static routes.</P><P>Is there anyway to&nbsp;accomplish this?</P><P>&nbsp;</P><P> Tks a lot,</P><P>Victor C</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-11-13_18-41.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28457iC92F3A376281EC97/image-size/medium?v=v2&amp;px=400" role="button" title="2024-11-13_18-41.png" alt="2024-11-13_18-41.png" /></span></P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P><P><BR /><BR />&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 13 Nov 2024 21:43:50 GMT victor_cortez 2024-11-13T21:43:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232665#M44953 <P>Hello Friends,</P><P>I got situation here and Im stucked.&nbsp;</P><P>We are talking about r81.20 VSX 26k SG.&nbsp;</P><P>I can set eBGP between external router and a Vsys. Vsys can announce own routes and receive routes from external router. But how I can send to external Router a route to a subnet reachead only by vpn domain based?</P><P>How I can announce to BGP a (route) vpn domain based ?</P><P>The VPN domain based doesnt have routes on the FIB, under # route -n or #ip route show we only can see static routes.</P><P>Is there anyway to&nbsp;accomplish this?</P><P>&nbsp;</P><P> Tks a lot,</P><P>Victor C</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2024-11-13_18-41.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28457iC92F3A376281EC97/image-size/medium?v=v2&amp;px=400" role="button" title="2024-11-13_18-41.png" alt="2024-11-13_18-41.png" /></span></P><P>&nbsp;</P><DIV class="">&nbsp;</DIV><P>&nbsp;</P><P><BR /><BR />&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 13 Nov 2024 21:43:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232665#M44953 victor_cortez 2024-11-13T21:43:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232667#M44954 <P>You need to use RIM feature for domain based VPN. Once RIM is activated, you will get content of VPN encryption domain of remote VPN peer as <STRONG>kernel routes. </STRONG>These kernel routes can be propagated over BGP.</P> <P>More info about RIM feature can be found in <A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Route-Injection-Mechanism.htm" target="_blank" rel="noopener">R81.20 Site to Site VPN Administration Guide</A>.</P> Wed, 13 Nov 2024 22:38:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232667#M44954 JozkoMrkvicka 2024-11-13T22:38:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232674#M44958 <P>I agree 100% with&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1702">@JozkoMrkvicka</a>&nbsp;. All this would be much easier with route based tunnel, as you could just use unnumbered VTIs for BGP. But, for domain based, yes, RIM mechanism seems your best option.</P> <P>Andy</P> Thu, 14 Nov 2024 02:54:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232674#M44958 the_rock 2024-11-14T02:54:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232676#M44959 <P>Hello Josko,</P><P>Im reading about RIM and sounds like exaclty what I need. Just to confirm, RIM works fine with VSX, correct?</P><P>&nbsp;</P><P>Tks,</P><P>Victor C</P> Thu, 14 Nov 2024 03:48:18 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232676#M44959 victor_cortez 2024-11-14T03:48:18Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232677#M44960 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/48056">@victor_cortez</a>&nbsp;yes, RIM is working with VSX, no limitation seen in&nbsp;<A href="https://support.checkpoint.com/results/sk/sk79700" target="_blank">sk79700 - VSNext / VSX supported features</A></P> Thu, 14 Nov 2024 05:56:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232677#M44960 Wolfgang 2024-11-14T05:56:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232704#M44973 <P>Yes, it does, no issues there.</P> Thu, 14 Nov 2024 11:34:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232704#M44973 the_rock 2024-11-14T11:34:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232774#M44988 <P>Hello,</P><P>Im looking here and got stucked once more.<BR /><BR />situation 1 - for Vsys XYZ the vpn ipsec we are not defining the subnets in the community, all traffic should go to the tunnel. So in the "interopable device" - topology - group properties - in group - there is only the public Ip of the peer itself.&nbsp;<BR /><BR />If im not defining the subnets in the community RIM will work?<BR /><BR />1 - I understand is RIM only works as the expected if subnets are defined in the VPN Community.</P><P>2 - RIM doesnt work if customized crypt.def and user.defl files.&nbsp;</P><P>&nbsp;</P><P>What you guys think about this?</P><P>Tks,</P><P>Victor</P> Thu, 14 Nov 2024 17:30:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232774#M44988 victor_cortez 2024-11-14T17:30:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232775#M44989 <P>I believe so as well.</P> <P>1-yes</P> <P>2-correct</P> <P>Andy</P> Thu, 14 Nov 2024 17:33:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232775#M44989 the_rock 2024-11-14T17:33:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232797#M44994 <P>For 1.</P> <P>- yes, the definition of an encryption domain is necessary&nbsp;</P> <P>- you can define an encryption domain for all networks as an example with a range „0.0.0.0 - 254.254.254.254“</P> <P>For 2.</P> <P>- as&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/38213">@the_rock</a>&nbsp;Andy wrote, entries from these special files are ignored.&nbsp;<BR />- but with the newer releases you can define separate encryption domains for differente VPN communities within SmartConsole, this was the most common use case for changing user.def (I don‘t know which changes you did, but maybe that‘s it)</P> Thu, 14 Nov 2024 20:44:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Vpn-domain-based-and-eBGP-VSX/m-p/232797#M44994 Wolfgang 2024-11-14T20:44:11Z