topic Re: VPN community routing not working in Firewall and Security Management

VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 16:21:44 GMT

Hello smarter than I people!

I have a Checkpoint to Checkpoint VPN. We're using a community. The traffic gets to the Checkpoint FW VPN concentrator and is not routed across the VPN.

How do I troubleshoot this?

The encryption domain on the remote side shows the correct subnets.

I've attached images showing the community, logs showing the traffic is not encrypted, a traceroute showing the FW is sending the traffic back to the router then the router back to the FW then the FW back to the router until the end of time (or TTL expires).

I have no idea how to troubleshoot this. Help! 😞

Re: VPN community routing not working

the_rock — Wed, 30 Apr 2025 16:26:17 GMT

How is routing set in vpn community object?

Andy

Re: VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 16:35:53 GMT

Should I see VPN Community encryption domain routes here?

Re: VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 16:41:50 GMT

We've got it configured as a hub and spoke. We're not using any dynamic routing protocols so we have Route Injection Mechanism (RIM) disabled.

Re: VPN community routing not working

the_rock — Wed, 30 Apr 2025 16:40:50 GMT

You should.

Andy

Re: VPN community routing not working

the_rock — Wed, 30 Apr 2025 16:42:55 GMT

Which option applies to you here? center only?

Andy

VPN Routing Options

To center only . No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way
To center and to other satellites through center . Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.
To center, or through the center to other satellites, to internet and other VPN targets . Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

Re: VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 16:43:00 GMT

Looks like we have it configured the same as in your screen shot.

Re: VPN community routing not working

the_rock — Wed, 30 Apr 2025 16:44:03 GMT

Right, but is that correct? I ask because if there is routing supposed to happen through the tunnel, that that setting would be incorrect.

Andy

Re: VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 16:53:39 GMT

Good question and perhaps I'm not understanding your ask. If you're asking dynamic routing protocols, no. We are expecting static routes via the VPN community to handle routing.

I understand that the encryption domain itself handles encryption and routing across the tunnel. Using my original image showing 10.59.78.0/24 within the encryption domain at the remote site, I'm expecting my hub to route the traffic across the tunnel.

Here's a simple diagram of what we're trying to accomplish. The VPN community lists 10.59.78.0/24 on the spoke side. The VPN community lists 10.59.0.0/16 on the hub side.

Re: VPN community routing not working

the_rock — Wed, 30 Apr 2025 16:55:03 GMT

Ok, so option you have is fine, BUT, here is your issue, you have supernet problem. 10.59.0.0/16 definitely contains the other subnet. Make sure below options are set to FALSE in guidbedit, push policy, reset the tunnel and try again.

Andy

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

Re: VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 17:00:07 GMT

Thanks Andy! I feel like we're getting closer now!

Do I understand correctly, the more specific mask network isn't automatically used, like in traditional routing?

I'll take a look at dbedit, I've seen someone use it before to hack their way through a problem. "oh, the firewall isn't doing what I want? Let's change registry settings!" 😆

Fingers crossed! Thanks for all your help so far, I'll be back!

Re: VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 17:12:37 GMT

I found them! Two are true and one is global.

Since these are all "ike" tagged, is there any impact anywhere else within Checkpoint when I change these settings? We have no production VPNs from a checkpoint firewall so if this only affects IKE, I feel confident in changing these settings. If this could impact any other functionality, I don't feel comfortable until I understand the full impact.

The second option talks about being global and not a true or false.

Re: VPN community routing not working

the_rock — Wed, 30 Apr 2025 17:13:30 GMT

Glad we can help you. Btw, not sure how long you been around CP, but in the old days (R77 and before versions), that was big issue for supernet, specially with Cisco.

What I mean by that is say Cisco expects /28 subnet, but CP would always send largest possible, ie min /24 or larger. Thats why folks always had to go to guidbedit and change those values.

In R80 +, thats not really such a huge problem, but I would still verify.

Andy

Re: VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 17:19:43 GMT

I've been around CP for about 4 months. I'm an amateur and hence the name "isuckatthis" 😐

Re: VPN community routing not working

Lesley — Wed, 30 Apr 2025 17:19:54 GMT

The routers sends back the traffic because it is being send out unencrypted.

Routers sees: dst: 10.59.78.2 it would route this back to the fw. It should see the public IP of the remote peer.

Between the public peer IPs you should see ike 500 and ESP traffic. No RFC1918 traffic. Router should only see encrtyped traffic.

So focus on why it is not encrypted. You have checked the remote side encryption domain but also check local side 10.59.78.2 I suspect this host / network is not in local enc domain.

Re: VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 17:22:30 GMT

The source IP of the traffic behind the hub is in the hubs encryption domain object.

Re: VPN community routing not working

the_rock — Wed, 30 Apr 2025 17:25:37 GMT

I would 100% change it to false. I had people change this probably 100+ times before and I had NEVER seen an issue, even when they had multiple vpn communities. Worst thing that could happen is if tunnel did go down, you just reset it and its back up.

R82 mgmt has all those values false by default.

Andy

Re: VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 17:32:35 GMT

Bummer, no dice.

I set all three values to false, pushed policy to both firewalls, bounced the tunnel.

Same behavior. The hub does not forward across the tunnel.

Re: VPN community routing not working

the_rock — Wed, 30 Apr 2025 17:35:33 GMT

That sucks...o well. Okay, question...is tunnel showing up from vpn tu?

Andy

Re: VPN community routing not working

isuckatthis — Wed, 30 Apr 2025 17:39:17 GMT

It is, I have SAs on both FWs