topic Re: Routing between VPNs in Firewall and Security Management

Routing between VPNs

dhueber — Thu, 02 Jul 2020 13:37:27 GMT

Dear all,

I need your advice about a VPN routing challenge we have.

As part of the different VON communities we have, we have the following 2 ones:

[Office A - Gaia 80.30] <------ S2S Meshed VPN Community ------> [Data Center - Gaia 77.30]
[Data Center - Gaia 77.30] <----- S2S Meshed VPN Community -----> [AWS Cloud]

Now we would like to allow users in the Office A to connect to instances in AWS.
Therefore we would need to route the AWS Network through the 1st community to our Data Center and then through the 2nd one to AWS.

We tried to add a IPv4 static routing in the Checkpoint of the Office A to the IP of the one in our Data Center but the traffic is not routed through the community.

I saw several post talking about editing conf file on the router or using some R80 features but there was so many variant that I'm unsure what we should do. Another solution we think about would be to merge both community in a star one.

So any advice on how to get this working is welcome 🙂

Many thanks

Re: Routing between VPNs

HeikoAnkenbrand — Thu, 02 Jul 2020 19:41:45 GMT

Hi @dhueber,

Use a star community.

For more granular control over VPN routing, edit the vpn_route.conf file in the $FWDIR/conf/ directory of the Data Center SMS:

[Office A - Gaia 80.30] <-- S2S Star VPN Community ---> [Data Center - Gaia 77.30] <--S2S Star VPN Community---> [AWS Cloud]

Consider a simple VPN routing scenario consisting of Hub and two Spokes. All machines are controlled from the same Security Management Server, and all the Security Gateways are members of the same VPN community. Only Telnet and FTP services are to be encrypted between the Spokes and routed through the Hub:

Alhough this could be done easily by configuring a VPN star community, the same goal can be achieved by editing vpn_route.conf:

Destination Next Hop router interface Install on

Spoke [Office A - Gaia 80.30] Hub [Data Center - Gaia 77.30] Spoke [AWS Cloud]
Spoke [AWS Cloud] Hub [Data Center - Gaia 77.30] Spoke [Office A - Gaia 80.30]

And enable VPN routiong to center and to other satellites through center (same on R77.30):

PS:
R77.30 is since approximately one year out of support:-)

Re: Routing between VPNs

Wolfgang — Thu, 02 Jul 2020 19:39:44 GMT

@dhueber

migrating to one community with your datacenter as Center and officeA and AWS as satellites would be the best solution.

Then you have to enable VPN routing on the community and everything should work.

In your described environment with two communities you can configure VPN routing via vpn_route.conf file.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69726
It‘s written for an SmartLSM environment but the solution is the same for you.

Have a look at the documentation Configuration in the VPN Configuration File

Wolfgang

Re: Routing between VPNs

Wolfgang — Thu, 02 Jul 2020 19:42:00 GMT

I see, @HeikoAnkenbrand sent an answer a little bit earlier then me.

😀

Re: Routing between VPNs

HeikoAnkenbrand — Thu, 02 Jul 2020 19:46:43 GMT

Hi @Wolfgang,

2 seconds faster 😀.

Best Regards
Heiko

Re: Routing between VPNs

Wolfgang — Thu, 02 Jul 2020 19:54:12 GMT

Congratulations @HeikoAnkenbrand you’re the winner today 😂
And we could help @dhueber with a solution.

Wolfgang

Re: Routing between VPNs

dhueber — Mon, 06 Jul 2020 13:04:55 GMT

Hi Heiko,

thanks for the reply and feedback. This is what we thought.
Won't be the easiest solution to recreate all our VPNs but we will have to go through this process.

Many thanks for taking time to answer

Re: Routing between VPNs

RS_Daniel — Thu, 01 Oct 2020 00:57:54 GMT

Hello Heiko/Wolgagn,

I had a similar scenario and hoped you could help with a doubt. Our scenario is the same but instead of [AWS cloud] we have a third party Gateway. So in this case i think vpn_route.conf does not apply because it is not possible to define the third party in the "install on" column of the file. I was wondering how to address this. My first option was to migrate to a star community as you described before, but i am not sure if the option "To center and to other satellites trough center" will work with the third party gateway (i think it won't). So if you have any idea to get the same goal with the third party, it would be appreciated. Thanks in advance.

Re: Routing between VPNs

Wolfgang — Thu, 01 Oct 2020 05:09:27 GMT

@RS_Daniel

vpn routing with third party gateway via star community will be possible.

Wolfgang

Re: Routing between VPNs

alysiakee — Fri, 30 Oct 2020 08:44:32 GMT

Thanks very much for that information.

Re: Routing between VPNs

nicktran — Tue, 05 Jan 2021 03:22:08 GMT

The issue is when you define the vpn_route.conf file, the install_on column must be the gateway object. I define my remote fw which is Fortinet is Interoperable Device. Below is the issue come out when I tried to install the policy.

reading vpn_route.conf: install on gw object is not a firewall (fortinetfw.fortiddns.com)

Do you know how to sort it out ?

Re: Routing between VPNs

Ara_Zohrabian — Thu, 22 Apr 2021 12:33:48 GMT

Hi, i have the same issue with vpn_route.conf. Did you find a solution?

Thanks

Re: Routing between VPNs

Ara_Zohrabian — Thu, 22 Apr 2021 12:37:19 GMT

Hi, i have the same issue with vpn_route.conf. Did you find a solution.

Thanks