topic Re: Route-based VPN on virtual Systems in Firewall and Security Management

Route-based VPN on virtual Systems

Antonio_M — Tue, 22 Oct 2019 18:41:49 GMT

Hi,

Can we create route-based VPNs on virtual systems? If so, he configuration should be done under the tenant VSX?

Regards.

Re: Route-based VPN on virtual Systems

PhoneBoy — Wed, 23 Oct 2019 03:51:46 GMT

Route-Based VPNs require VTIs, which are not currently supported on VSX.

Re: Route-based VPN on virtual Systems

Antonio_M — Wed, 23 Oct 2019 07:20:38 GMT

Thank you PhoneBoy!

Re: Route-based VPN on virtual Systems

Sanjay_S — Mon, 05 Oct 2020 09:49:42 GMT

Hi PhoneBoy,

Does VSX support the VTIs now? I mean can we configure the Route Based VPNs in VSX now?

In case if we need to setup a VPN between AWS or Azure in Virtual System how can we configure it?

Any suggestions? Thanks in advance.

Re: Route-based VPN on virtual Systems

Chris_Atkinson — Mon, 05 Oct 2020 13:49:25 GMT

R81 will support this for VSX when released.

Re: Route-based VPN on virtual Systems

Paul_Hagyard — Thu, 09 Jun 2022 04:17:15 GMT

sk113840 - How to configure IPsec VPN (non-VTI) tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes says:

This article describes how to create a single VPN connection between Check Point and Amazon Web Services and is intended to be used in instances where VTIs are not permitted, such as the 61000 platform or VSX.

Keep in mind that VTI is important for redundancy and flexibility with AWS hosting. As the 61000 platform and VSX do not support VTIs, a single working tunnel can be created using this method, but is not a recommended configuration. Two separate tunnels will need to be created to Amazon Web Services, and any failover between the two tunnels must be done manually.

Re: Route-based VPN on virtual Systems

Chris_Atkinson — Thu, 09 Jun 2022 06:01:08 GMT

Hi Paul,

This limitation for VSX was addressed starting R81 per sk79700.

Re: Route-based VPN on virtual Systems

Paul_Hagyard — Thu, 09 Jun 2022 07:24:20 GMT

Hi Chris,

I'm aware that it's resolved in R81, I was replying to Sanjay_S who was asking how to configure AWS VPN connectivity on older versions of VSX without support for VTIs - in case someone else had the same question.

Paul

Re: Route-based VPN on virtual Systems

Paul_Hagyard — Mon, 08 Aug 2022 02:02:35 GMT

Except that with further investigation:

The vsx_provisioning_tool command for adding a VTI does not appear to support setting the MTU which is vastly preferable to trying to configure VPN MSS clamping.
There's no mechanism for routes on VSX to use ping tracking. Which means resilient connectivity to AWS would require BGP.

All the more reason to avoid deploying VSX!

Re: Route-based VPN on virtual Systems

Chris_Atkinson — Mon, 08 Aug 2022 04:18:56 GMT

AWS recommends BGP for the VPN where available.

MSS clamping works just fine, architecturally it probably has fewer draw backs if your VS is dedicated to the VPN i.e.

Set fw_clamp_vpn_mss=1 to $FWDIR/boot/modules/fwkern.conf
Set sim_clamp_vpn_mss=1 to $PPKDIR/conf/simkern.conf (new file)
Set mss_value to 13XX for <TRANSIT_IF_NAME> in guidbedit for VS
Set MTU to 14XX on <TRANSIT_IF_NAME> for VS in SmartConsole