issues with VPN directional match conditioin

albertcuy — Thu, 03 Jun 2021 02:40:55 GMT

Good day,

i am trying to set up a site-to-site VPN with AWS. i have already followed the instructions generated by AWS with regard to configuring the Checkpoint side. i have created the necessary VPN tunnel interfaces, interoperable devices, etc.

i have set up awsvpn VPN Community, and set our Checkpoint gateway as central gateway, and the defined interoperable device as satellite gateways.

i have set up security policy rules for the subnets in question, and have set up Directional Matching conditions as follows:

Internal_clear -> awsvpn

awsvpn -> awsvpn

awsvpn -> Internal_clear

On the AWS side, the vpn tunnel is reported to be Available.

i can see tunnel_traffic going back and forth from AWS and our Checkpoint gateway.

Despite all that, traffic coming from our onprem subnet is still being blocked despite the defined rules.

Removing the Directional Match Conditions seems to fix the blocking issue, and i can see packets being allowed through...but end result is both ends still cannot reach the other side.

Any suggestions on where i should check? Any help would be much appreciated. Thank you.

Re: issues with VPN directional match conditioin

PhoneBoy — Sat, 05 Jun 2021 03:22:59 GMT

You need to use Route-Based VPNs with an AWS endpoint.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108958
More details about what exactly you configured and how you observed the failed behavior would be helpful.

topic Re: issues with VPN directional match conditioin in General Topics

issues with VPN directional match conditioin

Re: issues with VPN directional match conditioin