topic Re: VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud in General Topics

VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

SCSupport — Fri, 28 Jul 2023 10:48:41 GMT

Hello all,

Have a unique consideration that I am wondering if anyone has anything creative.

I have a situation where within one management server in Smart-1 Cloud, I have a design where there are multiple hub and spokes, and many VPN's need to route via the gateway to get to other VPNS.

Examples are:

Remote access -> GW VA -> S2S VPN to Branch A

Remote access -> GW VA -> Branch B

Remote access -> GW ID -> Branch A

etc etc.

The obvious issue is that you can only enable VPN routing option ' and to other VPN targets' on 1 community, so only 1 of the above examples works.

I believe to do this you have to use vpn_route.conf. Thats fine, but how do you do this with Smart-1 Cloud?

Any suggestions if:

a) vpn_route.conf will solve this issue

b) if yes, any tips to getting this applied?

Up for creative ideas on also how this could work apart from suggestions to use a jump box unfortunately 😞

Thanks all 😄

Re: VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

SCSupport — Fri, 28 Jul 2023 12:00:07 GMT

Adding the topology below simplified.

Spoken to TAC who have so far just suggested to add all the remote networks into the ENC domain of the RA community - which wont work on its own as we know.

Re: VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

the_rock — Fri, 28 Jul 2023 12:39:49 GMT

You can follow below:

https://community.checkpoint.com/t5/Security-Gateways/Routing-between-VPNs/td-p/90408

https://support.checkpoint.com/results/sk/sk26993

As far as modifying that file on S1C, thats no go, as ONLY .def files can be modified, as per below, so you need to get in touch with TAC to have them make desired change.

Andy

Re: VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

SCSupport — Fri, 28 Jul 2023 13:03:44 GMT

Hey,

Thanks for the response.

Would you agree that vpn_route is the way to go about this to make this work?

If so - I will chase TAC on this.

Re: VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

the_rock — Fri, 28 Jul 2023 13:04:28 GMT

Yes AND yes : - )

Andy

Re: VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

the_rock — Fri, 28 Jul 2023 13:07:22 GMT

The only other possible way to make this work without modifying that file that I can see is if you had ALL "affected" gateways in the same star community. If that were the case, then you could easily utilize vpn routing options.

Andy

Re: VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

SCSupport — Fri, 28 Jul 2023 13:14:30 GMT

I think I tried this but I didnt seem to work. Not sure why. I presume you mean in relation to my topology above, VPN A and B would be in the same Star community, both as satellites and VPN routing option obviously ticked to 'and to other VPN targets' on that community.

In theory then, you should be able to route from remote access to BOTH VPNs as they are part of the same star, right?

Re: VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

the_rock — Fri, 28 Jul 2023 13:25:48 GMT

Be free to message me offline, happy to do remote if you want. And yes, the way you described works, I had done it before. This was possible ages ago, so version you are on is totally irrelevant.

Andy

Re: VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

SCSupport — Fri, 28 Jul 2023 15:09:31 GMT

You are correct. Fully working - no issues at all!

Just typically had attempted this at midnight last time and forgotten NAT rules etc.

Perfect - great solution and the ONLY solution if you are using S1C.

Legend - have a great weekend.

Re: VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

the_rock — Fri, 28 Jul 2023 15:15:56 GMT

Legend, thats what SHE said -:)

Just kidding, no one ever said that 😂😂

Anywho, happy we could help!

Have a nice weekend mate.

Cheers,

Andy