topic Re: VPN in General Topics

VPN

michaelsharet — Thu, 19 Oct 2023 13:20:01 GMT

Hello everyone!
I need your help...

I have 3 different FW clusters on my network, on different sites, let's call them:

Cluster 1 at site 1 (holds network A)

Cluster 2 at site 2 (holds network B)

Cluster 3 at site 3 (holds network C)

while each of them is responsible for a network:

10.0.0.0/24 Network A

20.0.0.0/24 Network B

30.0.0.0/24 Network C

I point out that in each of the sites where there is a cluster, the FW also has legs for the benefit of the other networks, for users of these networks who are on these sites.

In addition to this I have several small satellite sites where there are users who will connect to any of my networks.

I created 3 VPN Community between the relevant satellite sites and the clusters in a star configuration, for the benefit of each of the networks.

That is, I have 3 VPN Communities, each of which has a different cluster that is defined as a Center and a number of small FWs that are defined as satellites.

The sites themselves have an encryption domain that contains all the networks that exist on the site.

This is my existing situation, now I will explain the problem...

When I am at a satellite site sending a ping from a computer located on network A to a computer at another satellite site on the same network (A), I expect the traffic to go through cluster 1 that holds network A, and from there to the other satellite site.

What actually happens is that when I send a ping from one satellite site on network A to another site on network A, I recognize that the traffic goes through cluster 2, for example, which serves as a center for VPN Community that is not relevant to network A.

I saw that there is an option to define in the Rule itself which VPN it will be associated with, I tried it and the situation did not change.

Is this the normal situation?
If this is not a normal situation, what do I need to change / specify in order for it to be resolved?

I would appreciate your advice

Re: VPN

PhoneBoy — Thu, 19 Oct 2023 20:35:41 GMT

Version/JHF in use?
All clusters are managed by the same management?
Not sure why you need three different VPN communities here when a single one should suffice.

Re: VPN

michaelsharet — Sun, 22 Oct 2023 06:50:05 GMT

Hi good morning,
All managed through one management in version R81.10
My clusters are version 81, and various versions of GHF.

Could you explain to me in more detail why 3 different VPNs for my case are not necessary, and why it is better to make one?

I mention again, I have 3 different networks that I want full partitioning.

Thank you very much for your response

Re: VPN

G_W_Albrecht — Sun, 22 Oct 2023 09:49:58 GMT

Because it is only more work but no better result. See https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Check-Point-VPN.htm?tocpath=Check%20Point%20VPN%7C_____0#Check_Point_VPN

Re: VPN

michaelsharet — Sun, 22 Oct 2023 11:35:11 GMT

So if I understand you correctly, I need to create one VPN C in which I have the 3 clusters in the center and all the other small remote sites in the satellites? And this way I get the same result as I have today?

And what about my question is it supposed to work like this? Every small website when looking for a certain network should not go directly to the cluster that owns that network?

What you are proposing is only an "improvement" of the situation I have today... I want to understand if it is normal and how it can be adjusted if not

Re: VPN

the_rock — Sun, 22 Oct 2023 18:20:15 GMT

This is what you need to do. Create ONE star community, with clusters as center gateways, others as satellite and adjust below.

Andy

To center only . No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way
To center and to other satellites through center . Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.
To center, or through the center to other satellites, to internet and other VPN targets . Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

Re: VPN

PhoneBoy — Mon, 23 Oct 2023 17:32:16 GMT

I believe it is your current configuration that is causing the behavior you're seeing.
It should disappear when you move to a single VPN Community (properly configured of course).

Re: VPN

G_W_Albrecht — Tue, 24 Oct 2023 07:23:36 GMT

I do not understand your questions as they are covered in referenced admin guide. Did you study the Admin guide well ? https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...