topic Re: Site to Site VPN(Route Based) between two clusters in General Topics

Site to Site VPN(Route Based) between two clusters

speedbot33 — Wed, 04 Sep 2024 22:10:04 GMT

Hello,

Currently trying to bring up a route based S2S VPN between my two sites which each has 2 GW in ClusterXL each and if it's possible your help on confirming this design.

This is based on this reference, but it kinda threw me off:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_AdminGuide/Content/Topics-GAG/VPN-Tunnel-Interfaces.htm

Also, I'm planning to use static routes, not dynamic routing. So, what's the next hop supposed to be?

I've attached a HLD for a better view of I think I'm supposed to configure.

PS: I've already configured VPN Community and a VPN Domain with an Empty Group as required.

Thanks!

Re: Site to Site VPN(Route Based) between two clusters

the_rock — Thu, 05 Sep 2024 00:27:35 GMT

So what exactly is failing? Do you see phase 1 and 2 completing?

Andy

Re: Site to Site VPN(Route Based) between two clusters

speedbot33 — Thu, 05 Sep 2024 01:32:06 GMT

Nothing is failing since I haven't completed the config. My question is specifically regarding the VTIs when GWs are clustered. Please see the attached HLD.

ClusterA ClusterB

Gw1>>>>>>>>>>Gw1

Gw2>>>>>>>>>>Gw2

Re: Site to Site VPN(Route Based) between two clusters

the_rock — Thu, 05 Sep 2024 01:34:30 GMT

Ok, got it. Check out my post below about how this should be configured, though its with Azuire, its similar.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTTjlYV1FXMUlGQVNMfDIwNjE3OXxTVUJTQ1JJUFRJT05TfGhL#M38950

If still not clear, let me know.

Re: Site to Site VPN(Route Based) between two clusters

speedbot33 — Thu, 05 Sep 2024 14:48:00 GMT

Tnks! The way I see it based on the data you provided:

-Use STAR community instead of Mesh(what I have configured, I figured since they're two clusters P2P ) - What about the whole Center/Hub - spoke thing in STAR? Will that have any impact?
-Use unnumbered VTIs
-Static routes pointing towards external intf.

Re: Site to Site VPN(Route Based) between two clusters

the_rock — Thu, 05 Sep 2024 15:16:09 GMT

1) Thats right, star is fine, no it should not have any impact

2) You can use unnumbered VTIs, though I found thats probably more must if you use BGP, but even if you dont, its fine, just dont "freak out" when you see vti pop up with SAME ip as external, thats totally fine and expected, as it would "piggy off" that interface

3) Yes, BUT, make sure when you create a route it points to REMOTE subnet and dg is actual VTI

I mentioned all this in post I made I referenced to.

Andy

Re: Site to Site VPN(Route Based) between two clusters

speedbot33 — Thu, 05 Sep 2024 15:40:39 GMT

Got it! And about which one should be center and satellite? What's the best practice?, no SK mentions that!

Also, tunnel management and VPN routing?

I keep thinking that having two clusters on each site it is somewhat different than with a 'cloud based' peer lol!

Based on your worddoc, you placed AZURE as satellite, but in my case, again two clusters managed by the same SMS.

Re: Site to Site VPN(Route Based) between two clusters

the_rock — Thu, 05 Sep 2024 16:01:19 GMT

I guess in your case it should not matter, honestly...either one can be centre. VPN routing? Well, are you doing any?

Below is description of those options.

Andy

To center only . No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way
To center and to other satellites through center . Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.
To center, or through the center to other satellites, to internet and other VPN targets . Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

Re: Site to Site VPN(Route Based) between two clusters

the_rock — Thu, 05 Sep 2024 16:22:06 GMT

@speedbot33 Ping me any time privately if you need help, I respond to all messages.

Andy

Re: Site to Site VPN(Route Based) between two clusters

speedbot33 — Thu, 05 Sep 2024 16:25:34 GMT

Thanks a lot Andy! I will take you up on that! let me give it a go with what I've gathered so far and let you know.

Re: Site to Site VPN(Route Based) between two clusters

the_rock — Thu, 05 Sep 2024 16:29:25 GMT

Any time. I had someone else message about it few months back and I told guy what to do and worked right away. He was very grateful, as he told me he's been trying to get it work for 6 months, even had TAC case about it, but nothing happened. But, I get the situation...its never easy to fix anything complicated like that unless you have working lab, otherwise, you just keep guessing and thats no way to really fix things lol

Andy

Re: Site to Site VPN(Route Based) between two clusters

speedbot33 — Thu, 05 Sep 2024 16:35:36 GMT

I've tried several times to boot up an virtual GW in EVENG but to no avail.

Btw - I appreciate giving me the heads up on vti placing the external IP - After I pulled interfaces WITHOUT topology - boom. This my first foray into Unnumbered interfaces with CP.

Re: Site to Site VPN(Route Based) between two clusters

the_rock — Thu, 05 Sep 2024 16:37:15 GMT

Try different NIC types, I always choose vmxnet, no issues.

Andy