<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: IPSec tunnel Setup [HUB and SPOKE Scenario] with Both spokes being non-checkpoint VPN Gateway in General Topics</title>
    <link>https://community.checkpoint.com/t5/General-Topics/IPSec-tunnel-Setup-HUB-and-SPOKE-Scenario-with-Both-spokes-being/m-p/251756#M42125</link>
    <description>&lt;P&gt;Which Admin Guide / SK made you configure two VPN communities? A Star community works as found here:&amp;nbsp;&lt;A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Check-Point-VPN.htm?TocPath=Check%20Point%20VPN%7CIPsec%20VPN%7C_____0#IPsec_VPN" target="_blank"&gt;https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Check-Point-VPN.htm?TocPath=Check%20Point%20VPN%7CIPsec%20VPN%7C_____0#IPsec_VPN&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Mon, 23 Jun 2025 09:49:37 GMT</pubDate>
    <dc:creator>G_W_Albrecht</dc:creator>
    <dc:date>2025-06-23T09:49:37Z</dc:date>
    <item>
      <title>IPSec tunnel Setup [HUB and SPOKE Scenario] with Both spokes being non-checkpoint VPN Gateway</title>
      <link>https://community.checkpoint.com/t5/General-Topics/IPSec-tunnel-Setup-HUB-and-SPOKE-Scenario-with-Both-spokes-being/m-p/251747#M42123</link>
      <description>&lt;P&gt;Hello Everyone,&lt;/P&gt;&lt;P&gt;I am attempting to establish a VPN tunnel between two satellite devices (SPOKEs—non-Check Point products) and a central Check Point Security Gateway (HUB).&lt;/P&gt;&lt;P&gt;Sample Encryption Domain for:&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;FONT face="arial black,avant garde"&gt;SPOKE A:&lt;/FONT&gt; 172.20.18.69&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;FONT face="arial black,avant garde"&gt;SPOKE B:&lt;/FONT&gt; 10.40.90.5&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial black,avant garde"&gt;Current Configuration:&lt;/FONT&gt;&lt;BR /&gt;&amp;nbsp; &amp;nbsp; 1. Created separate VPN communities for each SPOKE, with the HUB as the central gateway in both.&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; 2. Used identical encryption parameters for both VPN communities.&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; 3. The goal is to allow traffic from&amp;nbsp;SPOKE A&amp;nbsp;to pass through the HUB to&amp;nbsp;SPOKE B.&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; 4. Created a static route on the HUB for routing traffic to SPOKE B encryption domain [10.40.90.5] from SPOKE A encryption domain [172.20.18.69].&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;&lt;FONT face="arial black,avant garde"&gt;Access Control Rule:&lt;/FONT&gt;&lt;BR /&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;1. A single rule was created with each gateway’s encryption domain as both the&amp;nbsp;source&amp;nbsp;and&amp;nbsp;destination.&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;2. The&amp;nbsp;VPN Community&amp;nbsp;field in the rule references both VPN community objects (one for each SPOKE).&lt;/P&gt;&lt;P&gt;&amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;3. 
(See attached image for the rule configuration.)&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial black,avant garde"&gt;Encountered Issue:&lt;/FONT&gt;&lt;BR /&gt;Traffic from&amp;nbsp;SPOKE B&amp;nbsp;reaches the HUB, and logs confirm it is being&amp;nbsp;VPN-routed. However, the traffic&amp;nbsp;does not reach SPOKE B’s encryption domain. Both Phase 1 and Phase 2 tunnels between the HUB and each SPOKE are&amp;nbsp;up. (See attached VPN-routed traffic log for details.)&lt;/P&gt;&lt;P&gt;&lt;FONT face="arial black,avant garde"&gt;Request for Assistance:&lt;/FONT&gt;&lt;BR /&gt;Could you help identify what might be wrong with this VPN routing configuration? Alternatively, do you have any recommended resources for troubleshooting similar VPN routing scenarios? In general, what is the guideline for configuring such a HUB and SPOKE VPN routing scenario?&lt;/P&gt;&lt;P&gt;Thank&amp;nbsp;you!&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jun 2025 08:48:19 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/IPSec-tunnel-Setup-HUB-and-SPOKE-Scenario-with-Both-spokes-being/m-p/251747#M42123</guid>
      <dc:creator>SintayehuCSE</dc:creator>
      <dc:date>2025-06-23T08:48:19Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec tunnel Setup [HUB and SPOKE Scenario] with Both spokes being non-checkpoint VPN Gateway</title>
      <link>https://community.checkpoint.com/t5/General-Topics/IPSec-tunnel-Setup-HUB-and-SPOKE-Scenario-with-Both-spokes-being/m-p/251756#M42125</link>
      <description>&lt;P&gt;Which Admin Guide / SK made you configure two VPN communities? A Star community works as found here:&amp;nbsp;&lt;A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Check-Point-VPN.htm?TocPath=Check%20Point%20VPN%7CIPsec%20VPN%7C_____0#IPsec_VPN" target="_blank"&gt;https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Check-Point-VPN.htm?TocPath=Check%20Point%20VPN%7CIPsec%20VPN%7C_____0#IPsec_VPN&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jun 2025 09:49:37 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/IPSec-tunnel-Setup-HUB-and-SPOKE-Scenario-with-Both-spokes-being/m-p/251756#M42125</guid>
      <dc:creator>G_W_Albrecht</dc:creator>
      <dc:date>2025-06-23T09:49:37Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec tunnel Setup [HUB and SPOKE Scenario] with Both spokes being non-checkpoint VPN Gateway</title>
      <link>https://community.checkpoint.com/t5/General-Topics/IPSec-tunnel-Setup-HUB-and-SPOKE-Scenario-with-Both-spokes-being/m-p/251804#M42128</link>
      <description>&lt;P&gt;First of all, I thank you for your response! It is much appreciated.&lt;/P&gt;&lt;P&gt;Before attempting to configure it via the use of two separate star community objects, I have gone through the notes of the following URLs about VPN Routing:&amp;nbsp; &amp;nbsp; &amp;nbsp; 1.&amp;nbsp;&lt;A href="https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/13928" target="_blank"&gt;https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/13928&lt;/A&gt;.&amp;nbsp;&lt;/P&gt;&lt;P&gt;2.&amp;nbsp;&lt;A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-VPNRG/VPN-Routing-Remote-Access.htm#:~:text=Allow%20VPN%20clients%20to%20route,then%20between%20the%20Security%20Gateways:" target="_blank"&gt;https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-VPNRG/VPN-Routing-Remote-Access.htm#:~:text=Allow%20VPN%20clients%20to%20route,then%20between%20the%20Security%20Gateways:&lt;/A&gt;&lt;/P&gt;&lt;P&gt;3.&amp;nbsp;&lt;A href="https://community.checkpoint.com/t5/Remote-Access-VPN/VPN-Routing-Action/td-p/97007" target="_blank"&gt;https://community.checkpoint.com/t5/Remote-Access-VPN/VPN-Routing-Action/td-p/97007&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;4.&amp;nbsp;&lt;A href="https://sc1.checkpoint.com/documents/R80.20/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.20/SmartConsole_OLH/EN/xPIK8IRZF4anBq5LqvwFRQ2" target="_blank"&gt;https://sc1.checkpoint.com/documents/R80.20/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R80.20/SmartConsole_OLH/EN/xPIK8IRZF4anBq5LqvwFRQ2&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;5.&amp;nbsp;&lt;A 
href="https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/14605" target="_blank"&gt;https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/html_frameset.htm?topic=documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuide/14605&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;6.&amp;nbsp;&lt;A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Route-Injection-Mechanism.htm" target="_blank"&gt;https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Route-Injection-Mechanism.htm&lt;/A&gt;.&lt;/P&gt;&lt;P&gt;7.&amp;nbsp;&lt;A href="https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/CP_R81_SitetoSiteVPN_AdminGuide.pdf" target="_blank"&gt;https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/CP_R81_SitetoSiteVPN_AdminGuide.pdf&lt;/A&gt;&lt;/P&gt;&lt;P&gt;According to these Notes, I used only one star community object. In this community object, the central gateway [The HUB] is a checkpoint Security Gateway [Maestro Security Group instance], whereas the satellite Gateways are non-checkpoint products/VPN Gateways, and I have no information about which vendor's product they are. 
This is a Site-to-Site VPN tunnel to be established between two of our partner companies, where traffic from the host of one company must pass through our gateway to the host of the second partner.&amp;nbsp;&lt;/P&gt;&lt;P&gt;Nevertheless, the traffic from the SPOKE A host was not able to reach the host behind SPOKE B, even though it was received by the HUB and VPN routing was attempted by the Check Point Gateway HUB, as indicated in the previously shared log data.&lt;/P&gt;&lt;P&gt;After some searching through Gen AI, I decided to use two star community objects, with the same encryption parameters, between each spoke and the hub. With this config, both phases of the tunnel have come up; traffic from hosts behind Spoke A can reach the HUB and get VPN routed to SPOKE B; still, this traffic is not being seen by the SPOKE B VPN Gateway.&lt;/P&gt;&lt;P&gt;The Gen AI strictly informs that the VPN Routing scenario, where different vendors' SPOKE VPN gateways and a Check Point HUB gateway are to be used, should be configured that way.&lt;/P&gt;&lt;P&gt;Even when I configured the IPSec tunnel both ways, I got the same result. No traffic from the host residing behind either of the spokes is reaching the other. Furthermore, there is no issue with traffic from encryption domains residing behind the HUB to the VPN domains behind either of the SPOKEs. I can access a service residing on an encryption domain of SPOKE B from the VPN domain that belongs to the HUB [Check Point IPSec VPN Gateway].&lt;/P&gt;</description>
      <pubDate>Mon, 23 Jun 2025 19:29:49 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/IPSec-tunnel-Setup-HUB-and-SPOKE-Scenario-with-Both-spokes-being/m-p/251804#M42128</guid>
      <dc:creator>SintayehuCSE</dc:creator>
      <dc:date>2025-06-23T19:29:49Z</dc:date>
    </item>
    <item>
      <title>Re: IPSec tunnel Setup [HUB and SPOKE Scenario] with Both spokes being non-checkpoint VPN Gateway</title>
      <link>https://community.checkpoint.com/t5/General-Topics/IPSec-tunnel-Setup-HUB-and-SPOKE-Scenario-with-Both-spokes-being/m-p/252128#M42206</link>
      <description>&lt;P&gt;The problem has been solved. There was a URL filtering rule on the SPOKE A partner. The configuration works that way!&lt;/P&gt;</description>
      <pubDate>Fri, 27 Jun 2025 08:45:11 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/General-Topics/IPSec-tunnel-Setup-HUB-and-SPOKE-Scenario-with-Both-spokes-being/m-p/252128#M42206</guid>
      <dc:creator>SintayehuCSE</dc:creator>
      <dc:date>2025-06-27T08:45:11Z</dc:date>
    </item>
  </channel>
</rss>