topic Route Based VPN in General Topics

Route Based VPN

Gaurav_Pandya — Tue, 19 Feb 2019 17:22:20 GMT

Hi,

I am trying to establish route based VPN and I have created numbered VTIs on both firewalls with help of SK113735. But traffic is going in clear text, it is not encrypting traffic.

Please let me know if any other setting, creating community etc. needs to be done.

Re: Route Based VPN

Vladimir — Tue, 19 Feb 2019 18:07:23 GMT

Gaurav,

Please review the second portion of this How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes

to see the creation of the VPN community for route-based VPNs. It should be more broadly applicable than just AWS.

Cheers,

Vladimir

Re: Route Based VPN

Gaurav_Pandya — Wed, 20 Feb 2019 10:54:34 GMT

Thanks Vladimir for the response.

I will try it to configure.

Re: Route Based VPN

Maarten_Sjouw — Wed, 20 Feb 2019 13:02:57 GMT

Gaurav,

A while back I have created a template to be filled for a set of AWS tunnels with or without cluster, with or without BGP and this looks like this, below is the actual code created by the program:

Non cluster version

Cluster version:

This template was built with Filemaker Pro all you fill is the fields on the left top all the rest is filled based on that info.

Re: Route Based VPN

Gaurav_Pandya — Thu, 21 Feb 2019 15:44:37 GMT

Hi Maarten,

Really appreciated.

Re: Route Based VPN

Gaurav_Pandya — Thu, 21 Feb 2019 15:56:53 GMT

Hi,

I have configured route based VPN but tunnel is not coming UP. fails at phase1. Just want to confirm that I have configured VTIs in correct manner.

Environment : Single GW (Not in cluster)

VTI : Local address - Public IP of My GW (External IP)

Remote address - Public IP of Remote GW (External IP)

Static Route : Next hope is Public IP of Remote GW.

Re: Route Based VPN

Maarten_Sjouw — Thu, 21 Feb 2019 18:57:25 GMT

As I said in my post have a look at the first image, in the top left you enter the 169.254 addresses you get for local and remote, the look at the first lines of the CLISH code which configures the VTI's it shows you the 169.254 addresses, not the real IP's of the hosts.

For the routing you also use the 169.254 address as the next hop.

Re: Route Based VPN

Gaurav_Pandya — Mon, 25 Feb 2019 12:21:47 GMT

Hi Maarten,

Thanks.

I have given IP address to VTI other than interface IP. We can also give private IP address as well. Now Tunnel is UP and working as expected.

I have also enabled OSPF and it is running fine.

Re: Route Based VPN

Gaurav_Pandya — Thu, 28 Feb 2019 17:08:42 GMT

Hi,

I am summarizing the steps of route based VPN configuration so it will be helpful for others.

Create empty encryption domains and assign to each gateway.
Create VTI interface in Gaia webUI. for remote peer use object name rather than IP.
Add routes for remote side encryption domain toward VTI interface. - Here you can use static or any other dynamic routing protocol like OSPF.

Enabled OSPF on VTI interface

You can follow sk113735 for point 1-3 configuration. Please note that you can use any fake IP address as Local & Remote addresses.

Fetch topology on gateway object in SmartDashboard.
Add VIPs if cluster.
Use the external interfaces in link selection.
Add rules with directional VPN: source real encryption domains (not null domain), dest same, VPN column: internal_clear to VPN Community, VPN Community to VPN Community, and VPN Community to internal_clear in each VPN rule.

Fw monitor shows little o go to VTI, and big O go to external interface, with external IP's.

Re: Route Based VPN

Dami — Tue, 16 Apr 2019 22:00:07 GMT

Thank you man for sharing... Life saver!

Re: Route Based VPN

armandxhafa — Tue, 19 Nov 2019 15:07:05 GMT

Hi Gaurav_Pandya, but if we want to add WAN redundancy links, should we do other configurations ?

Re: Route Based VPN

Di_Junior — Mon, 27 Jan 2020 20:57:39 GMT

Hi there

Are these steps also applicable if doing route based vpn with Cisco?

thanks in advance

Re: Route Based VPN

sunilspj — Thu, 04 Jun 2020 16:53:03 GMT

Hi,

I have Policy based VPN already running on Checkpoint FW.

Can I create route based VPN also in same FW ?

Can we create route based VPN in virtual FW (VS) ?

Re: Route Based VPN

Timothy_Hall — Fri, 05 Jun 2020 12:23:31 GMT

> Can I create route based VPN also in same FW ?

Yes but policy/domain-based VPN will take precedence for identifying interesting traffic. See my response here:

https://community.checkpoint.com/t5/Access-Control-Products/Site-to-Site-VPN-policy-based-and-routing-behavior/m-p/85902/highlight/true#M1916

> Can we create route based VPN in virtual FW (VS) ?

No, VSX does not support the VPN Tunnel Interfaces (VTIs) that are required for route-based VPN, see sk79700: VSX supported features on R75.40VS and above.

Re: Route Based VPN

watermanns — Sat, 06 Mar 2021 06:55:22 GMT

Hi Maarten,

thank you for sharing this good stuff. But I still don't get what the the AWS cluster IP addresses are meaning (100.100.*) and how those addresses are being used in the vpn tunnels 1 and 2 using different networks (local and remote) which is 100.100.* and 169.254.* addresses on numbered tunnel interface. I would expect a /30 network or at least the same network addresses on tunnel interfaces on prem and on AWS side. This still confuses me. Can you please explain this a bit more? Really appreciated.

Many thanks in advance!

Kind regards,

Stefan