https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/179006#M1523 <P>What does the routing at the branches look like, are these gateways also performing NAT?</P> Tue, 25 Apr 2023 03:38:52 GMT Chris_Atkinson 2023-04-25T03:38:52Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/178888#M1515 <P>Hello, I have one group with two 6700 gateways and learned 172.18.1.0/24 network through BGP and has full access to this network.<BR /><BR />I have few CP 1530 gateways on remote places and all of them are connected to the Maestro GW through IPsec tunnels in same star community. I want them to be able to reach 172.18.1.0/24 network, so I have defined this network in the VPN encryption domain and created "accept" policy rule. When I try to connect to the network not even log shows up and fails.</P><P>In theory, this should be really simple. What could be the issue?</P> Mon, 24 Apr 2023 07:01:57 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/178888#M1515 Gombodorj2323 2023-04-24T07:01:57Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/179000#M1522 <P>Are all these 1530s managed with the same management?<BR />Have you pushed policy to all relevant gateways?<BR />What version/JHF is Maestro running and what firmware version/build # is used on the SMB appliances?</P> Tue, 25 Apr 2023 02:19:43 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/179000#M1522 PhoneBoy 2023-04-25T02:19:43Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/179006#M1523 <P>What does the routing at the branches look like, are these gateways also performing NAT?</P> Tue, 25 Apr 2023 03:38:52 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/179006#M1523 Chris_Atkinson 2023-04-25T03:38:52Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/179007#M1524 <P>1. It is in different management</P><P>2. Yes I'm testing on exactly 2 gateways.</P><P>3. Maestro is R81.10/Take79 and SMB is running R80.30. I haven't checked the specific firmware version I will when I can.</P> Tue, 25 Apr 2023 04:47:29 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/179007#M1524 Gombodorj2323 2023-04-25T04:47:29Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/179008#M1525 <P>Branch gateways have just a simple default rule to the ISP IP address that it is connecting to. Also branches have 172.10.X.X/25 local network on the internal interface and thats where I want to connect to&nbsp;<SPAN>172.18.1.0/24 from.</SPAN></P><P><SPAN>I tried changing the VPN routing option in the community to all 3 of the option.</SPAN></P><P><SPAN>VPN domain looks like this:&nbsp;</SPAN></P><P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp;VPN domain of a branch GW = branch-local domain (172.10.X.X/25)</SPAN></P><P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp;VPN domain of the Maestro = Maestro-local domain (172.18.1.0/24)</SPAN></P><P>172.10.X.X/25 -&gt; tunnel -&gt; Maestro -&gt;&nbsp;<SPAN>172.18.1.0/24</SPAN></P> Tue, 25 Apr 2023 04:54:08 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Connecting-to-BGP-network-through-IPsec-tunnel/m-p/179008#M1525 Gombodorj2323 2023-04-25T04:54:08Z