topic VPN Routing Action in SASE and Remote Access

VPN Routing Action

Thin — Fri, 18 Sep 2020 11:19:44 GMT

Hello

I have a question about action in vpn log.
What is the meaning of VPN Routing in logs?
Does it mean users accessing an internal network?

Thank you

Re: VPN Routing Action

Timothy_Hall — Fri, 18 Sep 2020 12:26:52 GMT

A VPN Routing action indicates that traffic was decrypted from one VPN tunnel, then re-encrypted straight into another VPN tunnel. Usually happens between satellites in the same Star-based VPN Community if allowed in the Community settings, but can also happen between different VPN Communities as authorized by the vpn_route.conf file. Note that the per-VPN Community VPN domain feature in R80.40 can help fine tune this behavior, see here: sk164417: Traffic from one VPN community not routed to another VPN community

Re: VPN Routing Action

Andreas_Aust — Fri, 18 Sep 2020 12:31:02 GMT

Remote user come in and access an address over a S2S vpn

Re: VPN Routing Action

SintayehuCSE — Fri, 20 Jun 2025 12:46:11 GMT

Hello,

I am attempting to establish a VPN tunnel between two satellite devices (SPOKEs—non-Check Point products) and a central Check Point Security Gateway (HUB).

Sample Encryption Domain for:

SPOKE A: 172.20.18.69

SPOKE B: 10.40.90.5

Current Configuration:

Created separate VPN communities for each SPOKE, with the HUB as the central gateway in both.
Used identical encryption parameters for both VPN communities.
The goal is to allow traffic from SPOKE A to pass through the HUB to SPOKE B.
Created a static route on the HUB for routing traffic to SPOKE B encryption domain [10.40.90.5] from SPOKE A encryption domain [172.20.18.69].

Access Control Rule:

A single rule was created with each gateway’s encryption domain as both the source and destination.
The VPN Community field in the rule references both VPN community objects (one for each SPOKE).
(See attached image for the rule configuration.)

Issue Observed:

Traffic from SPOKE B reaches the HUB, and logs confirm it is being VPN-routed.
However, the traffic does not reach SPOKE B’s encryption domain.
Both Phase 1 and Phase 2 tunnels between the HUB and each SPOKE are up.
(See attached VPN-routed traffic log for details.)

Request for Assistance:

Could you help identify what might be wrong with this VPN routing configuration? Alternatively, do you have any recommended resources for troubleshooting similar VPN routing scenarios?

Should I set the VPN Routing option for both VPN communities:- "to Center and to other satellites through center" or "To Center only"

Thank you!