topic Re: Routing on VPN in Spark Firewall (SMB)

Routing on VPN

Gaetano_Nicosia — Wed, 25 Aug 2021 15:44:32 GMT

Good Morning,

I need to connect via site-to-site VPN from site A where the CP 730 appliance firewall is installed to site B where a Sophos firewall is installed that I do not manage.

The site-to-site VPN works correctly and is active.

The Requests from clients of site A that may belong to different VLANs (see the table) must be routed to site B.

SITE A (CHECK POINT 730) TO SITE B (SOPHOS)	Destination IP Subnet
Source IP Subnet
192.168.1.0/24 (Site A)	172.20.43.0/24 (Site B)
192.168.10.0/24 (Site A)	172.20.43.0/24 (Site B)
192.168.201.0/24 (Site A)	172.20.43.0/24 (Site B)

Unfortunately I can't route them correctly.

I used Tracert and it seems that they are routed through the Internet instead of through VPN.

Can you help me to solve the problem?

Thanks and Best Regards

Gaetano

Re: Routing on VPN

KennyManrique — Wed, 25 Aug 2021 20:04:53 GMT

Hi Gaetano,

I assume you're using Domain based VPN. Could you share with us both encryption domain objects?

Re: Routing on VPN

PhoneBoy — Wed, 25 Aug 2021 20:55:42 GMT

It’s a 730, which is managed locally.
And the message should have been posted in the SMB space,
But yes, let’s see precisely how you’ve configured the VPN, specifically the remote Encryption Domain.

Re: Routing on VPN

Gaetano_Nicosia — Thu, 26 Aug 2021 05:38:36 GMT

Thank You for reply.

I opened the Firewall GUI and edited the VPN. Please see the picture for the vpn configuration

In the Advanced tab I don't find the encryption domain, but only in the TAB Remote site.

In Remote Site Encryption domain I have these methods:

Define Remote network topology manually
Route all traffic through this site
Encrypt according to routing table
Hydden behind external IP of the remote gateway

Is the point 1) the correct configuration?

Also this is the configuration in the Advanced TAB

And this is the configuration in the TAB Encryption

I look forward to your welcome reply.

Gaetano

Re: Routing on VPN

PhoneBoy — Thu, 26 Aug 2021 16:09:24 GMT

It was in the first screenshot at the bottom.
Now let's double check the local encryption domain.
Hopefully it looks something like:

There should also be a rule in Access Policy > Firewall > Policy > Incoming, Internal and VPN traffic permitting the relevant traffic, possibly with the option "Match only for encrypted traffic" enabled.

Re: Routing on VPN

Gaetano_Nicosia — Sat, 28 Aug 2021 05:58:07 GMT

Hello,

Thank You for reply.

I have solved setting "Define local network topology manually" and adding the requested subnet.

After I have create the proper rules in "Access Policy > Firewall > Policy > Incoming, Internal and VPN traffic".

Please can you explain me what is the purpose of the option "Match only for encrypted traffic"?

Thank You and Best regards.

Gaetano

Re: Routing on VPN

PhoneBoy — Sat, 28 Aug 2021 08:35:09 GMT

That option means the rule would apply only if the traffic went over a VPN connection.

Re: Routing on VPN

Gaetano_Nicosia — Sat, 28 Aug 2021 14:26:53 GMT

Thank You