Solved: Re: VPN Connectivity to S2S connected sites

TonyM12 · ‎2024-02-07

Hi All,

I am a little stuck again, appreciate your help here.

We have a CP setup in Azure. From there we have a simple setup. one S2S connection to a 3rd party network (who have their phase to set to ANY apparently) (not Checkpoint on the other end). That works fine. All the systems that we have connected to the CP can connect over the S2S both ways.

What we are struggling with is that we need our users who connect to our CP over Check Point mobile vpn to be able to route to that same network over the S2S. We tried adding it as one of the trusted networks but i think it broke the S2S connection. Is there a way to publish the routes and allow communication ?

Let me know if you need more info, as i may not have provided enough detail.

TonyM12 · ‎2024-02-09

I figured it out. The 3rd party network was set to 0.0.0.0 on their side, and we have limited it. Once we set it the same, it worked. Appreciate your help guys.

View solution in original post

Lesley · ‎2024-02-07

Route based or domain based tunnel? If it is domain based you need to add the mobile access IP range to your own encryption domain. Then the Azure side needs to do the same or it could indeed break the tunnel.

-------
Please press "Accept as Solution" if my post solved it 🙂

TonyM12 · ‎2024-02-08

Hi Lesley,

Its route based.

What i didnt mention is that there are 2 S2S tunnels in the same community. so it acts as an active active scenario.

Our side is checkpoint, the other side is Juniper.

Last time i added the S2S range to our VPN route (i probably did it wrong) it broke connectivity to the S2S.

Machine_Head · ‎2024-02-08

quick and dirty just NAT your remote access network behind an IP that currently works for that tunnel.

The problem seems to be that the remote gateway doesn't "know" about your RA net.

the_rock · ‎2024-02-08

I agree with @Machine_Head . How is this setting configured?

Andy

Best,
Andy
"Have a great day and if its not, change it"

TonyM12 · ‎2024-02-08

Hi Guys,

Its set the same as your screenshot.

the_rock · ‎2024-02-08

For the reference, here is what options do.

Andy

To center only . No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way
To center and to other satellites through center . Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.
To center, or through the center to other satellites, to internet and other VPN targets . Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

Best,
Andy
"Have a great day and if its not, change it"

PhoneBoy · ‎2024-02-08

Have you added the 3rd party networks to the Remote Access encryption domain?

TonyM12 · ‎2024-02-09

I figured it out. The 3rd party network was set to 0.0.0.0 on their side, and we have limited it. Once we set it the same, it worked. Appreciate your help guys.

the_rock · ‎2024-02-09

Good job!

Best,
Andy
"Have a great day and if its not, change it"

Are you a member of CheckMates?

VPN Connectivity to S2S connected sites