- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- Re: VPN Connectivity to S2S connected sites
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VPN Connectivity to S2S connected sites
Hi All,
I am a little stuck again, appreciate your help here.
We have a CP setup in Azure. From there we have a simple setup. one S2S connection to a 3rd party network (who have their phase to set to ANY apparently) (not Checkpoint on the other end). That works fine. All the systems that we have connected to the CP can connect over the S2S both ways.
What we are struggling with is that we need our users who connect to our CP over Check Point mobile vpn to be able to route to that same network over the S2S. We tried adding it as one of the trusted networks but i think it broke the S2S connection. Is there a way to publish the routes and allow communication ?
Let me know if you need more info, as i may not have provided enough detail.
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out. The 3rd party network was set to 0.0.0.0 on their side, and we have limited it. Once we set it the same, it worked. Appreciate your help guys.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Route based or domain based tunnel? If it is domain based you need to add the mobile access IP range to your own encryption domain. Then the Azure side needs to do the same or it could indeed break the tunnel.
If you like this post please give a thumbs up(kudo)! 🙂
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Lesley,
Its route based.
What i didnt mention is that there are 2 S2S tunnels in the same community. so it acts as an active active scenario.
Our side is checkpoint, the other side is Juniper.
Last time i added the S2S range to our VPN route (i probably did it wrong) it broke connectivity to the S2S.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
quick and dirty just NAT your remote access network behind an IP that currently works for that tunnel.
The problem seems to be that the remote gateway doesn't "know" about your RA net.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
Its set the same as your screenshot.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For the reference, here is what options do.
Andy
-
To center only . No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way
-
To center and to other satellites through center . Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.
-
To center, or through the center to other satellites, to internet and other VPN targets . Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you added the 3rd party networks to the Remote Access encryption domain?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figured it out. The 3rd party network was set to 0.0.0.0 on their side, and we have limited it. Once we set it the same, it worked. Appreciate your help guys.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good job!