This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TonyM12
Participant
‎2024-02-07 11:38 PM
Jump to solution

VPN Connectivity to S2S connected sites

Hi All,

I am a little stuck again, appreciate your help here. 

We have a CP setup in Azure. From there we have a simple setup.  one S2S connection to a 3rd party network (who have their phase to set to ANY apparently) (not Checkpoint on the other end).  That works fine. All the systems that we have connected to the CP can connect over the S2S both ways.  

What we are struggling with is that we need our users who connect to our CP over Check Point mobile vpn to be able to route to that same network over the S2S.    We tried adding it as one of the trusted networks but i think it broke the S2S connection.    Is there a way to publish the routes and allow communication ?  

Let me know if you need more info, as i may not have provided enough detail. 

 

0 Kudos
1 Solution

Accepted Solutions
TonyM12
Participant
‎2024-02-09 12:17 AM
In response to PhoneBoy
Jump to solution

I figured it out.  The 3rd party network was set to 0.0.0.0 on their side, and we have limited it.   Once we set it the same, it worked.    Appreciate your help guys. 

View solution in original post

9 Replies
Lesley
Leader Leader
Leader
‎2024-02-07 11:49 PM
Jump to solution

Route based or domain based tunnel? If it is domain based you need to add the mobile access IP range to your own encryption domain. Then the Azure side needs to do the same or it could indeed break the tunnel.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
TonyM12
Participant
‎2024-02-08 12:54 AM
In response to Lesley
Jump to solution

Hi Lesley,  

Its route based.  

What i didnt mention is that there are 2 S2S tunnels in the same community. so it acts as an active active scenario. 

Our side is checkpoint, the other side is Juniper. 

Last time i added the S2S range to our VPN route (i probably did it wrong) it broke connectivity to the S2S.  

 

0 Kudos
Gojira
Collaborator
Collaborator
‎2024-02-08 01:35 AM
In response to TonyM12
Jump to solution

quick and dirty just NAT your remote access network behind an IP that currently works for that tunnel.

The problem seems to be that the remote gateway doesn't "know" about your RA net.

0 Kudos
the_rock
Legend
Legend
‎2024-02-08 06:10 AM
In response to TonyM12
Jump to solution

I agree with @Gojira . How is this setting configured?

Andy

 

Screenshot_1.png

0 Kudos
TonyM12
Participant
‎2024-02-08 06:54 AM
In response to the_rock
Jump to solution

Hi Guys,

Its set the same as your screenshot. 

 

0 Kudos
the_rock
Legend
Legend
‎2024-02-08 07:01 AM
In response to TonyM12
Jump to solution

For the reference, here is what options do.

Andy

 

  • To center only . No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way

  • To center and to other satellites through center . Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.

  • To center, or through the center to other satellites, to internet and other VPN targets . Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-02-08 02:37 PM
Jump to solution

Have you added the 3rd party networks to the Remote Access encryption domain?

0 Kudos
TonyM12
Participant
‎2024-02-09 12:17 AM
In response to PhoneBoy
Jump to solution

I figured it out.  The 3rd party network was set to 0.0.0.0 on their side, and we have limited it.   Once we set it the same, it worked.    Appreciate your help guys. 

the_rock
Legend
Legend
‎2024-02-09 04:13 AM
In response to TonyM12
Jump to solution

Good job!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events