TonyM12
Participant

VPN Connectivity to S2S connected sites

Hi All,

I am a little stuck again, appreciate your help here. 

We have a CP setup in Azure. From there we have a simple setup. One S2S connection to a 3rd party network (who have their phase to set to ANY apparently) (not Check Point on the other end). That works fine. All the systems that we have connected to the CP can connect over the S2S both ways.

What we are struggling with is that we need our users who connect to our CP over Check Point mobile VPN to be able to route to that same network over the S2S. We tried adding it as one of the trusted networks but I think it broke the S2S connection. Is there a way to publish the routes and allow communication?

Let me know if you need more info, as I may not have provided enough detail.

 

0 Kudos
1 Solution

Accepted Solutions
TonyM12
Participant

I figured it out. The 3rd party network was set to 0.0.0.0 on their side, and we have limited it. Once we set it the same, it worked. Appreciate your help guys.


9 Replies
Lesley
Advisor

Route based or domain based tunnel? If it is domain based you need to add the mobile access IP range to your own encryption domain. Then the Azure side needs to do the same or it could indeed break the tunnel.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
TonyM12
Participant

Hi Lesley,

It's route based.

What I didn't mention is that there are 2 S2S tunnels in the same community, so it acts as an active-active scenario.

Our side is Check Point, the other side is Juniper.

Last time I added the S2S range to our VPN route (I probably did it wrong) it broke connectivity to the S2S.

 

0 Kudos
Gojira
Collaborator

Quick and dirty: just NAT your remote access network behind an IP that currently works for that tunnel.

The problem seems to be that the remote gateway doesn't "know" about your RA net.

0 Kudos
the_rock
Legend

I agree with @Gojira. How is this setting configured?

Andy

 

Screenshot_1.png

0 Kudos
TonyM12
Participant

Hi Guys,

It's set the same as your screenshot.

 

0 Kudos
the_rock
Legend

For reference, here is what the options do.

Andy

 

  • To center only. No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way.

  • To center and to other satellites through center. Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.

  • To center, or through the center to other satellites, to internet and other VPN targets. Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

0 Kudos
PhoneBoy
Admin

Have you added the 3rd party networks to the Remote Access encryption domain?

0 Kudos
TonyM12
Participant

I figured it out. The 3rd party network was set to 0.0.0.0 on their side, and we have limited it. Once we set it the same, it worked. Appreciate your help guys.

the_rock
Legend

Good job!

0 Kudos
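The selector situation this thread ends on, as an added example that is not part of the original posts: a small Python check that compares the tunnel selectors configured on each side and tests whether a remote-access client, or the hide-NAT address suggested above, falls inside them. It assumes each side's selectors can be written down as CIDR pairs; every address and name below is constructed for illustration.

```python
import ipaddress

# Constructed sample values; none of these addresses come from the thread.
OURS_LIMITED = [("10.10.0.0/16", "192.168.50.0/24")]  # (our side, peer side)
OURS_WIDE = [("0.0.0.0/0", "0.0.0.0/0")]              # after matching the peer
PEER_VIEW = [("0.0.0.0/0", "0.0.0.0/0")]              # (peer side, our side)
RA_CLIENT = "172.16.10.5"        # hypothetical remote-access pool address
SERVER = "10.10.1.20"            # host that already reaches the peer
HIDE_NAT_IP = "10.10.0.254"      # address the RA pool could be hidden behind
THIRD_PARTY_HOST = "192.168.50.10"


def parse(selectors):
    """Turn (cidr, cidr) string pairs into a set of network-object pairs."""
    return {(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in selectors}


def flow_covered(src, dst, selectors):
    """True if src -> dst falls inside at least one (local, remote) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in local and d in remote for local, remote in parse(selectors))


def selector_diff(ours, peer_view):
    """List selector pairs configured on one side only, from our point of view."""
    mine = parse(ours)
    theirs = {(b, a) for a, b in parse(peer_view)}  # mirror the peer's pairs
    show = lambda pairs: sorted(f"{a} <-> {b}" for a, b in pairs)
    return {"only_ours": show(mine - theirs), "only_peer": show(theirs - mine)}


if __name__ == "__main__":
    for label, src, sel in [
        ("server, limited selectors", SERVER, OURS_LIMITED),
        ("RA client, limited selectors", RA_CLIENT, OURS_LIMITED),
        ("RA client behind hide NAT", HIDE_NAT_IP, OURS_LIMITED),
        ("RA client, matched selectors", RA_CLIENT, OURS_WIDE),
    ]:
        print(f"{label}: covered={flow_covered(src, THIRD_PARTY_HOST, sel)}")
    print("limited vs peer:", selector_diff(OURS_LIMITED, PEER_VIEW))
    print("matched vs peer:", selector_diff(OURS_WIDE, PEER_VIEW))
```
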
