Routing between VPNs


Dear all,
I need your advice about a VPN routing challenge we have.

Among the different VPN communities we have, there are the following two:
[Office A - Gaia 80.30]   <------ S2S Meshed VPN Community ------> [Data Center - Gaia 77.30]
[Data Center - Gaia 77.30]  <----- S2S Meshed VPN Community -----> [AWS Cloud]

Now we would like to allow users in Office A to connect to instances in AWS.
Therefore we would need to route the AWS network through the 1st community to our Data Center and then through the 2nd one to AWS.

We tried to add an IPv4 static route on the Check Point gateway in Office A pointing to the IP of the one in our Data Center, but the traffic is not routed through the community.

I saw several posts talking about editing a conf file on the router or using some R80 features, but there were so many variants that I'm unsure what we should do. Another solution we are thinking about would be to merge both communities into a star one.
So any advice on how to get this working is welcome 🙂

Many thanks

Accepted Solutions

Hi @dhueber,

Use a star community.

For more granular control over VPN routing, edit the vpn_route.conf file in the $FWDIR/conf/ directory of the Data Center SMS:

[Office A - Gaia 80.30] <-- S2S Star VPN Community ---> [Data Center - Gaia 77.30] <--S2S Star VPN Community---> [AWS Cloud]

Consider a simple VPN routing scenario consisting of a Hub and two Spokes. All machines are controlled from the same Security Management Server, and all the Security Gateways are members of the same VPN community. Only Telnet and FTP services are to be encrypted between the Spokes and routed through the Hub:

Although this could be done easily by configuring a VPN star community, the same goal can be achieved by editing vpn_route.conf:

Destination                      Next hop router interface          Install on
Spoke [Office A - Gaia 80.30]    Hub [Data Center - Gaia 77.30]     Spoke [AWS Cloud]
Spoke [AWS Cloud]                Hub [Data Center - Gaia 77.30]     Spoke [Office A - Gaia 80.30]

And enable VPN routing "To center and to other satellites through center" (same on R77.30):
[screenshot: star.JPG]

PS:
R77.30 has been out of support for approximately one year :-)

9 Replies


Hi Heiko, 

Thanks for the reply and feedback. This is what we thought.
It won't be the easiest solution to recreate all our VPNs, but we will have to go through this process.

Many thanks for taking time to answer


@dhueber 

Migrating to one community with your data center as Center and Office A and AWS as satellites would be the best solution.

Then you have to enable VPN routing on the community and everything should work.

In your described environment with two communities you can configure VPN routing via vpn_route.conf file.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
It's written for a SmartLSM environment, but the solution is the same for you.

Have a look at the documentation Configuration in the VPN Configuration File

Wolfgang

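Both Heiko's accepted answer and Wolfgang's reply point at vpn_route.conf for the two-community layout without showing the file for this exact scenario. The script below is an added example, not code from the thread, from Check Point, or from the Management Server: it parses a vpn_route.conf in the documented three-column layout (Destination, Next hop router interface, Install on) with the Data Center gateway as hub and Office A and AWS as spokes, then checks the entries for the mistakes that leave one direction of spoke-to-spoke traffic outside the tunnel. The object names (DC_GW, Office_A_GW, AWS_GW, Office_A_VPN_Dom, AWS_VPN_Dom), the '#' comment handling and the literal header row are assumptions. The answers place the file in $FWDIR/conf on the SMS; that a policy installation is needed afterwards is the documented behaviour, not something the thread states.

```python
"""Parser and sanity check for a Check Point vpn_route.conf in the
hub-and-spoke layout discussed in the thread.

Added example, not code from the thread, from Check Point, or from the
Management Server itself.  It assumes the documented three-column layout
(Destination, Next hop router interface, Install on), one entry per line,
whitespace-separated, with the literal header row from the admin guide
allowed; '#' comments and the object names used below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnRoute:
    destination: str  # VPN domain (network or group object) to reach
    next_hop: str     # gateway the encrypted traffic is sent to (the hub)
    install_on: str   # gateway (or group of gateways) this entry is installed on


# Constructed sample for the thread's scenario: Office A and AWS are spokes,
# the Data Center gateway is the hub.  Object names are placeholders.
SAMPLE_CONF = """\
# $FWDIR/conf/vpn_route.conf on the Management Server; install policy after editing
Destination          Next hop router interface   Install on
AWS_VPN_Dom          DC_GW                       Office_A_GW
Office_A_VPN_Dom     DC_GW                       AWS_GW
"""

HUB = "DC_GW"
SPOKE_DOMAINS = {"Office_A_GW": "Office_A_VPN_Dom", "AWS_GW": "AWS_VPN_Dom"}


def parse_vpn_route_conf(text):
    """Return the list of VpnRoute entries; reject malformed lines loudly."""
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()             # assumption: '#' comments
        if not line or line.startswith("Destination"):  # blank or header row
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(
                f"line {lineno}: expected 3 fields, got {len(fields)}: {raw!r}")
        routes.append(VpnRoute(*fields))
    return routes


def check_spoke_routes(routes, hub, spoke_domains):
    """Return a list of human-readable problems (empty means consistent).

    spoke_domains maps each spoke gateway to its own VPN domain object.
    Checks: every entry points at the hub, no gateway routes via itself or
    to its own domain, no duplicates, and every spoke has an entry for every
    other spoke's domain (without the return entry the reply traffic leaves
    the tunnel on the way back).
    """
    problems = []
    seen = set()
    for r in routes:
        if r.next_hop != hub:
            problems.append(f"{r}: next hop is not the hub {hub}")
        if r.next_hop == r.install_on:
            problems.append(f"{r}: gateway would route via itself")
        if spoke_domains.get(r.install_on) == r.destination:
            problems.append(f"{r}: destination is the installing spoke's own domain")
        key = (r.destination, r.install_on)
        if key in seen:
            problems.append(f"{r}: duplicate entry")
        seen.add(key)
    for src in spoke_domains:
        for dst, dst_dom in spoke_domains.items():
            if src != dst and (dst_dom, src) not in seen:
                problems.append(f"missing: {dst_dom} via {hub} installed on {src}")
    return problems


if __name__ == "__main__":
    routes = parse_vpn_route_conf(SAMPLE_CONF)
    report = check_spoke_routes(routes, HUB, SPOKE_DOMAINS)
    for line in report or ["vpn_route.conf is consistent"]:
        print(line)
```

Run it with python3 against a copy of the real file by replacing SAMPLE_CONF with the file contents and the two dictionaries with your own object names. Deleting the second entry (the AWS_GW return path) makes the check report exactly which entry is missing, which is the usual cause of "it works one way only" after a manual edit.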

I see, @HeikoAnkenbrand sent an answer a little bit earlier than me.

😀


Hi @Wolfgang,

2 seconds faster 😀.

Best Regards
Heiko


Congratulations @HeikoAnkenbrand you’re the winner today 😂
And we could help @dhueber with a solution.

Wolfgang


Hello Heiko/Wolfgang,

I had a similar scenario and hoped you could help with a doubt. Our scenario is the same, but instead of [AWS Cloud] we have a third-party gateway. So in this case I think vpn_route.conf does not apply, because it is not possible to define the third party in the "Install on" column of the file. I was wondering how to address this. My first option was to migrate to a star community as you described before, but I am not sure if the option "To center and to other satellites through center" will work with the third-party gateway (I think it won't). So if you have any idea to get the same goal with the third party, it would be appreciated. Thanks in advance.


@RS_Daniel 

VPN routing with a third-party gateway via a star community will be possible.

Wolfgang


Thanks very much for that information.
