Sandra_Suarez
Participant

VPN routing

Hi,

***********************
ENVIRONMENT

VPN COMMUNITY TYPE: Star
CENTER GW: CheckPoint R80.10 (appliances 5900) (manage our customer)
SATELLITE GW: Cisco (manage external 1)
SATELLITE GW: Fortinet (manage external 2)
SATELLITE GW: Cisco ASA (manage external 3)
SATELLITE GW: Checkpoint (manage external 4)

**************************
TRAFFIC FLOW

The SATELLITE GWs of external 2, 3 and 4 need to contact SATELLITE GW external 1; the traffic must always pass through the CENTER GW.

*************************
CONFIGURATION

Each SATELLITE (2, 3, 4) arrives at the CENTER GW with the following IP address:
customer 2 --> 10.10.10.10
customer 3 --> 10.10.10.15
customer 4 --> 10.10.10.20
They try to connect to 172.25.107.193 (host behind SATELLITE GW: Cisco (manage external 1)).

When
host 10.10.10.10 (SATELLITE GW: Fortinet, manage external 2) AND host 10.10.10.20 (SATELLITE GW: Checkpoint, manage external 4) open a telnet connection to 172.25.107.193 (SATELLITE GW: Cisco, manage external 1), EVERYTHING WORKS FINE.

When
host 10.10.10.15 (SATELLITE GW: Cisco ASA, manage external 3) opens a telnet connection to 172.25.107.193 (SATELLITE GW: Cisco, manage external 1), the connection DOES NOT OPEN.

******************************
LOGS
1. When the traffic works fine between satellites, the traffic log shows action VPN Routing.
2. When the traffic does not work, the traffic log shows action Decrypt (it never shows VPN Routing).

*******************
QUESTION

1. How can we check via the CLI the routes created by VPN Routing for a Star Community?
2. Could you explain to us what the order is in VPN routing:
First decrypt
Second NAT
Third encrypt
3. Do you know what other troubleshooting we could run?

3 Replies
PhoneBoy
Admin

A lot of the troubleshooting for site-to-site VPN is here: Debugging Site-to-Site VPN 

HeikoAnkenbrand
Champion

Your QUESTIONs:

>>> 1. How can we check via the CLI the routes created by VPN Routing for a Star Community?

You can find policy-based VPN routes in the following table: "fw tab -f -t vpn_routing -u", or use the one-liner from my article:

Show VPN Routing on CLI 

>>> 2. Could you explain to us what the order is in VPN routing?

Here you can find a flowchart of how VPN decryption and encryption is implemented:

R80.x Security Gateway Architecture (Logical Packet Flow) 


>>> 3. Do you know how other troubleshooting could we run?

See the answer from https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc > Debugging Site-to-Site VPN

 

Regards

Heiko

➜ CCSM Elite, CCME, CCTE
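Added example (not code from the thread, from Check Point or from the linked articles): a small model of the decision the centre gateway makes for a packet it has just decrypted from one satellite tunnel, in the order the original poster asks about (decrypt, then NAT, then the route lookup that leads to re-encryption). It reproduces the two log actions from the post, "Decrypt" and "VPN Routing", and builds the satellite-to-satellite route list that the real gateway's vpn_routing table holds. The host addresses are the ones in the post; the gateway labels, prefix lengths, the centre's own encryption domain 192.0.2.0/24, the static NAT map and the processing order itself are assumptions of this model, so check the order against the packet-flow diagram linked in the reply above.

```python
from ipaddress import ip_address, ip_network

# Centre's own encryption domain (assumed; the post does not give it).
CENTER_DOMAIN = [ip_network("192.0.2.0/24")]

# Satellite label -> encryption domain as seen by the centre. The host
# addresses are the ones in the post; prefix lengths and labels are assumed.
SATELLITES = {
    "external1_cisco":      [ip_network("172.25.107.0/24")],
    "external2_fortinet":   [ip_network("10.10.10.10/32")],
    "external3_cisco_asa":  [ip_network("10.10.10.15/32")],
    "external4_checkpoint": [ip_network("10.10.10.20/32")],
}


def peer_for(addr, domains=SATELLITES):
    """Name of the satellite whose encryption domain contains addr, else None."""
    ip = ip_address(addr)
    for name, nets in domains.items():
        if any(ip in net for net in nets):
            return name
    return None


def vpn_routes(satellites=SATELLITES):
    """Satellite-to-satellite routes the centre needs: for every satellite, the
    other satellites' domains with the tunnel they are reached through.
    Returns {satellite: [(destination_network, next_hop_satellite), ...]}."""
    return {
        src: [(net, dst) for dst, nets in satellites.items() if dst != src for net in nets]
        for src in satellites
    }


def classify(peer, src, dst, dst_nat=None, to_other_satellites=True,
             satellites=SATELLITES, center_domain=CENTER_DOMAIN):
    """Centre's action for a packet just decrypted from tunnel `peer`.

    Modelled order (assumed, as the poster describes it):
      1. decrypt and check the inner source against the peer's domain
      2. apply NAT (static destination NAT only, given as {orig: translated})
      3. look up the (translated) destination: another satellite's domain
         means re-encrypt ("vpn routing"); otherwise deliver in the clear

    Returns (action, next_hop):
      ("drop", None)           inner source outside the peer's domain
      ("vpn routing", name)    re-encrypted towards satellite `name`
      ("decrypt", "center")    delivered into the centre's own domain
      ("decrypt", None)        no encryption domain matches; forwarded in the
                               clear by the ordinary routing table
    """
    if peer_for(src, satellites) != peer:
        return ("drop", None)
    if dst_nat and dst in dst_nat:          # NAT happens before the route lookup
        dst = dst_nat[dst]
    out = peer_for(dst, satellites)
    if out is not None and out != peer and to_other_satellites:
        return ("vpn routing", out)
    if any(ip_address(dst) in net for net in center_domain):
        return ("decrypt", "center")
    return ("decrypt", None)


if __name__ == "__main__":
    # The three flows from the post, all towards the host behind external 1.
    flows = [
        ("external2_fortinet",   "10.10.10.10", "172.25.107.193"),
        ("external3_cisco_asa",  "10.10.10.15", "172.25.107.193"),
        ("external4_checkpoint", "10.10.10.20", "172.25.107.193"),
    ]
    for peer, src, dst in flows:
        print(f"{peer:22} {src:>12} -> {dst:<16} {classify(peer, src, dst)}")
    for sat, routes in vpn_routes().items():
        print(sat, [(str(net), via) for net, via in routes])
```

In this model all three flows from the post come out as "vpn routing" towards external1_cisco as long as both endpoints sit inside their satellites' encryption domains and satellite-to-satellite routing is on; a plain "decrypt" with no "vpn routing" is what the model produces when the route lookup after decryption matches no other satellite's domain or that routing is off. The thread does not establish that this is the cause in the poster's setup; on the real gateway the table to compare against is the one the reply names, `fw tab -t vpn_routing -u`.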
AnujPratap
Participant

Hi HeiKo,

Would you please help me to understand: is routing required for the remote-end network in an IPsec VPN?

