
VPN routing

Hi,

***********************
ENVIRONMENT

VPN COMMUNITY TYPE: Star
CENTER GW: CheckPoint R80.10 (appliances 5900) (manage our customer)
SATELLITE GW: Cisco (manage external 1)
SATELLITE GW: Fortinet (manage external 2)
SATELLITE GW: Cisco ASA (manage external 3)
SATELLITE GW: Checkpoint (manage external 4)

**************************
TRAFFIC FLOW

The SATELLITE GWs from external 2, 3 and 4 need to contact SATELLITE GW external 1; the traffic must always pass through the CENTER GW.

*************************
CONFIGURATION

Each SATELLITE (2, 3, 4) arrives at the CENTER GW with the following IP address:
customer 2 --> 10.10.10.10
customer 3 --> 10.10.10.15
customer 4 --> 10.10.10.20
They try to connect to 172.25.107.193 (host behind SATELLITE GW: Cisco (manage external 1))

When
Host 10.10.10.10-SATELLITE GW: Fortinet (manage external 2) AND host 10.10.10.20-SATELLITE GW: Checkpoint (manage external 4) make the telnet connection to 172.25.107.193-SATELLITE GW: Cisco (manage external 1), EVERYTHING WORKS FINE

When
Host 10.10.10.15-SATELLITE GW: Cisco (manage external 3) makes the telnet connection to 172.25.107.193-SATELLITE GW: Cisco (manage external 1), it DOES NOT OPEN

******************************
LOGS
1. When the traffic works fine between satellites, the traffic log shows action VPN Routing
2. When the traffic does not work, the traffic log shows action DECRYPT (it never shows VPN Routing)

*******************
QUESTION

1. How can we check via CLI the routes created by VPN Routing from the Star Community?
2. Could you explain to us what the order is in VPN routing?
First decrypt
Second NAT
Third encrypt
3. Do you know what other troubleshooting we could run?

2 Replies

Re: VPN routing

A lot of the troubleshooting for site-to-site VPN is here: Debugging Site-to-Site VPN 

Re: VPN routing

Your QUESTIONs:

>>> 1. How can we check via CLI the routes created by VPN Routing from the Star Community?

You can find policy-based VPN routes in the following table, "fw tab -f -t vpn_routing -u", or use the one-liner from my article:

Show VPN Routing on CLI 

>>> 2. Could you explain to us what the order is in VPN routing?

Here you can find a flowchart of how VPN decryption and encryption is implemented:

R80.x Security Gateway Architecture (Logical Packet Flow) 


>>> 3. Do you know what other troubleshooting we could run?

See the answer from https://community.checkpoint.com/people/dwelccfe6e688-522c-305c-adaa-194bd7a7becc > Debugging Site-to-Site VPN

Regards

Heiko
