SintayehuCSE
Explorer

IPsec tunnel setup [HUB and SPOKE scenario] with both spokes being non-Check Point VPN gateways

Hello Everyone,

I am attempting to establish a VPN tunnel between two satellite devices (SPOKEs—non-Check Point products) and a central Check Point Security Gateway (HUB).

Sample Encryption Domain for:

    SPOKE A: 172.20.18.69
    SPOKE B: 10.40.90.5

Current Configuration:
    1. Created separate VPN communities for each SPOKE, with the HUB as the central gateway in both.
    2. Used identical encryption parameters for both VPN communities.
    3. The goal is to allow traffic from SPOKE A to pass through the HUB to SPOKE B.
    4. Created a static route on the HUB for routing traffic to the SPOKE B encryption domain [10.40.90.5] from the SPOKE A encryption domain [172.20.18.69].

Access Control Rule:
    1. A single rule was created with each gateway’s encryption domain as both the source and destination.
    2. The VPN Community field in the rule references both VPN community objects (one for each SPOKE).
    3. (See attached image for the rule configuration.)

Encountered Issue:
Traffic from SPOKE B reaches the HUB, and logs confirm it is being VPN-routed. However, the traffic does not reach SPOKE B’s encryption domain. Both Phase 1 and Phase 2 tunnels between the HUB and each SPOKE are up. (See attached VPN-routed traffic log for details.)

Request for Assistance:
Could you help identify what might be wrong with this VPN routing configuration? Alternatively, do you have any recommended resources for troubleshooting similar VPN routing scenarios? In general, what is the guideline for configuring such a HUB and SPOKE VPN routing scenario?

Thank you!

0 Kudos

3 Replies
G_W_Albrecht
Legend

Which Admin Guide / SK made you configure two VPN communities? A Star community works as found here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
SintayehuCSE
Explorer

First of all, I thank you for your response! It is much appreciated.

Before attempting to configure it via two separate Star community objects, I had gone through the notes at the following URLs about VPN Routing:

1. https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_SitetoSiteVPN_AdminGuide/htm...

2. https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RemoteAccessVPN_AdminGuide/Topics-...

3. https://community.checkpoint.com/t5/Remote-Access-VPN/VPN-Routing-Action/td-p/97007.

4. https://sc1.checkpoint.com/documents/R80.20/SmartConsole_OLH/EN/html_frameset.htm?topic=documents/R8....

5. https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuid....

6. https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP....

7. https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/CP_R81_Si...

According to these notes, I used only one Star community object. In this community object, the central gateway [the HUB] is a Check Point Security Gateway [Maestro Security Group instance], whereas the satellite gateways are non-Check Point products/VPN gateways, and I have no information about which vendor's products they are. This is a site-to-site VPN tunnel to be established between two of our partner companies, where traffic from a host of one company must pass through our gateway to a host of the second partner.

Nevertheless, the traffic from the SPOKE A host was not able to reach the host behind SPOKE B, even though it was received by the HUB and a VPN route was attempted by the Check Point HUB gateway, as indicated in the previously shared log data.

After some searching with Gen AI, I decided to use two Star community objects, with the same encryption parameters, one between each spoke and the hub. With this config, both phases of the tunnel have come up; traffic from hosts behind SPOKE A can reach the HUB and gets VPN-routed to SPOKE B; still, this traffic is not being seen by the SPOKE B VPN gateway.

The Gen AI strictly states that a VPN Routing scenario in which different vendors' SPOKE VPN gateways and a Check Point HUB gateway are used should be configured that way.

Even when I configure the IPsec tunnel both ways, I get the same result. No traffic from a host residing behind either of the spokes reaches the other. Furthermore, there is no issue with traffic from encryption domains behind the HUB to the VPN domains behind either of the SPOKEs. I can access a service residing in an encryption domain of SPOKE B from the VPN domain that belongs to the HUB [Check Point IPsec VPN Gateway].

0 Kudos
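An added illustration (my own constructed model, not Check Point code and not the poster's configuration) of the three hub-side decisions the original post and the reply above describe: which community a packet arrived from, which community holds its destination, and whether an access rule whose VPN column covers both legs accepts it. The SPOKE A / SPOKE B addresses are the ones from the original post; the hub's own domain 192.168.100.0/24, the community names Star_A / Star_B, the rule names, and the assumption that the VPN column must name both communities for spoke-to-spoke traffic are mine. It also covers the hub-domain-to-spoke case the later reply mentions, which only needs the outbound community in the rule.

```python
"""Hub-side model of hub-and-spoke VPN routing (constructed example).

Not Check Point code: a simplified model of the questions a hub must answer
for a packet that arrives over one site-to-site tunnel and is bound for a
network behind another tunnel. SPOKE A / SPOKE B addresses come from the
post; the hub's own domain and the rule/community names are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Gateway:
    name: str
    encryption_domain: Tuple[IPv4Network, ...]

    def owns(self, addr: IPv4Address) -> bool:
        return any(addr in net for net in self.encryption_domain)


@dataclass(frozen=True)
class StarCommunity:
    name: str
    center: Gateway
    satellites: Tuple[Gateway, ...]

    def owner_of(self, addr: IPv4Address) -> Optional[Gateway]:
        """Member gateway whose encryption domain contains addr, if any."""
        for gw in (self.center,) + self.satellites:
            if gw.owns(addr):
                return gw
        return None


@dataclass(frozen=True)
class AccessRule:
    sources: Tuple[IPv4Network, ...]
    destinations: Tuple[IPv4Network, ...]
    vpn: Tuple[str, ...]          # VPN column: community names, or ("Any",)
    action: str = "Accept"

    def matches(self, src: IPv4Address, dst: IPv4Address, needed: Set[str]) -> bool:
        # Modelling assumption: traffic that crosses two communities needs a
        # rule whose VPN column names both of them, as the poster's rule does.
        vpn_ok = self.vpn == ("Any",) or needed.issubset(self.vpn)
        return (any(src in n for n in self.sources)
                and any(dst in n for n in self.destinations)
                and vpn_ok)


def _locate(communities: Iterable[StarCommunity], addr: IPv4Address):
    """First (community, gateway) pair whose encryption domain holds addr."""
    for comm in communities:
        gw = comm.owner_of(addr)
        if gw is not None:
            return comm, gw
    return None


def route_through_hub(hub, communities, rules, src_str, dst_str):
    """Return (verdict, reason) for one packet as the hub would see it."""
    src, dst = ip_address(src_str), ip_address(dst_str)
    inbound, outbound = _locate(communities, src), _locate(communities, dst)
    if inbound is None or outbound is None:
        return "clear", "an endpoint is in no encryption domain; no VPN involved"
    (in_comm, in_gw), (out_comm, out_gw) = inbound, outbound
    if in_gw is hub and out_gw is hub:
        return "clear", "both endpoints are behind the hub"
    # Communities the rule must cover: each leg that actually uses a tunnel.
    needed = {c.name for c, gw in (inbound, outbound) if gw is not hub}
    for rule in rules:
        if not rule.matches(src, dst, needed):
            continue
        if rule.action != "Accept":
            return "drop", f"matched a {rule.action} rule"
        if out_gw is hub:
            return "decrypt", f"from {in_gw.name}; delivered behind the hub"
        if in_gw is hub:
            return "encrypt", f"from behind the hub to {out_gw.name}"
        return "vpn_route", f"{in_gw.name} -> {hub.name} -> {out_gw.name}"
    return "drop", f"no Accept rule whose VPN column covers {sorted(needed)}"


# --- Constructed topology mirroring the thread ------------------------------
HUB = Gateway("HUB", (ip_network("192.168.100.0/24"),))      # made-up hub domain
SPOKE_A = Gateway("SPOKE A", (ip_network("172.20.18.69/32"),))
SPOKE_B = Gateway("SPOKE B", (ip_network("10.40.90.5/32"),))
COMMUNITIES = (StarCommunity("Star_A", HUB, (SPOKE_A,)),
               StarCommunity("Star_B", HUB, (SPOKE_B,)))

SPOKE_DOMAINS = SPOKE_A.encryption_domain + SPOKE_B.encryption_domain
RULE_BOTH = AccessRule(SPOKE_DOMAINS, SPOKE_DOMAINS, ("Star_A", "Star_B"))
RULE_ONE = AccessRule(SPOKE_DOMAINS, SPOKE_DOMAINS, ("Star_A",))
RULE_HUB_TO_B = AccessRule(HUB.encryption_domain, SPOKE_B.encryption_domain, ("Star_B",))

if __name__ == "__main__":
    for rules in ((RULE_BOTH,), (RULE_ONE,)):
        print(rules[0].vpn, route_through_hub(HUB, COMMUNITIES, rules,
                                              "172.20.18.69", "10.40.90.5"))
    print(route_through_hub(HUB, COMMUNITIES, (RULE_HUB_TO_B,),
                            "192.168.100.10", "10.40.90.5"))
```

A `vpn_route` verdict is as far as hub-side reasoning goes: once both legs are in known communities and an Accept rule covers them, the hub's VPN-routing log will show the packet, and the next place to look is the peer gateway's own policy, which is where this thread's cause turned out to be.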
SintayehuCSE
Explorer

The problem has been solved. There was a URL filtering rule on the SPOKE A partner. The configuration works that way!
