Route Based VPN

Hi,

I am trying to establish a route based VPN and I have created numbered VTIs on both firewalls with the help of SK113735. But the traffic is going in clear text; it is not encrypting the traffic.

Please let me know if any other setting, creating community etc. needs to be done.

9 Replies
Vladimir

Re: Route Based VPN

Gaurav,

Please review the second portion of this: How to configure IPsec VPN tunnel between Check Point Security Gateway and Amazon Web Services VPC u... to see the creation of the VPN community for route-based VPNs. It should be more broadly applicable than just AWS.

Cheers,

Vladimir


Re: Route Based VPN

Thanks Vladimir for the response.

I will try to configure it.


Re: Route Based VPN

Hi,

I have configured the route based VPN but the tunnel is not coming UP. It fails at phase 1. I just want to confirm that I have configured the VTIs in the correct manner.

Environment: Single GW (not in a cluster)

VTI: Local address - Public IP of my GW (external IP)
     Remote address - Public IP of the remote GW (external IP)

Static route: Next hop is the public IP of the remote GW.


Re: Route Based VPN

As I said in my post, have a look at the first image: in the top left you enter the 169.254 addresses you get for local and remote. Then look at the first lines of the CLISH code which configures the VTIs; it shows you the 169.254 addresses, not the real IPs of the hosts.

For the routing you also use the 169.254 address as the next hop.

Regards, Maarten

Re: Route Based VPN

Hi Maarten,

Thanks.

I have given the VTI an IP address other than the interface IP. We can also give a private IP address. Now the tunnel is UP and working as expected.

I have also enabled OSPF and it is running fine.


Re: Route Based VPN

Gaurav,

A while back I created a template to be filled in for a set of AWS tunnels, with or without cluster and with or without BGP. It looks like this; below is the actual code created by the program:

Non cluster version

Cluster version:

This template was built with FileMaker Pro. All you fill in is the fields at the top left; all the rest is filled in based on that info.

Regards, Maarten

Re: Route Based VPN

Hi Maarten,

Really appreciated.


Re: Route Based VPN

Hi,

I am summarizing the steps of the route based VPN configuration so it will be helpful for others.

  1. Create empty encryption domains and assign one to each gateway.
  2. Create the VTI interface in the Gaia WebUI. For the remote peer, use the object name rather than the IP.
  3. Add routes for the remote side's encryption domain toward the VTI interface. Here you can use static routes or any dynamic routing protocol like OSPF.
     Enabled OSPF on the VTI interface.

You can follow sk113735 for the configuration of points 1-3. Please note that you can use any fake IP address as the local and remote addresses.

  4. Fetch topology on the gateway object in SmartDashboard.
  5. Add VIPs if it is a cluster.
  6. Use the external interfaces in link selection.
  7. Add rules with directional VPN: source is the real encryption domains (not the null domain), destination the same, and in the VPN column: internal_clear to VPN Community, VPN Community to VPN Community, and VPN Community to internal_clear in each VPN rule.

Verification: fw monitor shows little o going to the VTI and big O going to the external interface, with the external IPs.
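To make the VTI addressing point from this thread concrete, here is an added example (not posted by anyone in the thread and not taken from sk113735) of the Gaia clish commands for a numbered VTI on a single, non-clustered gateway, with the remote peer referenced by its SmartDashboard object name as step 2 describes. The tunnel number, the 169.254.10.x addresses, the peer object name `Remote_GW` and the remote encryption domain 10.20.0.0/16 are assumed values; the VPN community, link selection and directional rules still have to be configured on the management side before the tunnel can come up.

```clish
# Numbered VTI on a single (non-cluster) gateway. All addresses are constructed.
# The local/remote values are tunnel addresses, NOT the public IPs of the two
# gateways; using the public IPs here is what left the tunnel stuck in phase 1
# earlier in this thread. The peer is the gateway object name, not an IP.
add vpn tunnel 1 type numbered local 169.254.10.1 remote 169.254.10.2 peer Remote_GW
set interface vpnt1 state on

# Route the remote encryption domain into the tunnel: the next hop is the
# remote VTI address, not the peer's external IP.
set static-route 10.20.0.0/16 nexthop gateway address 169.254.10.2 on

# Optional: run OSPF across the VTI instead of the static route above.
set ospf area backbone on
set ospf interface vpnt1 area backbone on

save config

# Checks once the policy with the VPN community has been installed:
# the VTI should be up and the remote network should point at vpnt1.
show interface vpnt1
show route
show vpn tunnels
```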
Dami

Re: Route Based VPN

Thank you man for sharing... Life saver!
