Aaron_Lee
Participant

Route a specific internet site through remote gateway

We use a full mesh Check Point VPN, and each site uses a gateway for Internet access (local breakout). However, there is a request to route a specific internet site through another VPN site, which should deliver the traffic from that remote gateway and not the local breakout. Does anyone have any idea how this request can be achieved in Check Point VPN? Thanks in advance.

8 Replies
Gomboragchaa
Advisor

Hi,

I am not sure, but I think you cannot route a specific website over another VPN.

You have only 2 options: Internet traffic goes out over each gateway, or all traffic goes through the central VPN firewall.

0 Kudos
_Val_
Admin

The scenario is not exactly clear. Could you put a short diagram together on what you are trying to do, please?

0 Kudos
Claudio_Bolcato
Contributor

The only thing that comes to my mind is VTI and route-based VPN, depending on your mesh community size.

0 Kudos
Timothy_Hall
Legend

Perhaps configuring the file vpn_route.conf can help here? I have seen it used many times before, but admittedly not for traffic going to an Internet site...

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Aaron_Lee
Participant

Hi Timothy,

Thanks for your reply. We have tried this way; however, when testing the traffic we see it sent to the remote gateway through the VPN tunnel, but after that the traffic was dropped on the remote gateway with this log:

encryption failure : according to the policy the package should not have been decrypted.

If the traffic is not to an internet site, then it is OK.

0 Kudos
Vladimir
Champion

Configure CP in the specific site in non-transparent proxy mode (you can add an interface to anchor the proxy functionality to it) and set up NAT to it in your branch gateway.

Create PAC file for the branch to define NATed proxy IP for the URL in question and exempt the rest of the web traffic using "Direct".
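
A PAC file of the kind this post describes, written as an added example and not taken from the thread or from Check Point documentation. The proxy address 10.99.0.10:8080 and the steered domain example.com are placeholder assumptions; the helper hostInDomain is defined locally (under a name that does not shadow the browser's built-in dnsDomainIs) so the file also runs under Node.js for testing.

```javascript
// Placeholder assumptions: the NATed address the branch uses to reach the
// remote site's proxy, and the one site whose traffic must leave via that site.
var STEERED_PROXY = "PROXY 10.99.0.10:8080";
var STEERED_DOMAIN = "example.com";

// True when host is exactly the domain or a subdomain of it. The dot boundary
// matters: "notexample.com" must not match "example.com".
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) {
    return true;
  }
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.slice(host.length - suffix.length) === suffix;
}

// Entry point every PAC-capable client calls for each request. Only the
// steered site is sent to the proxy; everything else stays on local breakout.
// Deliberately no "; DIRECT" fallback on the proxy entry: if the proxy or the
// tunnel is down, a fallback would silently send that site out of the local
// breakout, which is exactly what the request is trying to avoid.
function FindProxyForURL(url, host) {
  if (hostInDomain(host, STEERED_DOMAIN)) {
    return STEERED_PROXY;
  }
  return "DIRECT";
}
```

Because matching is on the hostname, HTTPS requests are handled too: the client issues a CONNECT to the proxy for the steered host, so the remote gateway sees the traffic as proxy traffic rather than as encrypted VPN packets it has no policy to decrypt.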

Tomas_Jurak
Explorer

Hmm, it seemed like a good idea to me, but then I found an article stating that it cannot work: HTTP and HTTPS traffic is dropped and/or latency is experienced when HTTP / HTTPS traffic goes throu... . My customer uses R77.30. Anyway, I will ask them to run a small virtual machine with squid or some other proxy; it should work.

Thanks!

0 Kudos
Vladimir
Champion

Just looked at the sk you are referencing. Perhaps it is applicable to R80+ as well, but these versions are not listed in the "Applies to" section.

You may want to run it by CP to figure out if it is still the case or if the product was modified to support it.
