VPN Routing - Way of directing communication through a specific VPN tunnel in order to enhance existing connectivity or security. In addition, VPN routing can be used to reduce connectivity costs.
- Domain Based VPN - VPN traffic is routed within the VPN community based on the encryption domain behind each Security Gateway in the community.
In a Star community, this allows satellite Security Gateways to communicate with each other through central Security Gateways.
Configuration for Domain Based VPN is performed directly through SmartDashboard.
- Route Based VPN - VPN traffic is routed within the VPN community based on the routing information, static or dynamic, configured on the Operating Systems of the Security Gateways.
SmartDashboard configuration allows routing the traffic between Satellites via the Center and between Satellites and the Internet (route all traffic via the center). "Manual" routing configuration is available via the $FWDIR/conf/vpn_route.conf file on the Security Management Server.
Notes:
- VPN Routing is supported only with a Simplified VPN Mode Security Policy.
- If both Domain Based VPN and Route Based VPN are configured, then Domain Based VPN will take precedence.
- Route Based VPN is not supported with IKEv2.
What is route-based VPN?
https://support.checkpoint.com/results/sk/sk30975
For route based you need VTI's:
VPN Tunnel Interface (VTI) - Virtual Interface on a Security Gateway that is related to a VPN tunnel and connects to a remote VPN peer. You create a VTI on each Security Gateway that connects to the VTI on a remote VPN peer. Traffic routed from the local Security Gateway via the VTI is transferred encrypted to the associated peer Security Gateway.
A Virtual Interface behaves like a Point-to-Point interface directly connected to the remote VPN peer. Traffic between network hosts is routed into the VPN tunnel using the IP routing mechanism of the Operating System.
Security Gateway objects are still required, as well as VPN communities (and access control policies) to define which tunnels are available. However, VPN encryption domains for each peer Security Gateway are no longer necessary. The decision whether or not to encrypt depends on whether the traffic is routed through a virtual interface.
The routing changes dynamically if a dynamic routing protocol (OSPF/BGP) is available on the network.
The VTI can be configured in two ways:
- Numbered - Local IP address and remote IP address are configured for each numbered VPN Tunnel Interface (VTI). For each Security Gateway, the following are configured: a local IP address, a remote address, and the local IP address source for outbound connections to the tunnel. The remote IP address must be the local IP address on the remote peer Security Gateway. More than one VTI can use the same IP Address, but they cannot use an existing physical interface IP address.
- Unnumbered - For unnumbered VTIs, a proxy interface is defined for each Security Gateway. Each Security Gateway uses the proxy interface IP address as the source for outbound traffic. Unnumbered interfaces let administrator assign and manage one IP address for each interface. Proxy interfaces can be physical or loopback interfaces.
VTIs allow the ability to use Dynamic Routing Protocols to exchange routing information between Security Gateways. The supported Dynamic Routing Protocols are:
Consider also reading these parts of admin guide:
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...
-------
If you like this post please give a thumbs up(kudo)! 🙂