maad-pul
Contributor

Site to Site VPN - Remote Network not routed via default-route

Hi,

I have a setup where I route 10.210.0.0/16 to WAN-MPLS service provider, each Office/Shop has its own /24 network within this /16.
I have a problem: the MPLS fibre to one office is broken, so I would like to run this network (10.210.3.0/24) over Site-to-Site VPN instead. Can this be done in 81.10 with the latest jumbo and a Cloud Guard HA gateway pair?

I think I have had a problem with this in VSX back in the days (I don't know which version).
In Cisco ASA I can handle this problem by routing 10.210.3.0/24 to the default gateway for the internet. I didn't get this working back in the days in Check Point; the solution was to start subnet routing to MPLS with smaller nets so that 10.210.3.0/24 used the default route to the ISP. Check Point VSX couldn't build a VPN tunnel when a network in the remote VPN domain was included in a route to an MPLS provider instead of the default route.
10.210.1.0/24 -> MPLS
10.210.2.0/24 -> MPLS
--- 10.210.3.0/24 --- SKIPPED AND DEFAULT ROUTE USED
10.210.4.0/24 -> MPLS
10.210.5.0/24 -> MPLS

What's your thought about this? Can you have a remote network via Site-to-Site VPN that's routed to something else than the default route within Check Point infrastructure? The VPN setup is old school with VPN domains etc. Maybe VTI can solve the issue?

Regards
Mattias
0 Kudos
4 Replies
PhoneBoy
Admin

There isn’t a specific requirement to route VPN traffic out the default route.
In fact, if you’re using Link Selection with multiple interfaces, you actually need to use non-default routes to reach certain destinations and use the correct IP.

Where you might have had issues is with the encryption domain and routing.
And yes, you do need to be mindful of that.
Using VTIs (with a “null” encryption domain) should work also.

0 Kudos
Wolfgang
Authority

@maad-pul if subnet 10.210.3.0/24 is configured in the encryption domain of your remote gateway, the VPN will be used; no route needed.

Usually you can configure a highly available connection with one MPLS connection and VPN as backup: How To Create a Redundant, Service-based MPLS/Encrypted Link VPN

0 Kudos
maad-pul
Contributor

Just for information, the remote device is a 3rd-party device (Interoperable Device). I don't know if this changes your opinion that this setup will be working? I haven't had time to set up a lab yet, but as I said, according to information from a few years back I had problems in my VSX environment handling VPN when the remote destination network was included in a "bigger" static route to the MPLS provider.

0 Kudos
Wolfgang
Authority

@maad-pul The mentioned solution does not work with third-party devices. Your line is lost at the moment. Why not set up the correct VPN configuration for the known remote network, and additionally you can configure a route for your smaller remote network via the default gateway. Your known problems are a few years back; you can give it a try now.

0 Kudos
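To make the two separate decisions discussed in this thread concrete (which next hop a packet takes by longest-prefix match, and whether the destination is in the peer's encryption domain), here is an added illustration in Python. It is not code from the thread or from Check Point; the next-hop names "mpls-gw" and "isp-gw" and the routing table are constructed for the example.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed routing table for the scenario in the thread: the whole /16 goes
# to the MPLS provider, the broken office /24 gets a more-specific route via
# the ISP gateway, and everything else follows the default route.
ROUTES_WITH_SPECIFIC: Dict[str, str] = {
    "0.0.0.0/0": "isp-gw",
    "10.210.0.0/16": "mpls-gw",
    "10.210.3.0/24": "isp-gw",
}

# The same table without the more-specific route (the situation before the fix).
ROUTES_WITHOUT_SPECIFIC: Dict[str, str] = {
    "0.0.0.0/0": "isp-gw",
    "10.210.0.0/16": "mpls-gw",
}

# Encryption domain of the third-party VPN peer (assumed for the example).
PEER_ENCRYPTION_DOMAIN = ["10.210.3.0/24"]


def next_hop(dst: str, routes: Dict[str, str]) -> str:
    """Longest-prefix-match lookup: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[ipaddress.IPv4Network] = None
    for prefix in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    assert best is not None, "a default route should always match"
    return routes[str(best)]


def in_encryption_domain(dst: str) -> bool:
    """Encryption is decided by VPN-domain membership, not by the route."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for p in PEER_ENCRYPTION_DOMAIN)


def forwarding_decision(dst: str, routes: Dict[str, str]) -> Tuple[str, bool]:
    """Return (next hop, will be encrypted?) for a destination address."""
    return next_hop(dst, routes), in_encryption_domain(dst)
```

Comparing the two tables shows why the more-specific /24 route matters: without it, traffic to the broken office is still selected for encryption but leaves towards the MPLS next hop.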