Hello,
Currently trying to bring up a route-based S2S VPN between my two sites, each of which has 2 GWs in ClusterXL, and, if possible, I'd like your help confirming this design.
This is based on this reference, but it kinda threw me off:
Also, I'm planning to use static routes, not dynamic routing. So, what's the next hop supposed to be?
I've attached a HLD for a better view of what I think I'm supposed to configure.
PS: I've already configured VPN Community and a VPN Domain with an Empty Group as required.
Thanks!
So what exactly is failing? Do you see phase 1 and 2 completing?
Andy
Nothing is failing since I haven't completed the config. My question is specifically regarding the VTIs when GWs are clustered. Please see the attached HLD.
ClusterA ClusterB
Gw1>>>>>>>>>>Gw1
Gw2>>>>>>>>>>Gw2
Ok, got it. Check out my post below about how this should be configured; though it's with Azure, it's similar.
Andy
If still not clear, let me know.
Thanks! The way I see it based on the data you provided:
- Use STAR community instead of Mesh (what I have configured; I figured since they're two clusters P2P). What about the whole Center/Hub - spoke thing in STAR? Will that have any impact?
- Use unnumbered VTIs
- Static routes pointing towards the external intf.
1) That's right, star is fine, no, it should not have any impact
2) You can use unnumbered VTIs, though I found that's probably more of a must if you use BGP, but even if you don't, it's fine, just don't "freak out" when you see the vti pop up with the SAME ip as external, that's totally fine and expected, as it would "piggy off" that interface
3) Yes, BUT, make sure when you create a route it points to the REMOTE subnet and the dg is the actual VTI
I mentioned all this in the post I made that I referenced.
Andy
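What those three points look like in Gaia clish, as an added example that is not part of the thread or any Check Point document. It assumes site A's LAN is 10.1.0.0/24 behind ClusterA, site B's LAN is 10.2.0.0/24 behind ClusterB, the peer cluster objects are named ClusterA and ClusterB, the external interface on every member is eth0, and that Gaia names an unnumbered VTI `vt-<peer name>`; all of those names and subnets are constructed for the example.

```clish
# Run on BOTH members of ClusterA (Gaia OS settings are per member; ClusterXL
# does not sync them). Assumed: peer object "ClusterB", external interface eth0,
# remote LAN 10.2.0.0/24.

# Unnumbered VTI borrowing eth0's address. "show interface vt-ClusterB" will
# report the external IP; as the thread says, that is expected, not a fault.
add vpn tunnel 1 type unnumbered peer ClusterB dev eth0

# The static route's destination is the REMOTE subnet and its next hop is the
# VTI itself (logical interface), not eth0 and not the peer's public address.
set static-route 10.2.0.0/24 nexthop gateway logical vt-ClusterB on

save config

# Checks: the VTI exists with eth0's IP, the route leaves via vt-ClusterB,
# and the tunnel shows up once the policy is installed and traffic flows.
show interface vt-ClusterB
show route
show vpn tunnels

# Mirror on BOTH members of ClusterB (assumed peer object "ClusterA",
# remote LAN 10.1.0.0/24):
add vpn tunnel 1 type unnumbered peer ClusterA dev eth0
set static-route 10.1.0.0/24 nexthop gateway logical vt-ClusterA on
save config
```

After the Gaia side is done on all four members, the VTIs still have to be pulled into each cluster object's topology in SmartConsole (as the original poster did later with "Get Interfaces" without topology) and the policy installed; a route that points at eth0 or at the peer's public IP instead of the vt- interface will send the traffic in the clear, which is the mistake point 3 warns about.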
Got it! And about which one should be center and satellite? What's the best practice? No SK mentions that!
Also, tunnel management and VPN routing?
I keep thinking that having two clusters on each site is somewhat different than with a 'cloud based' peer lol!
Based on your Word doc, you placed AZURE as satellite, but in my case, again, two clusters managed by the same SMS.
I guess in your case it should not matter, honestly... either one can be centre. VPN routing? Well, are you doing any?
Below is a description of those options.
Andy
To center only. No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way.
To center and to other satellites through center. Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connections between satellite gateways and gateways that do not belong to the community are routed in the normal way.
To center, or through the center to other satellites, to internet and other VPN targets. Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.
@speedbot33 Ping me any time privately if you need help, I respond to all messages.
Andy
Thanks a lot Andy! I will take you up on that! Let me give it a go with what I've gathered so far and let you know.
Any time. I had someone else message about it a few months back and I told the guy what to do and it worked right away. He was very grateful, as he told me he'd been trying to get it to work for 6 months, even had a TAC case about it, but nothing happened. But, I get the situation... it's never easy to fix anything complicated like that unless you have a working lab, otherwise, you just keep guessing and that's no way to really fix things lol
Andy
I've tried several times to boot up a virtual GW in EVE-NG but to no avail.
Btw - I appreciate you giving me the heads up on the vti taking the external IP - After I pulled interfaces WITHOUT topology - boom. This is my first foray into unnumbered interfaces with CP.
Try different NIC types, I always choose vmxnet, no issues.
Andy