
VPN and three sites

Hello

Three sites (1, 2, 3) all running R77.30.

Site2 acts as a VPN hub, with both Site1 and Site3 having tunnels (to center only) established to Site2.

Encryption domains:

Site1: 1.1.1.1
Site2: 2.2.2.2
Site3: 3.3.3.3

We're trying to access Site3 from Site1 with the NAT rule on Site2:

Original Source: 1.1.1.1
Original Destination: 2.2.2.2
Translated Source: 2.2.2.2 (Hide)
Translated Destination: 3.3.3.3 (Hide)

Is this the right way to do it?

The NAT rule works. We see traffic encrypted from 1.1.1.1 to 2.2.2.2, but from 2.2.2.2 to 3.3.3.3, according to the tracker, it's sent in clear text (it just says Accept), although the rule number is correct and it's set to encrypt anything from 2.2.2.2 to 3.3.3.3 using the Site2-to-Site3 VPN community.

Thank you.

3 Replies

Re: VPN and three sites

Why would you do Natting?

First of all, what type of VPN community did you use? When you use a single Star topology, just set the tunnel routing to route through center to other satellites.

The problem you run into is that the gateway handles the traffic as sourced from 1.1.1.1 to 3.3.3.3, because NATting takes place after the tunneling is handled; the traffic will only be tunneled when you enable route through center.

Regards, Maarten

Re: VPN and three sites

Many thanks Maarten Sjouw.

I was confused about NATting order. So "route through center to other satellites" should be set on Site2 for both Site1 and Site2 communities, right?

And when it comes to the fw rule on Site2, what VPN Match Condition should be used? Any connections, or Only connections encrypted in specific VPN Communities with Site1 and Site2 communities selected?


Re: VPN and three sites

You only create one Star community and add Site2 as the center and Site1 and Site3 as spokes; however, if you want all sites to be able to talk to each other directly, you create a Mesh community and add all three sites to it.

I really don't use the VPN column in the rulebase. Are there specific reasons that Site1 cannot talk to Site3 directly without NATting? If not, don't.

The whole VPN setup with Check Point is really simple: any site added to a community will allow traffic between those sites, based on the rulebases. When you do need to NAT between Site1 and Site3, better do it on the Site1 FW directly and don't send traffic through two tunnels when you can send it through one.

Regards, Maarten
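The two replies above describe three ways the hub can treat a Site1-to-Site3 flow: two separate tunnel-to-center communities plus a NAT rule on Site2 (clear text on the second leg, because the community match is made on the original addresses before NAT), one Star community with route through center (encrypted on both legs), or a Mesh community (Site1 encrypts directly to Site3). The following is an added, simplified model of that decision logic written for this thread; it is not Check Point code, the `Community` class and its fields are the author's own constructed abstraction, and the only inputs are the three site names and encryption domains from the original post.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Encryption domains from the original post (one host each).
DOMAINS = {
    "Site1": [ip_network("1.1.1.1/32")],
    "Site2": [ip_network("2.2.2.2/32")],
    "Site3": [ip_network("3.3.3.3/32")],
}


@dataclass
class Community:
    """Constructed abstraction of a VPN community (not a Check Point API)."""
    name: str
    kind: str                               # "star" or "mesh"
    gateways: List[str] = field(default_factory=list)
    center: Optional[str] = None            # star only
    route_through_center: bool = False      # star only

    def satellites(self) -> List[str]:
        return [g for g in self.gateways if g != self.center]

    def peers_of(self, gw: str) -> List[str]:
        """Gateways that `gw` has a tunnel to inside this community."""
        if self.kind == "star" and gw != self.center:
            return [self.center]            # satellites only tunnel to the hub
        return [g for g in self.gateways if g != gw]

    def domain_sites(self, gw: str, peer: str) -> List[str]:
        """Sites whose encryption domains `gw` presents to `peer`.
        With route through center, the hub also presents the other satellites."""
        if self.kind == "star" and self.route_through_center and gw == self.center:
            return [gw] + [s for s in self.satellites() if s != peer]
        return [gw]


def in_domain(addr: str, site: str) -> bool:
    return any(ip_address(addr) in net for net in DOMAINS[site])


def tunnel_peer(comm: Community, gw: str, src: str, dst: str) -> Optional[str]:
    """Peer that would encrypt src->dst leaving `gw` in this community, or None."""
    if gw not in comm.gateways:
        return None
    for peer in comm.peers_of(gw):
        src_ok = any(in_domain(src, s) for s in comm.domain_sites(gw, peer))
        dst_ok = any(in_domain(dst, s) for s in comm.domain_sites(peer, gw))
        if src_ok and dst_ok:
            return peer
    return None


def forwarding_decision(communities: List[Community], gw: str, src: str, dst: str) -> str:
    """Match the ORIGINAL addresses against each community. As the first reply
    explains, NAT is applied only after this decision, so a NAT rule on the hub
    cannot turn an unmatched flow into an encrypted one."""
    for comm in communities:
        peer = tunnel_peer(comm, gw, src, dst)
        if peer:
            return f"encrypted to {peer} via {comm.name}"
    return "clear"


# Scenario A: the original post - two tunnel-to-center communities and a NAT rule on Site2.
SEPARATE = [
    Community("Site1-Site2", "star", ["Site2", "Site1"], center="Site2"),
    Community("Site2-Site3", "star", ["Site2", "Site3"], center="Site2"),
]
# Scenario B: one Star community with route through center enabled (first reply).
ONE_STAR = [Community("Hub", "star", ["Site2", "Site1", "Site3"], center="Site2",
                      route_through_center=True)]
# Scenario C: a Mesh community containing all three sites (second reply).
MESH = [Community("Mesh", "mesh", ["Site1", "Site2", "Site3"])]

if __name__ == "__main__":
    print("A Site1 1.1.1.1->2.2.2.2:", forwarding_decision(SEPARATE, "Site1", "1.1.1.1", "2.2.2.2"))
    print("A Site2 1.1.1.1->3.3.3.3:", forwarding_decision(SEPARATE, "Site2", "1.1.1.1", "3.3.3.3"))
    print("B Site1 1.1.1.1->3.3.3.3:", forwarding_decision(ONE_STAR, "Site1", "1.1.1.1", "3.3.3.3"))
    print("B Site2 1.1.1.1->3.3.3.3:", forwarding_decision(ONE_STAR, "Site2", "1.1.1.1", "3.3.3.3"))
    print("C Site1 1.1.1.1->3.3.3.3:", forwarding_decision(MESH, "Site1", "1.1.1.1", "3.3.3.3"))
```

Scenario A reproduces the tracker observation from the original post: the first leg is encrypted, but on Site2 the flow evaluated for tunneling is 1.1.1.1 to 3.3.3.3, which neither tunnel-to-center community covers, so it leaves in the clear. In scenario B the hub presents Site1's domain toward Site3 (and Site3's toward Site1), so both legs match; in scenario C Site1 encrypts straight to Site3 and the hub is not involved at all.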