Hello everyone!
I need your help...
I have 3 different FW clusters on my network, on different sites, let's call them:
Cluster 1 at site 1 (holds network A)
Cluster 2 at site 2 (holds network B)
Cluster 3 at site 3 (holds network C)
while each of them is responsible for a network:
10.0.0.0/24 Network A
20.0.0.0/24 Network B
30.0.0.0/24 Network C
I point out that in each of the sites where there is a cluster, the FW also has legs for the benefit of the other networks, for users of these networks who are on these sites.
In addition to this I have several small satellite sites where there are users who will connect to any of my networks.
I created 3 VPN Communities between the relevant satellite sites and the clusters in a star configuration, for the benefit of each of the networks.
That is, I have 3 VPN Communities, each of which has a different cluster that is defined as a Center and a number of small FWs that are defined as satellites.
The sites themselves have an encryption domain that contains all the networks that exist on the site.
This is my existing situation, now I will explain the problem...
When I am at a satellite site sending a ping from a computer located on network A to a computer at another satellite site on the same network (A), I expect the traffic to go through cluster 1 that holds network A, and from there to the other satellite site.
What actually happens is that when I send a ping from one satellite site on network A to another site on network A, I recognize that the traffic goes through cluster 2, for example, which serves as a center for VPN Community that is not relevant to network A.
I saw that there is an option to define in the Rule itself which VPN it will be associated with; I tried it and the situation did not change.
I would appreciate your advice.
Version/JHF in use?
All clusters are managed by the same management?
Not sure why you need three different VPN communities here when a single one should suffice.
Hi good morning,
All managed through one management in version R81.10
My clusters are version 81, and various versions of JHF.
Could you explain to me in more detail why 3 different VPNs for my case are not necessary, and why it is better to make one?
I mention again, I have 3 different networks that I want full partitioning.
Thank you very much for your response
Because it is only more work but no better result. See https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...
So if I understand you correctly, I need to create one VPN C in which I have the 3 clusters in the center and all the other small remote sites in the satellites? And this way I get the same result as I have today?
And what about my question: is it supposed to work like this? Every small website when looking for a certain network should not go directly to the cluster that owns that network?
What you are proposing is only an "improvement" of the situation I have today... I want to understand if it is normal and how it can be adjusted if not
This is what you need to do. Create ONE star community, with clusters as center gateways, others as satellite and adjust below.
Andy
To center only. No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way.
To center and to other satellites through center. Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.
To center, or through the center to other satellites, to internet and other VPN targets. Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.
I believe it is your current configuration that is causing the behavior you're seeing.
It should disappear when you move to a single VPN Community (properly configured of course).
I do not understand your questions as they are covered in the referenced admin guide. Did you study the Admin guide well? https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...