Hello
I have three CP appliances connected via the 192.168.20.0/24 network, with internet access via 192.168.20.1.
GW-Central:
WAN IP: 192.168.20.70
LAN IP: 10.94.0.100/24
GW-SiteA:
WAN IP: 192.168.20.80
LAN IP: 10.0.80.1/24
GW-SiteB:
WAN IP: 192.168.20.90
LAN IP: 10.0.80.1/24
I used this document as a guide:
How to Set Up a Site-to-Site VPN with Check Point Gateways Managed by the same Management Server
So I have defined:
Local-LAN: 10.94.0.0/24 with NAT to 192.168.20.70
SiteA-LAN: 10.0.80.0/24 with NAT to 192.168.20.70
SiteB-LAN: 10.0.90.0/24 with NAT to 192.168.20.70
In the gateway properties I've changed the VPN Domain to the defined LAN network:
For GW-Central, Local-LAN is selected
For GW-SiteA, SiteA-LAN is selected
For GW-SiteB, SiteB-LAN is selected
I have created a VPN Star Community, set GW-Central as the Center Gateway, and GW-SiteA and GW-SiteB as Satellite Gateways.
In VPN Routing I've selected "To center or through center to other satellites, to Internet and other VPN targets".
I've added Access Policy rules to allow traffic between the Sites and the Center GW, and from the Sites to the Internet.
It works almost fine:
I have internet access from the LAN in both Sites (via the Central GW) - checked with traceroute.
I have full network visibility between the LANs (Site A to Site B, Site B to Central, Site A to Central, and so on).
I'm unable to synchronize clocks via NTP on Satellite appliances.
From the CLI on a satellite appliance, I'm unable to ping 8.8.8.8 or 192.168.20.1. DNS resolution doesn't work.
However, I'm able to ping the Central and the other Satellite LAN addresses.
At the same time, I can find a log entry with a dropped packet from SiteA/SiteB to 8.8.8.8 with "Security warning: received a cleartext packet within an encrypted connection."
What am I missing?