Ivory

Route Based VPN - Configuration

Hello Checkmates, 

I am implementing a hub and spoke topology using Checkpoint devices across our MPLS. All spoke Checkpoint devices will be configured to route to the internet via the Hub Checkpoint.

I am trying to set up route-based VPNs and I need some clarifications on the following.

1. Is VTI supposed to work like GRE tunnels (we define tunnel local IPs, tunnel source and tunnel destination), since it also allows routing protocols through IPSec tunnels?

2. Remote Address under the VTI - Is this supposed to be the public IP of the peer gateway's external interface or the local private IP on the VTI of the peer gateway? The image below from the Checkpoint support center shows local (10.10.10.10) and remote (20.20.20.20). I was thinking they have to be on the same subnet for reachability (local 10.10.10.10 and remote 10.10.10.11).

[image: img 3.PNG]

3. For OSPF routing I am using the GUI configuration - Do I have to select the VTI as part of the OSPF interfaces for it to form a neighborship with the peer? I have selected all active LAN interfaces on the Checkpoint devices and I plan to use OSPF default information originate to pass a default route from the Hub to the Spoke devices.

Thank you in anticipation. 

Admin

VTI is similar to GRE in that traffic routed through the interface is encrypted.
The difference with VTI is that the encapsulation is IPsec.
VTI interfaces are "point-to-point" and do not have to be on the same subnet.
The VTI IP addresses are private.
If you want OSPF to communicate routes over the VTI interface to the peer at the other end, it must be enabled on both ends of the VTI interface.
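As an added example (not from the original thread, and not Check Point's own documentation), here is a Gaia clish configuration for one hub/spoke pair that puts the reply above into practice: numbered VTIs with private tunnel addresses, the "remote" address being the peer's VTI address rather than its public interface IP, and OSPF enabled on the VTI at both ends. The gateway object names Hub_GW and Spoke1_GW, tunnel ID 1, and the 10.255.0.x tunnel addresses are assumed for illustration; the default-route origination command is marked as an assumption in the comments and should be checked against your Gaia release.

```clish
# --- Hub gateway (Hub_GW) ---
# Numbered VTI toward Spoke1_GW. "local" is this gateway's own tunnel address,
# "remote" is the spoke's tunnel address (its VTI IP, NOT its public IP).
# The two addresses are a point-to-point pair and need not share a subnet.
# The peer name must match the VPN peer gateway object defined in SmartConsole.
add vpn tunnel 1 type numbered local 10.255.0.1 remote 10.255.0.2 peer Spoke1_GW

# Run OSPF on the new VTI. Gaia names the interface vpnt<tunnel_id>, so tunnel 1 is vpnt1.
set ospf area backbone on
set ospf interface vpnt1 area backbone on

# Hub side only: originate a default route into OSPF so spokes reach the Internet via the hub.
# Assumed clish form of the OSPF "Default ASE Route" setting; verify the exact syntax on your release.
set ospf default-ase-route on
save config

# --- Spoke gateway (Spoke1_GW) ---
# Mirror image of the hub: local/remote are swapped and the peer points back at the hub.
add vpn tunnel 1 type numbered local 10.255.0.2 remote 10.255.0.1 peer Hub_GW
set ospf area backbone on
set ospf interface vpnt1 area backbone on
save config

# --- Verification (run on either side) ---
show vpn tunnels          # the VTI and its peer
show interface vpnt1      # local/remote addresses of the point-to-point interface
show ospf neighbors       # the peer's router ID should reach state FULL over vpnt1
show route ospf           # on the spoke, expect 0.0.0.0/0 learned from the hub
```

Two checks worth doing before blaming OSPF: after adding the VTIs, refresh the gateway topology in SmartConsole so the vpnt1 interface is known to the policy, and confirm that the VPN community between the two gateways is set up for route-based VPN (the usual approach is an empty encryption domain so that routing, not the domain, decides what enters the tunnel). If the tunnel is up but the neighbour never leaves INIT, check that OSPF is enabled on vpnt1 on both ends, which is the point made in the reply above.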