Marcel_Gramalla
Advisor

VPN Routing: Route all except for Internet traffic?

Hi,

We currently have a local Cluster of R77.30 Gateways with many VPN tunnels. We now want to install a bunch of centrally managed 1430 appliances in remote offices.

We normally use VPN Routing "To center, or through the center to other satellites, to internet and other VPN targets". The problem is that we want a local internet breakout on each remote office but need the "other VPN targets" from our local Cluster.

Is there a possibility to achieve this?

I appreciate your help

Marcel

28 Replies
Jerry
Mentor

--sk86582--

$FWDIR/lib/crypt.def 

Jerry
0 Kudos
Marcel_Gramalla
Advisor

I know about the crypt.def but I don't understand how I could solve my problem with it. Can I negate the destination IP so that only private IPs are sent through the tunnel? Would something like this work?:

vpn_exclude_dst!={<10.0.0.0,10.255.255.255>}

Maybe you can help.

0 Kudos
_Val_
Admin

No

0 Kudos
Marcel_Gramalla
Advisor

Do you know how to get this working instead? I can't imagine that this is not possible.

0 Kudos
_Val_
Admin

It depends on a use case. The easiest way to set up VPN is to use simplified domain based option. I can only guess why you have decided to go for VPN routing instead.

0 Kudos
Marcel_Gramalla
Advisor

To make things clear I made a quick picture:

Short:

- Our main firewall has many VPN tunnels with other companies etc.

- Our remote offices have one VPN tunnel with our main firewall

- The remote offices have to access the other VPN tunnels through the main firewall

- The remote offices should use the local internet connections

Any idea?

_Val_
Admin

- The remote offices should use the local internet connections 

It is a standard S2S VPN setup. Use domain based VPN, it will work out of the box. If you need to route Site 1 to Site 2 through the main FW, there is an option under VPN Community / VPN Routing to do that.

 

This is also written in the documentation, look into the admin guides

Matthias_Haas
Advisor

Hi Valeri,

does your proposal also cover this requirement?

- The remote offices have to access the other VPN tunnels through the main firewall

If this explanation is correct confused-about-vpn-routing-options (which I believe), then your proposal will only work if all satellites are in the same VPN community, which is not the case in Marcel's setup. Or am I wrong?

Matthias

Marcel_Gramalla
Advisor

That's exactly my question here. We normally have one community per company - that's over 20 in total now. I tested again but it's not working. And I can't just put the remote office in the other community.

0 Kudos
Matthias_Haas
Advisor

Hi Marcel,

I believe it will work only with a combination of Route Based VPN (for your 1430 appliances) and the Domain Based VPNs which I guess you have for your already established VPN Communities.

A mix of both modes on a gateway is possible as per sk109340

But: on a R77.30 Gateway, a Route based VPN would disable CoreXL: CoreXL Known Limitations, an update to R80.x might be an option.

Route based VPN is supported on a 1430 appliance: Route Based VPN on R77.20.xx Gaia Embedded appliances, but it will also disable CoreXL.

You would have to test it carefully of course.

Matthias

0 Kudos
Marcel_Gramalla
Advisor

Hi Matthias,

thanks for your help. That sounds like an option but a pretty complex one...if there is no easy way to achieve this we will route all traffic through our main firewall. It works even if it's not the ideal solution.

0 Kudos
Maarten_Sjouw
Champion

Why do you want to route traffic between remote sites through the center? Why don't you just use a simple Mesh community and allow the sites to talk to each other directly?

Regards, Maarten
0 Kudos
Marcel_Gramalla
Advisor

I don't want to connect the remote offices, but everyone has to access other VPN connections that we don't manage. It's not possible to change the whole VPN construct here.

0 Kudos
_Val_
Admin

You over-complicate the issue. What you need is a single Star VPN community with your main cluster as center and the remote offices as satellites. The second option, "to center and other satellites through center", gives you what you need.

There is one caveat, not related to VPN. Make sure each of the satellites has a different internal network IP range OR does unique NAT for internal addresses.

0 Kudos
Marcel_Gramalla
Advisor

It would be nice if I over-complicate the issue but I don't think so. The main point is:

- The remote offices have to access the other VPN tunnels through the main firewall

Every remote office has to access e.g. the Google Cloud via VPN but the connection has to go through the main firewall. And I cannot build a complete new setup where I only have one community for all VPNs.

Your solution doesn't work because the remote offices wouldn't route traffic for the Google Cloud to the main firewall. I double tested this scenario.

_Val_
Admin

Got it.

How is Google Cloud VPN configured on your main GW? If it is a community, you could enable directional VPN rules in your policy and do something like this:



You need to configure routing on the main GW that would make sure one tunnel's cleartext would go to another.

Did you consider such setup?

0 Kudos
Marcel_Gramalla
Advisor

Hi Valeri,

thank you for this option I never looked at. It's quite nice in some other rules :)

But the problem still exists on the given setup. The problem is that the remote offices try to send traffic to e.g. the Google Cloud through the internet when the VPN routing isn't set to the third option. And if I do that, everything is sent through the tunnel.

Maybe I misunderstood you but the problem is still the same. And route based VPN is no option because of CoreXL etc.

Do you have any idea left? Maybe it's something that isn't possible no matter how long we think about it...

0 Kudos
_Val_
Admin

Hello, how is Google Cloud VPN configured on your main cluster? Is it a community?

0 Kudos
Marcel_Gramalla
Advisor

Sorry, it's configured as a star community with our main cluster as center. VPN routing is set to the second option.

0 Kudos
_Val_
Admin

Okay. 

Traffic between two communities can be routed with standard means. Since both communities: Google Cloud <-> Main Cluster & Main Cluster <-> Branch Offices are working, the only missing link is routing on the main cluster.  Look into that. 

Ted_Serreyn
Collaborator

I too have just hit this exact scenario.

0. Started with a third party VPN with a center site with encryption domain with ALL networks. VPN traffic always routed thru center site over MPLS.

1. VPN community1 designed for MPLS backup. MPLSbackupcommunity works and all sites are accessible via remote client thru center site. VPN option is set to second option.

2. Internet access goes out local firewall.

3. Second VPN community to third party. Third party community works and is accessible via remote client thru center site.

 

So I see two options:

 

1. Add all remote sites with firewalls to third party VPN. Not easy to implement, as the third party was already defined with all remote sites. We do not have the ability to change the remote side of the third party VPN.

2. Set VPN option to third choice and route all internet AND VPN traffic thru center site. Bad choice due to the increased load on the internet connection on the center site.

 

The question remains how to do third option on VPN, but still allow internet access out the remote local firewall.

0 Kudos
Maarten_Sjouw
Champion

When you have 2 Star topologies, 1 with all Check Point managed own gateways and one with a 3rd party VPN, you will find that traffic from a CP satellite will be routed through the VPN to the center. The next VPN however does not accept your remotes' IP range when this has not been added on your 3rd party side as living behind your gateway.
In other words, your 3rd party needs to know about your satellites' networks or it will never accept traffic from them.
Regards, Maarten
0 Kudos
Ted_Serreyn
Collaborator

This is exactly why I specified 0 above. The third party already knows about all the remote sites and routes them back to the center site over the VPN. The encryption domain changed from center site networks + all remote site networks, to just center site networks.

Problem is how to get the remote sites to route their traffic to the center site over the VPN without routing internet traffic over the VPN.

We really need a 4th VPN option:

Allow traffic to center, other remote sites, and other VPN sites thru center gateway.

0 Kudos
Maarten_Sjouw
Champion

Using option 2 you should see traffic for the 3rd party routed through the VPN.
Regards, Maarten
0 Kudos
Ted_Serreyn
Collaborator

Nope, option 2 is for other remote sites thru center, NOT a different VPN community. I had to re-read it closely myself.
0 Kudos
Maarten_Sjouw
Champion

Have you tried and checked the logs?
Regards, Maarten
0 Kudos
Ted_Serreyn
Collaborator

Yes, which is why I am posting here.
0 Kudos
Hitesh_Brahmbha
Participant

Hi Marcel,

Did you get the resolution for the posted issue? I'm also facing the same issue with the local internet breakout requirement.

// Source addresses whose traffic should bypass the VPN (the 192.168.200.0/24 hosts)
vpn_exclude_src1={<192.168.200.1,192.168.200.254>};

// Destination addresses to match; note that this inclusive range matches only the
// single address 0.0.0.0, not "any destination"
vpn_exclude_dst1={<0.0.0.0,0.0.0.0>};

// The macro must reference the same set names declared above (vpn_exclude_src1 /
// vpn_exclude_dst1); src and dst are the packet's source and destination fields
#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES ((src in vpn_exclude_src1) and (dst in vpn_exclude_dst1))
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif

Is this the right condition to exclude the internet traffic for the 192.168.200.0/24 network from the VPN?

 

Thanks in advance!!

0 Kudos
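The thread turns on two points: which destinations a satellite sends into the tunnel under each of the three VPN routing options (and why neither option 2 nor option 3 gives "other VPN targets via the center, internet locally"), and what the crypt.def exclusion in the last post actually matches. The script below is an added illustration written for this page, not Check Point code and not taken from any sk; it is a simplified model of the satellite's decision, the option labels are paraphrased from the star community dialog, and every address and network in it is constructed. It deliberately ignores the further requirement Maarten raised (the third-party peer must also accept the satellite's source ranges).

```python
"""Model of a satellite gateway's VPN routing decision and of the crypt.def
NON_VPN_TRAFFIC_RULES match.  Added illustration only; simplified and all
addresses are constructed (not from the thread)."""
import ipaddress

# --- Constructed topology (assumed values) ---------------------------------
CENTER_DOMAIN = [ipaddress.ip_network("10.0.0.0/16")]      # main cluster's encryption domain
SATELLITE_DOMAINS = [ipaddress.ip_network("10.1.0.0/24"),  # other branches in the same star
                     ipaddress.ip_network("10.2.0.0/24")]
# Networks behind the center's OTHER communities (e.g. a third-party peer);
# the satellite is not a member of those communities.
OTHER_VPN_DOMAINS = [ipaddress.ip_network("172.16.50.0/24")]

SAMPLE_DESTINATIONS = ["10.0.0.5", "10.1.0.7", "172.16.50.9", "203.0.113.10"]

# VPN routing options of a star community (labels paraphrased)
TO_CENTER_ONLY = 1
TO_CENTER_AND_SATELLITES = 2
TO_CENTER_SATELLITES_INTERNET_AND_OTHER_VPN = 3


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def classify(dst):
    """Which part of the topology a destination address belongs to."""
    ip = ipaddress.ip_address(dst)
    if _in_any(ip, CENTER_DOMAIN):
        return "center"
    if _in_any(ip, SATELLITE_DOMAINS):
        return "satellite"
    if _in_any(ip, OTHER_VPN_DOMAINS):
        return "other_vpn"
    return "internet"


def satellite_path(dst, vpn_routing):
    """'tunnel' or 'clear' for traffic leaving a satellite under option 1..3."""
    kind = classify(dst)
    if kind == "center":
        return "tunnel"                       # always encrypted to the center
    if kind == "satellite":
        return "tunnel" if vpn_routing >= TO_CENTER_AND_SATELLITES else "clear"
    # Destinations outside the community ('other_vpn' and 'internet') are
    # treated alike: option 3 sends everything to the center, options 1 and 2
    # send it out the local breakout in the clear.  This is the gap the
    # thread describes.
    return "tunnel" if vpn_routing == TO_CENTER_SATELLITES_INTERNET_AND_OTHER_VPN else "clear"


def desired_path(dst):
    """The 'fourth option' asked for: other VPN targets via center, internet local."""
    return "clear" if classify(dst) == "internet" else "tunnel"


def routing_gap(dsts, vpn_routing):
    """Destinations where the chosen option differs from the desired behaviour."""
    return [d for d in dsts if satellite_path(d, vpn_routing) != desired_path(d)]


# --- crypt.def exclusion semantics -----------------------------------------
def ip_range(first, last):
    """INSPECT-style inclusive range <first,last> as a pair of integers."""
    return (int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last)))


def in_set(ip, ranges):
    n = int(ipaddress.ip_address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


def non_vpn_traffic(src, dst, exclude_src, exclude_dst):
    """Mirror of ((src in vpn_exclude_src) and (dst in vpn_exclude_dst))."""
    return in_set(src, exclude_src) and in_set(dst, exclude_dst)


EXCLUDE_SRC = [ip_range("192.168.200.1", "192.168.200.254")]
DST_ZERO_ONLY = [ip_range("0.0.0.0", "0.0.0.0")]          # matches only 0.0.0.0
DST_ANY = [ip_range("0.0.0.0", "255.255.255.255")]        # matches every destination


if __name__ == "__main__":
    for opt in (1, 2, 3):
        print(f"option {opt}: gap vs desired = {routing_gap(SAMPLE_DESTINATIONS, opt)}")
    print("dst 0.0.0.0 only, internet dst excluded?",
          non_vpn_traffic("192.168.200.10", "203.0.113.10", EXCLUDE_SRC, DST_ZERO_ONLY))
    print("dst any, center dst also excluded?",
          non_vpn_traffic("192.168.200.10", "10.0.0.5", EXCLUDE_SRC, DST_ANY))
```

Running it shows option 2 leaving the third-party destination in the clear and option 3 pulling internet traffic into the tunnel, which is the gap discussed above. The second half shows why a `<0.0.0.0,0.0.0.0>` destination set excludes nothing in practice, while widening it to all addresses excludes the center's own domain as well, so the source/destination pair alone cannot express "internet only".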
