cryptochrome
Collaborator

Help me understand split tunneling modes

Hello,

I am having a bit of trouble grasping split tunneling in SASE, as I am getting some contradicting information.

Question:

Does "Full Tunnel" still allow access to the local LAN (directly connected network), or will that traffic be routed to the SASE network?

I have spoken to Support about this and received different answers. Yes, and no. 

Assuming it's no, I would have to switch to Exclude mode if I want to avoid local traffic being routed into the SASE network. In that case, how can I establish cross-site communications?

Example:

Site 1: 192.168.0.0/24
Site 2: 10.10.10.0/24

Two IPSec tunnels, connecting each site to Harmony SASE. Split Tunnel configuration set to exclude both networks, so each network can access local resources without going through the SASE tunnel.

In that scenario, how would 192.168.0.0/24 communicate with 10.10.10.0/24 (and vice versa), given both are now excluded from the tunnel? Would I set up static routes in the SASE network?


0 Kudos
16 Replies
the_rock
Legend

I will let someone else confirm for sure, but my educated guess would be yes, based on the document below.

Andy

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/SASE-Admin-Guide/CP_Harmony_S...

cryptochrome
Collaborator

Thanks Andy. So the routes would override (take precedence) over the split tunnel config? If I exclude 192.168.0.0/24 in split tunnel, but then add a route for the same network, it would work? 

It seems a bit counter-intuitive, as that would tell the clients, hey listen, 192.168.0.0/24 is excluded in split tunnel so you can reach your local printer without going through the VPN, but hey, here is a route for 192.168.0.0/24 that sends traffic into the VPN...

In a "classical" network, the locally connected subnet would have a lower metric, so it would always be routed locally, but I am not sure with this one. 


0 Kudos
the_rock
Legend

I believe that's what the option of "include" and "exclude" is for within the split tunneling setting in the SASE portal. I don't have access to it atm, but will check it tomorrow and confirm.

I get what you are saying about the routes, it's 100% true that in a classic network, the locally connected subnet would have a lower metric.

Andy

0 Kudos
the_rock
Legend

I found a screenshot I took of it last week. Based on this, I'm pretty sure that with full tunnel, EVERYTHING would be routed through the tunnel itself (SASE).

Andy


Screenshot_1.png

0 Kudos
cryptochrome
Collaborator

Thanks Andy. So I guess the correct steps would be:

* Exclude local networks in Split Tunneling
* Add routes to these networks in routing config, pointing to tunnel interfaces

I am going to play around with this a bit.

the_rock
Legend

I will check how my colleague and I did it for the customer, but that sounds 100% right. Give me about an hour brother.

Andy

0 Kudos
the_rock
Legend

You got it, I just confirmed, though I had a gut feeling that's how it was. I also included a post I made about route-based tunnels explaining all this and also a couple of screenshots to help you out. MAKE SURE the peer in the VTI settings is the same as the interoperable object, otherwise it won't work. If you need a remote session, happy to help. There is also a text file my colleague and I put together a few years ago that I attached in that post; it lists step by step as far as the Azure config.

Andy


https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

Screenshot_1.png

Screenshot_2.png

P.S. I feel this is important to say... we usually pick an UNNUMBERED VTI, because this customer uses BGP, but even if someone does not, it would still work. This is somewhat relevant, because some people may "freak out" in such a case: when you get an interface without topology, you will see the VTI with the EXACT same IP address as the interface it "hangs" off, but it's totally NORMAL.

Anyway, that's all I can think of for now mate 🙂

0 Kudos
cryptochrome
Collaborator

Hey Andy, thanks for confirming 🍻  But I think the article/screenshots are related to Gateway/Firewall, not SASE 🙂  But I get the gist of it. Cheers!


0 Kudos
the_rock
Legend

Yes, I know, that's on the Gaia side, 'cause on the SASE end, all you need to do is make sure you correctly indicate the include/exclude options and also the networks tab. There is no, per se, routing config you modify.

Andy

0 Kudos
cryptochrome
Collaborator

Hm ok, that kind of puts me back to square one (pardon me, I am slow :D). If all I do is the exclusion, then I still have the problem that once excluded, Site 1 can't talk to Site 2 (and vice versa), as both networks are excluded from the tunnel. 

There is a routing config in SASE. It allows me to specify a destination network and the tunnel traffic should flow through. 


0 Kudos
the_rock
Legend

All good mate, it's fairly new to all of us. I can't find anything about it, UNLESS below is what you meant?

Andy


Screenshot_1.png

0 Kudos
cryptochrome
Collaborator

Not quite, but this:


Screenshot 2024-10-23 at 17.13.15@2x.png

There is a routing table. I think this is what I need. It auto-populated for another site that is using the Linux connector rather than an IPSec tunnel. 

0 Kudos
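To make the scenario from this thread concrete, here is an added toy model (example code, not Check Point's or the Harmony SASE client's logic) of the two lookups involved: the endpoint's split-tunnel decision and the SASE routing table. It assumes, as labelled in the comments, that an excluded destination leaves the endpoint via the local LAN gateway, that the site gateway sends non-local traffic up its IPsec tunnel to SASE, and that the SASE routing table is a longest-prefix-match table mapping destination networks to site tunnels; the tunnel names and the test addresses are constructed.

```python
from ipaddress import ip_address, ip_network

# Site networks from the thread.
SITE1 = ip_network("192.168.0.0/24")
SITE2 = ip_network("10.10.10.0/24")

# Split tunnel in Exclude mode, excluding both site networks (the question's setup).
EXCLUDED = [SITE1, SITE2]

# SASE routing table (constructed): destination network -> IPsec tunnel to that site.
SASE_ROUTES = {SITE1: "tunnel-site1", SITE2: "tunnel-site2"}


def endpoint_next_hop(dst, mode="exclude"):
    """Assumed endpoint behaviour: 'full' sends everything into the SASE tunnel;
    'exclude' sends excluded destinations to the local LAN, the rest into the tunnel."""
    addr = ip_address(dst)
    if mode == "full":
        return "sase-tunnel"
    if mode == "exclude":
        return "local-lan" if any(addr in net for net in EXCLUDED) else "sase-tunnel"
    raise ValueError(f"unsupported mode: {mode}")


def sase_lookup(dst):
    """Assumed SASE routing table lookup: longest prefix match, None if no route."""
    addr = ip_address(dst)
    matches = [net for net in SASE_ROUTES if addr in net]
    if not matches:
        return None
    return SASE_ROUTES[max(matches, key=lambda net: net.prefixlen)]


def trace(src_site, dst):
    """Path of a packet from an endpoint on src_site to dst, as a list of hops."""
    path = [endpoint_next_hop(dst)]
    if path[0] == "local-lan":
        if ip_address(dst) in src_site:
            path.append("delivered-on-lan")           # e.g. the local printer
        else:
            # Assumed: the site gateway forwards non-local traffic over its IPsec
            # tunnel to SASE, where the routing table picks the other site's tunnel.
            path += ["site-ipsec-to-sase", sase_lookup(dst) or "no-route"]
    else:
        path.append(sase_lookup(dst) or "sase-internet-egress")
    return path


if __name__ == "__main__":
    for dst in ("192.168.0.50", "10.10.10.7", "203.0.113.5"):
        print(dst, "->", " > ".join(trace(SITE1, dst)))
```

Under these assumptions, excluding both site networks keeps printer traffic on the LAN while cross-site traffic still reaches the other site through the SASE routing table; the place to verify the real precedence rule is the portal's routing table rather than this model.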
the_rock
Legend

100% thats what you need, sorry, I was looking at the wrong place, apologies.

Andy


Screenshot_1.png

the_rock
Legend

@cryptochrome For the context, in case this may help someone else, this is where it is in the portal.

Andy

Screenshot_2.png


the_rock
Legend

Updated screencap 🙂


Screenshot_1.png

the_rock
Legend

@cryptochrome 

Does it make sense what I mentioned about the routing part? If it's still not clear, please let me know and I can test.

Andy

0 Kudos