Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Attiq786
Participant

Cross community VPN traffic

Hi All,

We have 7 SMB(1570) appliances on different sites worldwide. all have site to site VPNs between them.

There is a requirement to establish Azure Cloud VPN and we can create only 4 tunnels maximum.

remaining three sites will need to go through our HQ SMB gateway for Cloud access.

is it possible to have cross-community communication between remaining sites and the cloud, through HQ on SMB appliances?

rather than using enc domains, if i use routing for this, will it work?

 

Regards

Attiq

0 Kudos
7 Replies
G_W_Albrecht
Legend
Legend

Why not go for a star topology ? See Check Point 1400 Appliances Locally Managed Administration Guide R77.20.87 p.164f:

  • VPN star community – One gateway is the center and routes all traffic (encrypted and internet traffic of the remote peer) to the internet and back to the remote peer. The peer gateway is a satellite and is configured to route all its traffic through the center.

    For examples of when to use a mesh or star community, see VPN Community Use Cases (on page 165).

CCSE CCTE CCSM SMB Specialist
0 Kudos
Attiq786
Participant

Thanks @G_W_Albrecht 

I was not sure if I route all traffic through Centre then it will not direct the traffic out to internet rather than going through the Cloud Tunnel. as there is no option to have a multi site community in SMB.  But I guess if I have the set Enc Domain for the cloud tunnel correctly, it will.

also did not want to route all internet traffic through, but I will try. Thanks for the suggestion.

0 Kudos
Bob_Zimmerman
Authority
Authority

How are the devices managed? If you are managing them with a SmartCenter, there are three options:

  1. Satellites to center only
  2. Satellites to center and through center to other satellites
  3. Satellites to center and through center to other satellites and the Internet

Just set up your Azure tunnel as another satellite in the community, pick the second option, and your Internet traffic won't go through the center.

0 Kudos
G_W_Albrecht
Legend
Legend

Having a central GAiA GW with SMS in the star topology would be preferable - but here we only have 7 SMB (1570) appliances locally managed. Only 3. is supported in this case!

 

CCSE CCTE CCSM SMB Specialist
0 Kudos
Attiq786
Participant

@G_W_Albrecht  yes that's correct. all locally managed. I would have loved the Central Management solution, but it was already decided/configured before I took over the project. Nevertheless we might distribute the traffic through 3 different gateways rather than having all the load on only one.

0 Kudos
G_W_Albrecht
Legend
Legend

Another possible configuration without SmartDashboard would be using vpn_route.conf to configure VPN Routing in Domain Based VPN like we read in sk69726: VPN Routing does not work and traffic to other satellites leaves in "clear" when setting up...

This sk is for central management, but using local /opt/fw1/lib/vpn_route.conf has the same effect - this is linked in /pfrm2.0/config1/ or /pfrm2.0/config2/vpn_route.conf

All details can be found in https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SitetoSiteVPN_AdminGuide/Con...

After the changes, new vpn setting can be applied locally without reboot using

vpn_configload

If this does not do the trick, maybe we need:

# fw_configload
# sfwd_restart

CCSE CCTE CCSM SMB Specialist
0 Kudos
G_W_Albrecht
Legend
Legend

But to be on the safe side, i would evaluate this information and open a TAC case to get the confirmation that this is a supported configuration.

CCSE CCTE CCSM SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events