Hi All,
We have 7 SMB (1570) appliances on different sites worldwide. All have site-to-site VPNs between them.
There is a requirement to establish an Azure Cloud VPN, and we can create only 4 tunnels maximum.
The remaining three sites will need to go through our HQ SMB gateway for Cloud access.
Is it possible to have cross-community communication between the remaining sites and the cloud, through HQ, on SMB appliances?
Rather than using enc domains, if I use routing for this, will it work?
Regards
Attiq
Why not go for a star topology ? See Check Point 1400 Appliances Locally Managed Administration Guide R77.20.87 p.164f:
VPN star community – One gateway is the center and routes all traffic (encrypted and internet traffic of the remote peer) to the internet and back to the remote peer. The peer gateway is a satellite and is configured to route all its traffic through the center.
For examples of when to use a mesh or star community, see VPN Community Use Cases (on page 165).
Thanks @G_W_Albrecht
I was not sure whether, if I route all traffic through the Centre, it would send the traffic out to the internet rather than through the Cloud tunnel, as there is no option to have a multi-site community in SMB. But I guess if I have set the enc domain for the cloud tunnel correctly, it will.
I also did not want to route all internet traffic through it, but I will try. Thanks for the suggestion.
How are the devices managed? If you are managing them with a SmartCenter, there are three options:
Just set up your Azure tunnel as another satellite in the community, pick the second option, and your Internet traffic won't go through the center.
Having a central GAiA GW with SMS in the star topology would be preferable - but here we only have 7 SMB (1570) appliances locally managed. Only 3. is supported in this case!
@G_W_Albrecht Yes, that's correct. All locally managed. I would have loved the Central Management solution, but it was already decided/configured before I took over the project. Nevertheless, we might distribute the traffic through 3 different gateways rather than having all the load on only one.
Another possible configuration without SmartDashboard would be using vpn_route.conf to configure VPN Routing in Domain Based VPN, as we read in sk69726: VPN Routing does not work and traffic to other satellites leaves in "clear" when setting up...
This sk is for central management, but using local /opt/fw1/lib/vpn_route.conf has the same effect - this is linked in /pfrm2.0/config1/ or /pfrm2.0/config2/vpn_route.conf
All details can be found in https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_SitetoSiteVPN_AdminGuide/Con...
After the changes, the new VPN settings can be applied locally without reboot using
# vpn_configload
If this does not do the trick, maybe we need:
# fw_configload
# sfwd_restart
But to be on the safe side, I would evaluate this information and open a TAC case to get confirmation that this is a supported configuration.
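As an added example (not part of this thread, and not Check Point's own tooling), the script below parses a vpn_route.conf-style table for the hub-and-spoke layout discussed above and traces where a packet would be sent from each gateway. It assumes the documented three-column layout (destination network, next-hop gateway, gateway the entry is installed on, with `#` comments); the gateway names (`HQ_GW`, `Site5_GW`, `Azure_GW`, ...) and subnets are constructed. The sample deliberately leaves `Site7_GW` without an entry so the check shows how a satellite with no VPN route to the cloud network drops out of the tunnelled path, which is the symptom sk69726 describes.

```python
"""Sanity-check a vpn_route.conf-style table for a hub-and-spoke Domain Based VPN.

Added example, not from the thread or from Check Point. The three-column
format (destination, next-hop gateway, install-on gateway) is assumed here;
gateway names and subnets are constructed for illustration only.
"""
import ipaddress

# Constructed sample: HQ_GW owns the Azure tunnel, sites 5 and 6 route the
# cloud network via HQ_GW, and Site7_GW has (deliberately) been forgotten.
SAMPLE_VPN_ROUTE_CONF = """\
# Destination        Next hop router interface   Install on Gateway
10.200.0.0/16        HQ_GW                       Site5_GW
10.200.0.0/16        HQ_GW                       Site6_GW
10.200.0.0/16        Azure_GW                    HQ_GW
10.5.0.0/24          Site5_GW                    HQ_GW
10.6.0.0/24          Site6_GW                    HQ_GW
10.7.0.0/24          Site7_GW                    HQ_GW
"""


def parse_vpn_route_conf(text):
    """Return a list of (network, next_hop, install_on) tuples; reject malformed lines."""
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        dest, next_hop_gw, install_on = fields
        net = ipaddress.ip_network(dest, strict=False)  # raises on a bad prefix
        routes.append((net, next_hop_gw, install_on))
    return routes


def next_hop(routes, gateway, dest_ip):
    """Longest-prefix match among entries installed on `gateway`.

    None means the gateway has no VPN route for that destination, so the
    packet would be handled by its own encryption domain / normal routing.
    """
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for net, hop, installed_on in routes:
        if installed_on != gateway or ip not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, hop)
    return best[1] if best else None


def trace_path(routes, start, dest_ip, max_hops=8):
    """Follow next hops from `start` until a gateway with no further VPN route."""
    path = [start]
    gw = start
    for _ in range(max_hops):
        hop = next_hop(routes, gw, dest_ip)
        if hop is None:
            return path
        if hop in path:
            raise ValueError("routing loop: " + " -> ".join(path + [hop]))
        path.append(hop)
        gw = hop
    raise ValueError(f"exceeded {max_hops} hops tracing {dest_ip} from {start}")


def find_unrouted_satellites(routes, cloud_net, satellites, hub):
    """Satellites lacking an entry that sends cloud_net to the hub."""
    cloud = ipaddress.ip_network(cloud_net)
    missing = []
    for sat in satellites:
        covered = any(
            installed_on == sat and hop == hub and cloud.subnet_of(net)
            for net, hop, installed_on in routes
        )
        if not covered:
            missing.append(sat)
    return missing


if __name__ == "__main__":
    routes = parse_vpn_route_conf(SAMPLE_VPN_ROUTE_CONF)
    for site in ("Site5_GW", "Site6_GW", "Site7_GW"):
        print(site, "->", " -> ".join(trace_path(routes, site, "10.200.1.1")))
    print("satellites with no cloud route via HQ:",
          find_unrouted_satellites(routes, "10.200.0.0/16",
                                   ["Site5_GW", "Site6_GW", "Site7_GW"], "HQ_GW"))
```

Run it against the real file copied off the appliance before applying it with vpn_configload: a satellite that prints a one-element path, or appears in the "no cloud route via HQ" list, is one whose cloud-bound traffic will not enter the tunnel towards HQ.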