Gaetano_Nicosia
Participant

Routing on VPN

Good Morning,

I need to connect via site-to-site VPN from site A, where the CP 730 appliance firewall is installed, to site B, where a Sophos firewall that I do not manage is installed.

The site-to-site VPN works correctly and is active.

Requests from clients of site A, which may belong to different VLANs (see the table), must be routed to site B.

SITE A (CHECK POINT 730) TO SITE B (SOPHOS)

Source IP Subnet             Destination IP Subnet
192.168.1.0/24 (Site A)      172.20.43.0/24 (Site B)
192.168.10.0/24 (Site A)     172.20.43.0/24 (Site B)
192.168.201.0/24 (Site A)    172.20.43.0/24 (Site B)

Unfortunately I can't route them correctly.

I used Tracert and it seems that they are routed through the Internet instead of through the VPN.

Can you help me to solve the problem?

Thanks and Best Regards

Gaetano

KennyManrique
Advisor

Hi Gaetano,

I assume you're using Domain based VPN. Could you share with us both encryption domain objects?

PhoneBoy
Admin

It’s a 730, which is managed locally.
And the message should have been posted in the SMB space.
But yes, let’s see precisely how you’ve configured the VPN, specifically the remote Encryption Domain.

Gaetano_Nicosia
Participant

Thank you for the reply.

I opened the firewall GUI and edited the VPN. Please see the picture for the VPN configuration.

remotesite.png

In the Advanced tab I don't find the encryption domain, only in the Remote Site tab.

In Remote Site Encryption domain I have these methods:

  1. Define Remote network topology manually
  2. Route all traffic through this site
  3. Encrypt according to routing table
  4. Hidden behind external IP of the remote gateway

Is option 1 the correct configuration?

This is also the configuration in the Advanced tab:

advanced.png

And this is the configuration in the Encryption tab:

Encryption.png

I look forward to your reply.

Gaetano

PhoneBoy
Admin

It was in the first screenshot at the bottom.
Now let's double check the local encryption domain.
Hopefully it looks something like:

image.png

There should also be a rule in Access Policy > Firewall > Policy > Incoming, Internal and VPN traffic permitting the relevant traffic, possibly with the option "Match only for encrypted traffic" enabled.

Gaetano_Nicosia
Participant

Hello,

Thank you for the reply.

I solved it by setting "Define local network topology manually" and adding the requested subnet.

Afterwards I created the proper rules in "Access Policy > Firewall > Policy > Incoming, Internal and VPN traffic".

Could you please explain to me the purpose of the option "Match only for encrypted traffic"?

Thank You and Best regards.

Gaetano

PhoneBoy
Admin

That option means the rule would apply only if the traffic went over a VPN connection.
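As an added illustration (not Check Point code, and not from anyone in this thread), the following models how a domain-based site-to-site VPN decides whether a packet is encrypted, using the subnets from Gaetano's table: with only 192.168.1.0/24 in the local encryption domain, the other two VLANs fall through to plain routing (which is what the traceroute showed), and a rule with "Match only for encrypted traffic" only fires for traffic the tunnel actually carries. The local-domain lists, rule shape and sample addresses are constructed assumptions.

```python
# Added illustration of domain-based VPN matching; not the appliance's own logic.
from ipaddress import ip_address, ip_network

# Constructed from the thread's table: one remote (Site B) domain and two
# candidate local (Site A) encryption domains, before and after the fix.
REMOTE_DOMAIN = [ip_network("172.20.43.0/24")]
LOCAL_DOMAIN_BEFORE = [ip_network("192.168.1.0/24")]          # one VLAN only
LOCAL_DOMAIN_AFTER = [ip_network(n) for n in (                 # all three VLANs
    "192.168.1.0/24", "192.168.10.0/24", "192.168.201.0/24")]


def in_domain(addr, domain):
    """True if addr falls inside any network of the encryption domain."""
    return any(ip_address(addr) in net for net in domain)


def vpn_decision(src, dst, local_domain, remote_domain=REMOTE_DOMAIN):
    """'vpn' when src is in the local domain AND dst in the remote domain;
    otherwise 'internet', i.e. the packet follows the normal default route."""
    if in_domain(src, local_domain) and in_domain(dst, remote_domain):
        return "vpn"
    return "internet"


def rule_matches(src, dst, local_domain, encrypted_only):
    """Access-policy rule permitting Site A VLANs -> Site B (assumed shape).
    With 'Match only for encrypted traffic' enabled, the rule additionally
    requires that the packet actually travels through the VPN tunnel."""
    permitted = in_domain(src, LOCAL_DOMAIN_AFTER) and in_domain(dst, REMOTE_DOMAIN)
    if encrypted_only:
        return permitted and vpn_decision(src, dst, local_domain) == "vpn"
    return permitted


def audit(local_domain):
    """Map each Site A VLAN to where a host in it would send Site B traffic."""
    return {str(net): vpn_decision(str(net.network_address + 10),
                                   "172.20.43.10", local_domain)
            for net in LOCAL_DOMAIN_AFTER}


if __name__ == "__main__":
    print("before:", audit(LOCAL_DOMAIN_BEFORE))
    print("after: ", audit(LOCAL_DOMAIN_AFTER))
```

Running the audit with the "before" domain reproduces the symptom (two VLANs marked internet); the "after" domain sends all three through the tunnel.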

Gaetano_Nicosia
Participant

Thank you
