This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gaetano_Nicosia
Participant
‎2021-08-25 08:44 AM

Routing on VPN

Good Morning,

I need to connect via site-to-site VPN from site A where the CP 730 appliance firewall is installed to site B where a Sophos firewall is installed that I do not manage.

The site-to-site VPN works correctly and is active.

The Requests from clients of site A that may belong to different VLANs (see the table) must be routed to site B.

SITE A (CHECK POINT 730) TO SITE B (SOPHOS)Destination IP Subnet
Source IP Subnet 
192.168.1.0/24 (Site A)172.20.43.0/24 (Site B)
192.168.10.0/24 (Site A)172.20.43.0/24 (Site B)
192.168.201.0/24 (Site A)172.20.43.0/24 (Site B)

Unfortunately I can't route them correctly.

I used Tracert and it seems that they are routed through the Internet instead of through VPN.

Can you help me to solve the problem?

Thanks and Best Regards

Gaetano

0 Kudos
7 Replies
KennyManrique
Advisor
‎2021-08-25 01:04 PM

Hi Gaetano,

I assume you're using Domain based VPN. Could you share with us both encryption domain objects?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-08-25 01:55 PM
In response to KennyManrique

It’s a 730, which is managed locally.
And the message should have been posted in the SMB space,
But yes, let’s see precisely how you’ve configured the VPN, specifically the remote Encryption Domain.

0 Kudos
Gaetano_Nicosia
Participant
‎2021-08-25 10:38 PM
In response to PhoneBoy

Thank You for reply.

I opened the Firewall GUI and edited the VPN. Please see the picture for the vpn configuration

remotesite.png

In the Advanced tab I don't find the encryption domain, but only in the TAB Remote site.

In Remote Site Encryption domain I have these methods:

  1. Define Remote network topology manually
  2. Route all traffic through this site
  3. Encrypt according to routing table
  4. Hydden behind external IP of the remote gateway

Is the point 1) the correct configuration?

Also this is the configuration in the Advanced TABadvanced.png

And this is the configuration in the TAB Encryption

Encryption.png

I look forward to your welcome reply.

Gaetano

0 Kudos
PhoneBoy
Admin
Admin
‎2021-08-26 09:09 AM
In response to Gaetano_Nicosia

It was in the first screenshot at the bottom.
Now let's double check the local encryption domain.
Hopefully it looks something like:

image.png

There should also be a rule in Access Policy > Firewall > Policy > Incoming, Internal and VPN traffic permitting the relevant traffic, possibly with the option "Match only for encrypted traffic" enabled. 

0 Kudos
Gaetano_Nicosia
Participant
‎2021-08-27 10:58 PM
In response to PhoneBoy

Hello,

Thank You for reply.

I have solved setting "Define local network topology manually" and adding the requested subnet.

After I have create the proper rules in "Access Policy > Firewall > Policy > Incoming, Internal and VPN traffic".

Please can you explain me what is the purpose of the option "Match only for encrypted traffic"?

Thank You and Best regards.

Gaetano

PhoneBoy
Admin
Admin
‎2021-08-28 01:35 AM
In response to Gaetano_Nicosia

That option means the rule would apply only if the traffic went over a VPN connection.

Gaetano_Nicosia
Participant
‎2021-08-28 07:26 AM
In response to PhoneBoy

Thank You

0 Kudos