This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
FXB
Contributor
‎2019-03-13 06:43 AM

VPN Routing on SMB Appliance with domain-based VPN

Hi folks,

we are trying to set up a VPN connection to a service provider of our company currently. 

Since that company is not able/does not want to define VTIs on their Sophos XG, we need to set up a "classic" VPN Tunnel via Domain-based routing.

The endpoint on our side is a dedicated 1450 checkpoint SMB appliance, running on R77.20.85 and is used just for VPN termination with only IPSec VPN Blade enabled.

We configured the interoperable device with the encryption domain as well as the VPN community. The Tunnel is up and working, SAs are available on both sides and looking at the VPN monitoring on the WebGUI of the 1450 it also shows the Tunnel up.

However when we try to access resources in the encryption domain , we see that the packets do not get routed into the tunnel/community but rather exits the default route to Internet where it gets dropped of course.

With our openserver checkpoint running on R80.10 we never had the problems, that the gateway is not routing the packets into the tunnel when we defined such a VPN tunnel.

Is there something we need to consider/change when setting up a VPN connections with the SMB Appliances?

Any help is appreciated.

Regards,

0 Kudos
6 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-03-13 08:25 AM

I would suggest to put this in the SMB Appliances and SMP corner...

Please look in VPN Site-to-Site with 3rd party

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-13 08:56 AM

$FWDIR/lib/crypt.def  ?

Jerry
0 Kudos
Jerry
Mentor
Mentor
‎2019-03-13 08:57 AM

--sk86582--
Jerry
0 Kudos
FXB
Contributor
‎2019-03-14 03:15 AM

@G_W_Albrecht your right, i should have posted it in that section, i cant move the post after the creating as it seems (or i dont find the option) unfortunately.

@Jerry Thanks for providing the SK. Unfortunately from what i read so far it describes how to exlude specific subnets from VPN routing. Our problem is that they dont get included in VPN routing in the first place.

I am go ahead and have a look at the article @G_W_Albrecht posted if there is sth useful for us.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-14 09:23 PM
In response to FXB

Only admins can move posts. I've taken care of it.
0 Kudos
HristoGrigorov
Mentor
Mentor
‎2019-03-14 11:18 PM
In response to PhoneBoy

Locally or centrally managed appliance? Either way make sure the relevant rule is set to encrypt in the proper community.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events