Re: Mulitple 5 site vpn design P2P and mesh and c...

gajendra229 · ‎2023-05-12

E & B is directly connected vpn

++ E & B need to be directly through P2P vpn

++ D & C need to be directly through P2P vpn

Blason_R · ‎2023-05-13

This forum is not for suggestion on designing the networks and extend help in designing the same but we can help you on technical issues if any. However to give you a hint you can use route based tunnels.

Or best way opt for DMVPN with other devices; this would not be possible with policy based tunnels.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

gajendra229 · ‎2023-05-13

Thanks, Blason for replying,

Sorry if i said need help to design....

I already have this design just trying to understand how do i can achieve this configuration.

Route based tunnels any url where i can learn and configure according to it on checkpoint R80.40?

as i configured vpn domain based tunnel only never configured route-based tunnel.

Does this route-based tunnel require, Routing team to do something differently? mean i need to inform something to configure accroding to configuration in checkpoint?

gajendra229 · ‎2023-05-12

++ E & B need to directly connect to each other through direct tunnel

++ D & A need to directly connect to each other through direct tunnel

How this can be achieved ?

the_rock · ‎2023-05-13

As @Blason_R said...route based tunnels.

gajendra229 · ‎2023-05-13

I got that but didn't understand the concept of creating between this many tunnels per my design , what should be the approach

the_rock · ‎2023-05-13

Below is good reference, but I also pasted some notes I took for myself. I would send you the good doc I have, but it contains private customer info, so cant do that, sorry

Andy

https://support.checkpoint.com/results/sk/sk100726

Some notes I gathered:

Steps for route based azure vpn tunnel:

Star community

Get all the settings from config file on Azure side

Pick any Ips from 169.254.0.0/24 subnet NOT in use with current tunnels for VTIs/remote address

Say:

169.254.0.200, 201 and 202 (master, backup and VIP) and then .203 for remote address (which is also used as DG for subnet on the other side)

Once this is configured, get interfaces without TOPOLOGY

*DO NOT PUSH POLICY YET*

Save changes in dashboard, then add peer external IP to exempt anti spoof group for external interface

Then also add route to external peer IP using actual Internet default DG

MAKE SURE PEER NAME (in VTI settings in web UI) MATCHES WITH INTEROPERABLE OBJECT in dashboard

Create appropriate rule using VPN community (bi-directional match) (internal clear to 3rd party tunnel, 3rd party to 3 rd party, 3rd party to internal clear in vpn column)

Push policy and test

gajendra229 · ‎2023-05-13

Thanks for sharing that any reference doc that can help to build multiple tunnels under same management server

I have 5 gateway, per my design I don't understand how many tunnel have to build

thinking to create 3 route based tunnels as if create domain based it will give an error while pushing policy on firewall

The pair of objects <FW A and FW b> appear simultaneously in the Intranet Communities:

not sure if i can achieve thinks with below 3 tunnels

ABC - mesh
A center gateway, E,D,C satellite gateway - bidirectional flow
C center gateway D,B,E satellite gateway

the_rock · ‎2023-05-13

I would contact TAC for faster resolution.

Are you a member of CheckMates?

Mulitple site vpn design P2P