gajendra229
Explorer

Multiple site VPN design P2P

E & B is directly connected VPN

++ E & B need to be directly connected through P2P VPN

++ D & C need to be directly connected through P2P VPN

0 Kudos
8 Replies
Blason_R
Leader

Hi @gajendra229 

This forum is not for suggestions on designing networks or extending help in designing them, but we can help you with technical issues, if any. However, to give you a hint, you can use route-based tunnels.

Or, the best way, opt for DMVPN with other devices; this would not be possible with policy-based tunnels.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
gajendra229
Explorer

Thanks, Blason, for replying.

Sorry if I said I need help to design...

I already have this design, just trying to understand how I can achieve this configuration.

Route-based tunnels: any URL where I can learn and configure according to it on Check Point R80.40?

As I have configured VPN domain-based tunnels only, never configured a route-based tunnel.

Does this route-based tunnel require the Routing team to do something differently? I mean, do I need to inform them of something to configure according to the configuration in Check Point?

0 Kudos
gajendra229
Explorer

[Image: Capture1.JPG]

++ E & B need to directly connect to each other through direct tunnel

++ D & A need to directly connect to each other through direct tunnel

How can this be achieved?

0 Kudos
the_rock
Legend

As @Blason_R said...route based tunnels.

0 Kudos
gajendra229
Explorer

I got that, but didn't understand the concept of creating this many tunnels per my design; what should be the approach?

0 Kudos
the_rock
Legend

Below is a good reference, but I also pasted some notes I took for myself. I would send you the good doc I have, but it contains private customer info, so can't do that, sorry.

Andy

https://support.checkpoint.com/results/sk/sk100726

Some notes I gathered:

Steps for route-based Azure VPN tunnel:

Star community

Get all the settings from the config file on the Azure side

Pick any IPs from the 169.254.0.0/24 subnet NOT in use with current tunnels for VTIs/remote address

Say: 169.254.0.200, .201 and .202 (master, backup and VIP) and then .203 for the remote address (which is also used as DG for the subnet on the other side)

Once this is configured, get interfaces without TOPOLOGY

*DO NOT PUSH POLICY YET*

Save changes in dashboard, then add the peer external IP to the exempt anti-spoof group for the external interface

Then also add a route to the external peer IP using the actual Internet default DG

MAKE SURE PEER NAME (in VTI settings in web UI) MATCHES WITH INTEROPERABLE OBJECT in dashboard

Create appropriate rule using VPN community (bi-directional match) (internal clear to 3rd party tunnel, 3rd party to 3rd party, 3rd party to internal clear in VPN column)

Push policy and test

0 Kudos
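The notes above are a manual checklist, and the mistakes they guard against (reusing a 169.254.0.0/24 address another tunnel already owns, a VTI peer name that does not match the interoperable object, forgetting the anti-spoofing exception or the host route to the peer) all surface only after policy push. The following is an added example, not code from the thread or from Check Point: a small Python preflight that picks an unused run of four link-local addresses for a clustered numbered VTI and then checks a proposed tunnel against the same conditions the notes list. The input shapes (`in_use`, `interop_object_names`, `antispoof_exempt`, `static_routes`) and all sample addresses and names are constructed for the example.

```python
import ipaddress

# Link-local pool the notes draw VTI addresses from.
VTI_POOL = ipaddress.ip_network("169.254.0.0/24")


def plan_cluster_vti(in_use):
    """Pick four consecutive unused host addresses from VTI_POOL for a
    clustered numbered VTI: master, backup, VIP, and the remote address
    (which the far side also uses as its default gateway for the link).

    `in_use` is the set of addresses already consumed by existing tunnels
    (assumed input shape: iterable of dotted-quad strings).
    """
    used = {ipaddress.ip_address(a) for a in in_use}
    hosts = list(VTI_POOL.hosts())
    for i in range(len(hosts) - 3):
        run = hosts[i:i + 4]
        if not any(h in used for h in run):
            return {
                "master": str(run[0]),
                "backup": str(run[1]),
                "vip": str(run[2]),
                "remote": str(run[3]),
            }
    raise RuntimeError("no free run of four addresses left in the VTI pool")


def preflight_route_based_tunnel(tunnel, in_use, interop_object_names,
                                 antispoof_exempt, static_routes):
    """Return the list of problems to fix before pushing policy.

    `tunnel` holds `vti` (dict as returned by plan_cluster_vti or hand-picked),
    `peer_name` (the name typed in the VTI settings) and `peer_ip` (the peer's
    external address). `interop_object_names` are the interoperable-device
    object names in the dashboard, `antispoof_exempt` the addresses in the
    external interface's anti-spoofing exception group, and `static_routes`
    a mapping of destination -> next hop on the gateway. All assumed shapes.
    """
    problems = []
    vti = tunnel["vti"]
    addrs = [ipaddress.ip_address(vti[k])
             for k in ("master", "backup", "vip", "remote")]
    used = {ipaddress.ip_address(a) for a in in_use}

    if len(set(addrs)) != len(addrs):
        problems.append("VTI addresses are not all distinct")
    for a in addrs:
        if a not in VTI_POOL:
            problems.append(f"{a} is outside {VTI_POOL}")
        if a in used:
            problems.append(f"{a} is already used by another tunnel")
    if tunnel["peer_name"] not in interop_object_names:
        problems.append(f"VTI peer name {tunnel['peer_name']!r} "
                        "has no matching interoperable object")
    if tunnel["peer_ip"] not in antispoof_exempt:
        problems.append(f"peer {tunnel['peer_ip']} is not in the "
                        "anti-spoofing exception group")
    if tunnel["peer_ip"] not in static_routes:
        problems.append(f"no route to peer {tunnel['peer_ip']} "
                        "via the Internet default gateway")
    return problems


if __name__ == "__main__":
    # Constructed sample: one existing tunnel already uses .1 and .2.
    existing = {"169.254.0.1", "169.254.0.2"}
    print("suggested VTI addresses:", plan_cluster_vti(existing))

    # Constructed sample mirroring the notes (.200-.203), with placeholder
    # peer name and documentation-range addresses.
    proposed = {
        "vti": {"master": "169.254.0.200", "backup": "169.254.0.201",
                "vip": "169.254.0.202", "remote": "169.254.0.203"},
        "peer_name": "AzureVPN-peer",
        "peer_ip": "203.0.113.10",
    }
    for p in preflight_route_based_tunnel(
            proposed, existing, {"AzureVPN-peer"},
            {"203.0.113.10"}, {"203.0.113.10": "198.51.100.1"}):
        print("PROBLEM:", p)
```

Run it before the policy push; an empty problem list means the tunnel satisfies every check the notes spell out, and each reported line names the exact step that was skipped.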
gajendra229
Explorer

Thanks for sharing that. Any reference doc that can help to build multiple tunnels under the same management server?

I have 5 gateways; per my design I don't understand how many tunnels have to be built.

Thinking to create 3 route-based tunnels, as if I create domain-based ones it will give an error while pushing policy on the firewall:

The pair of objects <FW A and FW b> appear simultaneously in the Intranet Communities:

Not sure if I can achieve things with the below 3 tunnels:

ABC - mesh
A center gateway, E,D,C satellite gateway - bidirectional flow
C center gateway D,B,E satellite gateway

0 Kudos
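The policy verification error quoted above fires when one pair of gateways is covered by more than one community, and the three communities proposed in this post overlap in exactly that way (A and C are in both the ABC mesh and the A-centered star; B and C are in both the mesh and the C-centered star), while the E-B direct tunnel asked for earlier in the thread is not covered by any of them. The following is an added example, not code from the thread or from Check Point: a Python design check that expands mesh and star communities into the gateway pairs each one creates, reports pairs that appear more than once, and reports required direct pairs that no community provides. The community dictionaries and the gateway letters are the ones from the post; the dictionary shape itself is an assumption of the example.

```python
from itertools import combinations


def community_pairs(community):
    """Return the set of gateway pairs that a community gives a tunnel to.

    A mesh links every member to every other member; a star links the
    center to each satellite only, so satellite-to-satellite traffic has
    no direct tunnel unless another community covers that pair.
    """
    if community["type"] == "mesh":
        return {frozenset(p) for p in combinations(community["members"], 2)}
    if community["type"] == "star":
        return {frozenset((community["center"], s))
                for s in community["satellites"]}
    raise ValueError(f"unknown community type {community['type']!r}")


def duplicate_pairs(communities):
    """Map each gateway pair that appears in more than one community to the
    names of those communities: the condition behind the verification error
    'The pair of objects ... appear simultaneously in the Intranet Communities'.
    """
    seen = {}
    for c in communities:
        for pair in community_pairs(c):
            seen.setdefault(pair, []).append(c["name"])
    return {pair: names for pair, names in seen.items() if len(names) > 1}


def missing_direct_pairs(communities, required):
    """Required direct pairs that no community provides a tunnel for."""
    covered = set().union(*(community_pairs(c) for c in communities))
    return {frozenset(p) for p in required} - covered


# The three communities proposed in the post.
PROPOSED = [
    {"name": "ABC-mesh", "type": "mesh", "members": ["A", "B", "C"]},
    {"name": "A-star", "type": "star", "center": "A",
     "satellites": ["E", "D", "C"]},
    {"name": "C-star", "type": "star", "center": "C",
     "satellites": ["D", "B", "E"]},
]
# Direct tunnels the design requires (from the earlier post in the thread).
REQUIRED_DIRECT = [("E", "B"), ("D", "A")]


if __name__ == "__main__":
    dups = duplicate_pairs(PROPOSED)
    for pair in sorted(dups, key=sorted):
        print("pair", "-".join(sorted(pair)), "appears in", dups[pair])
    for pair in sorted(missing_direct_pairs(PROPOSED, REQUIRED_DIRECT), key=sorted):
        print("no direct tunnel for", "-".join(sorted(pair)))
```

Edit `PROPOSED` until `duplicate_pairs` returns an empty dict and `missing_direct_pairs` returns an empty set; that is the point at which the set of communities both passes verification and contains every direct tunnel the design calls for.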
the_rock
Legend

I would contact TAC for faster resolution.

0 Kudos