Hello everyone,
Please tell me if I'm on the right track. I saw some videos and tutorials, but they are all for a clustered setup.
On our side we have CP R80.40; the remote side has a Cisco router. They want a route-based VPN. What I will do:
1. create a VTI in Gaia:
2. create an Interoperable Device with the Cisco public IP
3. create a VPN community with an empty encryption domain (a VPN community just like for a policy/domain-based VPN)
4. add a static route: remote network behind the VTI
5. something else?
Thank you in advance!
MAKE SURE the remote address is the one used as the default gateway for the static route to the remote site.
Check out this post
Andy
It's a cluster, but you get the idea. If you need help, we can do a remote session after hours.
Hello,
The "peer" parameter is NOT the public IP address of the peer. It is the name of the object you created in SmartConsole for the Cisco device. So you should switch steps 1 and 2. Also, the static routes should use the VTI interface as the next hop and not an IP address. I have had some issues using an IP address instead of the interface.
One missing step (should be number 3 in your example) is to run Get Interfaces on your R80.40 gateway object in SmartConsole. It is not possible to create a VTI interface manually; it must be fetched by a Get Interfaces. I would use Get Interfaces without the topology option.
And of course you must have rules that allow the traffic. I think that is all.
Regards
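Putting the corrected order together, as an added example that is not from any post in this thread: the Gaia clish side of a route-based IPsec VTI on a single (non-cluster) R80.40 gateway, with the SmartConsole steps given as comments because they are not clish commands. The interoperable device name Cisco_RTR, the 10.255.0.0/30 VTI addresses and the remote network 192.168.50.0/24 are assumed placeholders. This is a plain IPsec VTI, which is the route-based VPN Gaia supports; it does not provide GRE encapsulation.

```clish
# Added example, not from the thread. Assumed values: interoperable device
# object "Cisco_RTR", VTI endpoints 10.255.0.1/10.255.0.2 (a private /30 used
# nowhere else), remote network 192.168.50.0/24 behind the Cisco.
#
# Step 1 (SmartConsole, not clish): create the interoperable device object
# "Cisco_RTR" with the Cisco's public IP, then a VPN community containing
# this gateway and "Cisco_RTR" with empty encryption domains. The object must
# exist first, because "peer" below is that object name, NOT the public IP.

# Step 2: numbered VTI. Tunnel number 1 becomes the interface vpnt1.
add vpn tunnel 1 type numbered local 10.255.0.1 remote 10.255.0.2 peer Cisco_RTR
set interface vpnt1 state on

# Optional (assumed value): lower the VTI MTU so encrypted packets are not fragmented.
# set interface vpnt1 mtu 1400

# Step 3: route the remote network through the VTI. The next hop is the
# logical interface, not the remote VTI address.
set static-route 192.168.50.0/24 nexthop gateway logical vpnt1 on

save config

# Step 4 (SmartConsole): on the gateway object, Network Management >
# Get Interfaces > Without Topology, so vpnt1 appears; add Access Control
# rules for the traffic; publish and install policy.

# Checks after policy installation:
show vpn tunnels
show interface vpnt1
show route
```

The `#` lines are explanation for the reader; paste only the command lines into clish. If the tunnel comes up but traffic does not flow, the usual culprits are the ones raised in this thread: a static route pointing at an IP instead of `vpnt1`, or the VTI not yet fetched into the gateway object with Get Interfaces.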
Yes, very true about the peer; I totally missed that part. It is indeed the NAME of the interoperable object.
Andy
Thanks for the suggestions. One more question: Get Interfaces - with or without Topology?
If I choose with, it changes all interfaces... I'm getting more than 100 changes in total.
If I choose without, it also changes all interfaces; I'm getting ~26 changes (because I have ~26 interfaces) even though I don't see any in SmartConsole. To be honest, I have no desire to change any productive interfaces... What to do?
I never do with topology, always without... if you use the with topology option, it will reset everything to default.
Andy
Hello,
I would use Get Interfaces without topology. I understand what you say; it happens to me every time I create a new route-based VPN. I am not sure why those changes appear, but it has always happened every time I created a new VTI, and the configuration never changed, so you could safely publish. If you want to be sure, you can check your previous configuration with the Policy Installation History feature: it will open a new SmartConsole in read-only mode with the policy you had before doing the fetch, and you will be able to compare the interface configuration.
Regards
Hello,
Is this a GRE tunnel? XD That would have been a good piece of information at the beginning, haha. GRE is supported starting in R81. From sk92845:
Generic Routing Encapsulation (GRE) Tunnels are not supported on Gaia OS running versions lower than R81.
Starting from R81, GRE Tunnels are supported.
Note: This is relevant to CloudGuard, as well as in physical appliances.
For R81 or newer versions:
https://support.checkpoint.com/results/sk/sk169794
Regards
Hi RS_Daniel,
Yes, I've just got new info that this is GRE over IPsec.
Off-topic - do we always need a GRE interface for a GRE tunnel?
I found an article saying that CP supported GRE over IPsec even in 2011. I understand that it is a different CP, but still... Can we configure GRE over IPsec?
I'm pretty sure it's still supported, as per below.
Andy
Hello the_rock,
I'm sorry, but your link is about GRE Tunnel, which is not supported in R80.... It was already sent by RS_Daniel.
Right, but I'm fairly sure it's still supported.
Andy
Unfortunately we didn't manage to make GRE over IPsec work on CP R80.40. We have temporarily installed another server until we upgrade CP to R81.
Fair enough. You may as well go with R81.20, as it's recommended and super stable.
Andy