I am implementing a hub and spoke topology using Checkpoint devices across our MPLS. All spoke checkpoint devices will be configured to route to the internet via the Hub Checkpoint.
I am trying to set up route-based VPNs and I need some clarifications on the following.

1. Is the VTI supposed to work like a GRE tunnel (we define tunnel local IPs, tunnel source and tunnel destination), since it also allows routing protocols through IPsec tunnels?

2. Remote Address under the VTI: is this supposed to be the public IP of the peer gateway's external interface, or the local private IP on the VTI of the peer gateway? The image below from the Checkpoint support center shows local (10.10.10.10) and remote (220.127.116.11). I was thinking they have to be on the same subnet for reachability (local 10.10.10.10 and remote 10.10.10.11).

3. For OSPF routing I am using the GUI configuration. Do I have to select the VTI as one of the OSPF interfaces for it to form a neighborship with the peer? I have selected all active LAN interfaces on the Checkpoint devices, and I plan to use OSPF default-information originate to pass the default route from the Hub to the Spoke devices.
Thank you in anticipation.