
Route Based VPN - Configuration

Hello Checkmates, 

I am implementing a hub and spoke topology using Checkpoint devices across our MPLS. All spoke Checkpoint devices will be configured to route to the internet via the Hub Checkpoint.

I am trying to set up route-based VPNs and I need some clarification on the following.

1. Is VTI supposed to work like GRE tunnels (we define tunnel local IPs, tunnel source and tunnel destination), since it also allows routing protocols through IPsec tunnels?

2. Remote Address under the VTI - Is this supposed to be the public IP of the peer gateway's external interface or the local private IP on the VTI of the peer gateway? Image below from Checkpoint support center shows local ( and remote ( I was thinking they have to be on the same subnet for reachability (local and remote

img 3.PNG

3. For OSPF routing I am using the GUI configuration - Do I have to select the VTI as part of the OSPF interfaces for it to form neighborship with the peer? I have selected all active LAN interfaces on the Checkpoint devices and I plan to use OSPF default information originate to pass the default route from Hub to Spoke devices.


Thank you in anticipation. 


1 Reply

VTI is similar to GRE in that traffic routed through the interface is encrypted.
The difference with VTI is that the encapsulation is IPsec.
VTI interfaces are "point to point" and do not have to be on the same subnet.
The VTI IP addresses are private.
If you want OSPF to communicate routes over the VTI interface to the peer at the other end, it must be enabled on both ends of the VTI interface.