This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Antonio_M
Participant
‎2019-10-22 11:41 AM
Jump to solution

Route-based VPN on virtual Systems

Hi,

 

Can we create route-based VPNs on virtual systems? If so, he configuration should be done under the tenant VSX?

Regards.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-10-22 08:51 PM
Jump to solution

Route-Based VPNs require VTIs, which are not currently supported on VSX.

View solution in original post

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2019-10-22 08:51 PM
Jump to solution

Route-Based VPNs require VTIs, which are not currently supported on VSX.
0 Kudos
Antonio_M
Participant
‎2019-10-23 12:20 AM
In response to PhoneBoy
Jump to solution

Thank you PhoneBoy!

0 Kudos
Sanjay_S
Advisor
‎2020-10-05 02:49 AM
In response to Antonio_M
Jump to solution

Hi PhoneBoy,

Does VSX support the VTIs now? I mean can we configure the Route Based VPNs in VSX now?

In case if we need to setup a VPN between AWS or Azure in Virtual System how can we configure it?

Any suggestions? Thanks in advance.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2020-10-05 06:49 AM
In response to Sanjay_S
Jump to solution

R81 will support this for VSX when released.

CCSM R77/R80/ELITE
0 Kudos
Paul_Hagyard
Advisor
‎2022-06-08 09:17 PM
In response to Sanjay_S
Jump to solution

sk113840 - How to configure IPsec VPN (non-VTI) tunnel between Check Point Security Gateway and Amazon Web Services VPC using static routes says:

This article describes how to create a single VPN connection between Check Point and Amazon Web Services and is intended to be used in instances where VTIs are not permitted, such as the 61000 platform or VSX.

Keep in mind that VTI is important for redundancy and flexibility with AWS hosting. As the 61000 platform and VSX do not support VTIs, a single working tunnel can be created using this method, but is not a recommended configuration. Two separate tunnels will need to be created to Amazon Web Services, and any failover between the two tunnels must be done manually.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-06-08 11:01 PM
In response to Paul_Hagyard
Jump to solution

Hi Paul,

This limitation for VSX was addressed starting R81 per sk79700.

 

CCSM R77/R80/ELITE
0 Kudos
Paul_Hagyard
Advisor
‎2022-06-09 12:24 AM
In response to Chris_Atkinson
Jump to solution

Hi Chris,

I'm aware that it's resolved in R81, I was replying to  Sanjay_S who was asking how to configure AWS VPN connectivity on older versions of VSX without support for VTIs - in case someone else had the same question.

Paul

0 Kudos
Paul_Hagyard
Advisor
‎2022-08-07 07:02 PM
In response to Paul_Hagyard
Jump to solution

Except that with further investigation:

  1. The vsx_provisioning_tool command for adding a VTI does not appear to support setting the MTU which is vastly preferable to trying to configure VPN MSS clamping.
  2. There's no mechanism for routes on VSX to use ping tracking. Which means resilient connectivity to AWS would require BGP.

All the more reason to avoid deploying VSX!

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-08-07 09:18 PM
In response to Paul_Hagyard
Jump to solution

AWS recommends BGP for the VPN where available.

MSS clamping works just fine, architecturally it probably has fewer draw backs if your VS is dedicated to the VPN i.e.

Set fw_clamp_vpn_mss=1 to $FWDIR/boot/modules/fwkern.conf
Set sim_clamp_vpn_mss=1 to $PPKDIR/conf/simkern.conf (new file)
Set mss_value to 13XX for <TRANSIT_IF_NAME> in guidbedit for VS
Set MTU to 14XX on <TRANSIT_IF_NAME> for VS in SmartConsole

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events