This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Raj_Khatri
Advisor
‎2021-12-14 07:07 AM

Route-based VPN with 3rd Party - static routing

We currently have a site-to-site VPN with a 3rd party using a route-based VPN.  The 3rd party has a new infrastructure that we need to migrate to but need proper testing before cutover.  A VPN tunnel has been setup and up on the new infrastructure. 

We have a 2 test nodes that are part of the same remote network but traffic is going over the main VPN tunnel.  How can we force the /32 to take the new VPN tunnel as traffic is still going via the production tunnel?

STATIC ROUTES
10.100.1.0/24 GW vpnt1
10.100.1.50/32 GW vpnt2
10.100.1.51/32 GW vpnt2

VPN.jpg

Labels
0 Kudos
2 Replies
AaronCP
Advisor
‎2021-12-18 01:23 PM

It sounds like you could be hitting a supernetting issue. Even though you've specified the two/32 hosts to use a separate VTI, Check Point is supernetting the traffic to the larger /24 network, and using the original VTI.

 

Take a look at SK108600 - Scenario 1. It details how to disable supernetting per VPN community from R80.20, as well as how to define subnets for a specific peer gateway in the user.def file.

 

If that doesn't help, could you NAT those two hosts and attached the NATd address to the VTI?

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2021-12-19 07:05 AM
In response to AaronCP

It shouldn't be a supernetting thing. That only affects the IDs in the phase 2 negotiation, and route-based VPNs on Check Point always negotiate 0.0.0.0/0 for both sides.

With working VTIs, the static routes as described in the original post should work exactly as desired. This makes me think the tunnel to the new endpoint isn't working, or the tunnel to the old endpoint isn't actually using the VTI.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events