Roy_Smith
Collaborator

Routing between VPNs

Hi

We have 2 domain based S2S vpns to separate 3rd parties. We have no control over the remote VPN gateways, although I know VPN1 is a Fortinet and VPN2 is Azure. Both VPNs are through the same VS on our VSX cluster running R81.10. 

These are 2 separate star community VPNs. There are different encryption domains configured for each gateway in each community. Both VPN tunnels are up and our users can access the servers at both locations.

We now need to route between the 2 VPNs, i.e. servers on VPN1 need to access servers on VPN2 and vice versa.

As these are domain based, do I need to use vpn_route.conf? How does that work if the remote gateways are not Check Point and I don't have access to them?

Or is there another way to route between the 2 VPNs?

Thanks
Roy

8 Replies
G_W_Albrecht
Legend

Without access to the remote peers this cannot work - first, clients behind the peer GW have to know that traffic to the other remote site is routed into the VPN tunnel. Otherwise this is very easily done if you reduce to one star community and select routing through the center to satellites.

But you can do it otherwise - let the 3rd party peers have an S2S VPN together and you will have to change nothing!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Roy_Smith
Collaborator

I did think setting up one community would be the way to do it, but it does not work. With one community, I have to have the routing set to "To center or through the center to other satellites, to Internet and other VPN targets". If I use "To center and to other satellites through center", I am unable to connect to the remote servers.

We also are using NAT between the 2 suppliers and ourselves. Does that affect the routing between the 2 VPNs?

 

 

the_rock
Legend

I think what Guenther said makes total sense. If you have 1 star community, then you could have, say, the CP gw as center and those other 2 as satellites and have the option checked to route through the center and to satellites through it. As far as NAT, it should not affect this, as NAT is more so that access from both sides works properly.

Andy

Roy_Smith
Collaborator

I see the traffic coming in from VPN1 and being decrypted. I can see the NAT rules applied correctly, but running fw monitor and tcpdump shows the traffic is then forwarded out the Internet connection. It does not get encrypted, so it does not go out over the VPN, just straight out to the Internet as that is the default route, since the NAT ranges I use for the destinations don't exist in the routing table. The guys at VPN2 do not see the traffic hitting their gateway.

If vpn_route.conf is not suitable for domain based VPNs, where else can I configure the VPN routing?

G_W_Albrecht
Legend

But it is - see sk104760, ATRG: VPN Core:

VPN Routing - Way of directing communication through a specific VPN tunnel in order to enhance existing connectivity or security. In addition, VPN routing can be used to reduce connectivity costs.

Domain Based VPN - VPN traffic is routed within the VPN community based on the encryption domain behind each Security Gateway in the community. In a Star community, this allows satellite Security Gateways to communicate with each other through central Security Gateways. Configuration for Domain Based VPN is performed directly through SmartDashboard.

Route Based VPN - VPN traffic is routed within the VPN community based on the routing information, static or dynamic, configured on the Operating Systems of the Security Gateways.

SmartDashboard configuration allows routing the traffic between Satellites via the Center and between Satellites and the Internet (route all traffic via the center). "Manual" routing configuration is available via the $FWDIR/conf/vpn_route.conf file on the Security Management Server.

Notes:

VPN Routing is supported only with a Simplified VPN Mode Security Policy.
If both Domain Based VPN and Route Based VPN are configured, then Domain Based VPN will take precedence.
Route Based VPN is not supported with IKEv2.

$FWDIR/conf/vpn_route.conf - configuration file on Security Management Server / Domain Management Server used for granular control over Domain Based VPN routing between Security Gateways.

Notes:

The file format is: Destination, Next hop router, Install on Security Gateway, Force Override (optional field)
Fields must be separated by tabs.
All entries must be objects that exist in the Management database. The names must match object names exactly.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
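The vpn_route.conf format quoted from sk104760 above is easy to get wrong in ways that are hard to spot by eye: spaces instead of tabs, or an object name that differs from the Management object only in case. As an added example, not part of this thread and not Check Point code, here is a small Python checker that enforces exactly the rules quoted: tab-separated fields, the three mandatory fields plus the optional Force Override, and names that match existing Management objects. The object names (VSX_VS1, Branch_GW, Supplier1_GW, Supplier2_GW, Supplier1_EncDom, Supplier2_EncDom), the split into managed gateways and other objects, and the sample file are constructed; the sample entries only illustrate the syntax and are not a claim that they solve the routing problem discussed in this thread.

```python
"""Syntax and object-name checker for $FWDIR/conf/vpn_route.conf.

Added example, not Check Point code. It enforces only what the sk104760
excerpt states about the file: one entry per line, fields separated by
tabs, the mandatory fields Destination / Next hop router / Install on
Security Gateway, an optional fourth Force Override field, and names that
match existing Management objects exactly. Object names, the split into
managed gateways and other objects, and the sample file are hypothetical.
"""

from __future__ import annotations

# Hypothetical object names. In practice these would be exported from the
# Management server rather than hard-coded here.
MANAGED_GATEWAYS = {"VSX_VS1", "Branch_GW"}  # Check Point gateways policy can be installed on
OTHER_OBJECTS = {
    "Supplier1_GW",      # interoperable device object for the Fortinet peer
    "Supplier2_GW",      # interoperable device object for the Azure peer
    "Supplier1_EncDom",  # network/group objects used as encryption domains
    "Supplier2_EncDom",
}

# Constructed sample file. Entries 2 and 3 are well-formed (Branch_GW is told
# to reach a supplier's domain via the center VSX_VS1); each later entry
# shows one mistake that makes it unusable.
SAMPLE = "\n".join([
    "# vpn_route.conf: Destination<TAB>Next hop<TAB>Install on[<TAB>Force Override]",
    "Supplier2_EncDom\tVSX_VS1\tBranch_GW",
    "Supplier1_EncDom\tVSX_VS1\tBranch_GW\ttrue",
    "Supplier2_EncDom VSX_VS1 Branch_GW",        # spaces instead of tabs
    "supplier2_encdom\tVSX_VS1\tBranch_GW",      # object name case mismatch
    "Supplier2_EncDom\tVSX_VS1",                 # mandatory field missing
    "Supplier1_EncDom\tVSX_VS1\tSupplier2_GW",   # cannot install on a third-party peer
]) + "\n"


def parse_vpn_route(text: str):
    """Yield (line_number, fields) for each entry, skipping blanks and comments.

    Splits on tab only, so an entry written with spaces comes back as a
    single field and is rejected by check_vpn_route.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        yield lineno, raw.split("\t")


def check_vpn_route(text: str,
                    managed_gateways: set[str] = MANAGED_GATEWAYS,
                    other_objects: set[str] = OTHER_OBJECTS) -> list[str]:
    """Return one message per faulty entry; an empty list means no findings."""
    known = managed_gateways | other_objects
    by_lower = {name.lower(): name for name in known}
    errors: list[str] = []
    for lineno, fields in parse_vpn_route(text):
        if not 3 <= len(fields) <= 4:
            if len(fields) == 1 and " " in fields[0]:
                errors.append(f"line {lineno}: fields separated by spaces, not tabs")
            else:
                errors.append(f"line {lineno}: expected 3 or 4 tab-separated fields, got {len(fields)}")
            continue
        dest, next_hop, install_on = fields[:3]
        for role, name in (("Destination", dest),
                           ("Next hop router", next_hop),
                           ("Install on Security Gateway", install_on)):
            if name in known:
                continue
            hint = ""
            if name.lower() in by_lower:
                hint = f" (names are case-sensitive; did you mean '{by_lower[name.lower()]}'?)"
            errors.append(f"line {lineno}: {role} '{name}' is not a Management object{hint}")
        # Policy is only installed on gateways this Management manages, so a
        # third-party peer (interoperable device) cannot be the install target.
        if install_on in other_objects:
            errors.append(f"line {lineno}: cannot install on '{install_on}', it is not a managed gateway")
        if len(fields) == 4 and not fields[3].strip():
            errors.append(f"line {lineno}: Force Override field is present but empty")
    return errors


if __name__ == "__main__":
    for msg in check_vpn_route(SAMPLE) or ["no findings"]:
        print(msg)
```

Run it against a copy of $FWDIR/conf/vpn_route.conf with the gateway and object sets taken from the Management database instead of the hard-coded ones. An empty result only means the file is syntactically usable; whether the traffic actually takes the tunnel still depends on the encryption domains being correct on the center and on every peer, as the replies above point out.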
Roy_Smith
Collaborator

But if I don't have access to the remote gateways, which are 3rd party gateways and managed by our suppliers, I do not think vpn_route.conf will work. I have put entries in but it does not make any difference.

Would I require the 3rd parties to include the encryption domains of the other 3rd party in their encryption domains?

G_W_Albrecht
Legend

YES - that is clear, encryption domains must be correct on center and all peers. Could be working without NAT in VPN if no overlapping networks exist...

But you can do otherwise - let the 3rd party peers have an S2S VPN together and you will have to change nothing!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
aboo008
Participant

Hey Roy, did you ever find a solution for this? I am in the same boat except that I have control over 1 peer but not the other. VPN 1 for us does not include NAT, but VPN 2 does NAT on our side and this is the peer I don't have any control over. We tried almost all the things you mentioned in your comments without any luck.

Hoping there is a solution to this. I am currently working with TAC but no solution yet.
