dhueber
Explorer

Routing between VPNs

Dear all,


I need your advice about a VPN routing challenge we have.

As part of the different VPN communities we have, we have the following two:


[Office A - Gaia 80.30]   <------ S2S Meshed VPN Community ------> [Data Center - Gaia 77.30]
[Data Center - Gaia 77.30]  <----- S2S Meshed VPN Community -----> [AWS Cloud]

Now we would like to allow users in the Office A to connect to instances in AWS.
Therefore we would need to route the AWS Network through the 1st community to our Data Center and then through the 2nd one to AWS.

We tried to add an IPv4 static route on the Check Point gateway in Office A pointing to the IP of the one in our Data Center, but the traffic is not routed through the community.

I saw several posts talking about editing a conf file on the router or using some R80 features, but there were so many variants that I'm unsure what we should do. Another solution we thought about would be to merge both communities into a star one.


So any advice on how to get this working is welcome 🙂

Many thanks


Accepted Solution
HeikoAnkenbrand
Champion

Hi @dhueber,

Use a star community.

For more granular control over VPN routing, edit the vpn_route.conf file in the $FWDIR/conf/ directory of the Data Center SMS:

[Office A - Gaia 80.30] <-- S2S Star VPN Community ---> [Data Center - Gaia 77.30] <--S2S Star VPN Community---> [AWS Cloud]

Consider a simple VPN routing scenario consisting of Hub and two Spokes. All machines are controlled from the same Security Management Server, and all the Security Gateways are members of the same VPN community. Only Telnet and FTP services are to be encrypted between the Spokes and routed through the Hub:

Although this could be done easily by configuring a VPN star community, the same goal can be achieved by editing vpn_route.conf:

Destination                     Next hop router interface        Install on
Spoke [Office A - Gaia 80.30]   Hub [Data Center - Gaia 77.30]   Spoke [AWS Cloud]
Spoke [AWS Cloud]               Hub [Data Center - Gaia 77.30]   Spoke [Office A - Gaia 80.30]

And enable VPN routing "To center and to other satellites through center" (same on R77.30):
(screenshot star.JPG: the VPN Routing setting in the star community properties)

PS:
R77.30 has been out of support for approximately one year :-)


➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips


12 Replies
dhueber
Explorer

Hi Heiko, 

Thanks for the reply and feedback. This is what we thought.
It won't be the easiest solution to recreate all our VPNs, but we will have to go through this process.

Many thanks for taking time to answer

Wolfgang
Authority

@dhueber 

Migrating to one community with your data center as center and Office A and AWS as satellites would be the best solution.

Then you have to enable VPN routing on the community and everything should work.

In your described environment with two communities you can configure VPN routing via vpn_route.conf file.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
It's written for a SmartLSM environment, but the solution is the same for you.

Have a look at the documentation section "Configuration in the VPN Configuration File".

Wolfgang

Wolfgang
Authority

I see, @HeikoAnkenbrand sent an answer a little bit earlier than me.

😀

HeikoAnkenbrand
Champion

Hi @Wolfgang,

2 seconds faster 😀.

Best Regards
Heiko

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Wolfgang
Authority

Congratulations @HeikoAnkenbrand you’re the winner today 😂
And we could help @dhueber with a solution.

Wolfgang

RS_Daniel
Advisor

Hello Heiko/Wolfgang,

I had a similar scenario and hoped you could help with a doubt. Our scenario is the same, but instead of [AWS Cloud] we have a third-party gateway. So in this case I think vpn_route.conf does not apply, because it is not possible to define the third party in the "Install on" column of the file. I was wondering how to address this. My first option was to migrate to a star community as you described before, but I am not sure if the option "To center and to other satellites through center" will work with the third-party gateway (I think it won't). So if you have any idea how to reach the same goal with the third party, it would be appreciated. Thanks in advance.

Wolfgang
Authority

@RS_Daniel 

VPN routing with a third-party gateway via a star community will be possible.

Wolfgang

alysiakee
Explorer

Thanks very much for that information.

nicktran
Explorer

The issue is that when you define the vpn_route.conf file, the "Install on" column must be a gateway object. I defined my remote firewall, which is a Fortinet, as an Interoperable Device. Below is the error that came out when I tried to install the policy.

reading vpn_route.conf: install on gw object is not a firewall (fortinetfw.fortiddns.com)

Do you know how to sort it out ?

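The accepted answer gives the vpn_route.conf rows as a table, and nicktran's post shows the one way the file fails at policy install: the "Install on" column names an Interoperable Device instead of a Check Point gateway. The following script is an added example, not code from this thread or from Check Point. It writes the accepted answer's two rows in the whitespace-separated three-column layout the file uses (Destination, Next hop router interface, Install on), parses them, and runs the install-on check locally before you push policy. The object names (net_officeA, gw_datacenter, fortinetfw, and so on) and the object inventory are assumptions standing in for your SmartConsole objects; the sample file is constructed.

```python
"""Pre-check a vpn_route.conf fragment before policy install.

Added example, not from the original thread or from Check Point. It models
the three-column vpn_route.conf layout the accepted answer describes
(Destination, Next hop router interface, Install on) and checks the rule
behind nicktran's policy-install error: the "Install on" object must be a
Check Point gateway, not an Interoperable Device. All object names and the
inventory below are assumptions.
"""
from dataclasses import dataclass

# Constructed sample: the accepted answer's two rows, as they would be written
# in $FWDIR/conf/vpn_route.conf. Object names are hypothetical SmartConsole names.
SAMPLE_VPN_ROUTE_CONF = """\
# Destination     Next hop router interface   Install on
net_officeA       gw_datacenter               gw_aws
net_aws           gw_datacenter               gw_officeA
"""

# Constructed inventory: object name -> object type as seen in SmartConsole.
# A third-party peer is an Interoperable Device, which is exactly the case that
# fails with "install on gw object is not a firewall".
SAMPLE_OBJECTS = {
    "net_officeA": "network",
    "net_aws": "network",
    "gw_datacenter": "gateway",
    "gw_officeA": "gateway",
    "gw_aws": "gateway",
    "fortinetfw": "interoperable_device",
}


@dataclass(frozen=True)
class VpnRoute:
    destination: str   # network / host / group object whose traffic is routed
    next_hop: str      # the hub gateway the traffic is sent through
    install_on: str    # gateway(s) that receive this route with the policy
    line_no: int


def parse_vpn_route_conf(text):
    """Parse vpn_route.conf text; '#' starts a comment, blank lines are ignored."""
    routes = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(
                f"line {line_no}: expected 3 columns, got {len(fields)}: {raw!r}")
        routes.append(VpnRoute(*fields, line_no=line_no))
    return routes


def check_vpn_routes(routes, objects):
    """Return a list of problems; an empty list means the install-on rule holds."""
    problems = []
    for r in routes:
        for col, name in (("Destination", r.destination),
                          ("Next hop", r.next_hop),
                          ("Install on", r.install_on)):
            if name not in objects:
                problems.append(f"line {r.line_no}: {col} object '{name}' not found")
        # Policy is only installed on Check Point gateways, so an Interoperable
        # Device (or any non-gateway object) in "Install on" is rejected at install.
        if objects.get(r.install_on) not in (None, "gateway"):
            problems.append(
                f"line {r.line_no}: install on gw object is not a firewall ({r.install_on})")
    return problems


def demo():
    """Run the check on the good sample and on a row that targets a third party."""
    good = check_vpn_routes(parse_vpn_route_conf(SAMPLE_VPN_ROUTE_CONF), SAMPLE_OBJECTS)
    # Constructed failing row: a Fortinet defined as an Interoperable Device in "Install on".
    bad_conf = "net_officeA   gw_datacenter   fortinetfw\n"
    bad = check_vpn_routes(parse_vpn_route_conf(bad_conf), SAMPLE_OBJECTS)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("sample file problems:", good or "none")
    print("third-party install-on problems:", bad)
```

Run it against a copy of your real file by replacing SAMPLE_VPN_ROUTE_CONF with the file's contents and SAMPLE_OBJECTS with your object names and types; a third-party peer can only appear as a Destination, never in "Install on", which is why the star community with "To center and to other satellites through center" is the route to take for that case.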
Ara_Zohrabian
Explorer

Hi, i have the same issue with vpn_route.conf. Did you find a solution?

Thanks
