This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HansKazan
Contributor
Contributor
‎2024-04-13 01:52 PM
Jump to solution

Site-to-Site VPN - Star VPN Routing Question

Hello CheckMates

I would like to request some clarification regarding the Star VPN Routing option "To center or through the center to other satellites, to Internet and other VPN targets" (3rd option). When I have the option enabled, it becomes possible for all Center Networks, even the ones not part of the Center-EncDom on the Center Gateway to reach all Satellite EncDom Networks. It will match the ACL and enter the VPN Tunnel, when to my current understanding it is not meant to. Could anyone please clarify as to why this is?

See a small summary of my configuration below, all devices are OpenServers running R81.20 with JHF 53.

 

brrr.png

Center Encryption Domain: 172.16.1.0/24
Satellite Encryption Domain: 192.168.1.0/24
 
Center Hosts
PC-A - 172.16.1.1 (part of Center-EncDom)
PC-C - 10.10.2.10
 
Satellite Host
PC-B - 192.168.1.1 (part of Satellite-EncDom)
 
Ping Result
PC-A -> PC-B reachable, enters VPN-Tunnel
PC-A -> PC-C reachable local site
PC-B -> PC-A reachable, enters VPN-Tunnel
PC-B -> PC-C unreachable
PC-C -> PC-A reachable local site
PC-C -> PC-B reachable, enters VPN-Tunnel (matches ACL, but does not match EncDom)
 
brabra.png

When enabling the 2nd option "To center and to other satellites through center", it works as I intend for it to work. Meaning that PC-C traffic towards PC-B no longer enters the VPN tunnel, gets accepted by the ACL rule and routed into the void. See a ghetto paint version for a topology below.
vrrvrr.png

 
ghettology-lab.png
 
Thank you for any and all comments that would help me better understand the VPN product!
0 Kudos
2 Solutions

Accepted Solutions
the_rock
MVP Platinum
MVP Platinum
‎2024-04-14 04:41 PM
Jump to solution

This is an official explanation of how those settings work.

Andy

 

VPN Routing Options

  • To center only . No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way

  • To center and to other satellites through center . Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.

  • To center, or through the center to other satellites, to internet and other VPN targets . Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

Best,
Andy

View solution in original post

PhoneBoy
Admin
Admin
‎2024-04-15 08:38 AM
Jump to solution

"To center, or through the center to other satellites, to internet and other VPN targets" means route ALL traffic through Center gateways (e.g. Internet-bound traffic or traffic to other VPN gateways).
It's acting as expected.

View solution in original post

4 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-04-14 04:41 PM
Jump to solution

This is an official explanation of how those settings work.

Andy

 

VPN Routing Options

  • To center only . No VPN routing actually occurs. Only connections between the satellite gateways and central gateway go through the VPN tunnel. Other connections are routed in the normal way

  • To center and to other satellites through center . Use VPN routing for connection between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connection between satellite gateways and gateways that do not belong to the community are routed in the normal way.

  • To center, or through the center to other satellites, to internet and other VPN targets . Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.

Best,
Andy
HansKazan
Contributor
Contributor
‎2024-04-15 02:16 AM
In response to the_rock
Jump to solution

Thank you for the official explanation. However, PC-C is a part of the Center GW, not defined in the Encryption Domain that is able to reach PC-B, which is a satellite host part of the Satellite Encryption Domain. When I read this original explanation my assumption was that it would be the case that all traffic sent by the satellite gateway would be encrypted, yet it is the Center gateway that initiates this connection. Hence my question.

Am I then to assume that this will then apply for both Center and Satellite connections to be forced to cross that VPN Tunnel when an ACL is matched?

Thank you for your time!

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-04-15 12:12 AM
Jump to solution

Then why not stay with the second option ?

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin
Admin
‎2024-04-15 08:38 AM
Jump to solution

"To center, or through the center to other satellites, to internet and other VPN targets" means route ALL traffic through Center gateways (e.g. Internet-bound traffic or traffic to other VPN gateways).
It's acting as expected.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events