This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AmitS
Participant
‎2022-12-14 11:08 AM

Site to Site VPN between two checkpoint gateway with CMS

Hi Guys,

I have 2 locations Site A and Site B, both are having Checkpoint gateway which is managed by CMS located at SiteA. 
Site A has 2 ISP links: ISP-1 and ISP-2, we are using ISP-2 for S2S vpn.

we want to create a s2s vpn between site A and site B.

Issue is when we push this VPN config on Site-B firewall then the policy install is stuck at 50% and we loose access of Site-B firewall.

So we perform unloadlocal, remove this VPN config for these two sites and push the policy and is successful.

Due to this issue we are not able to create a s2s vpn between these two sites.

Can anyone help me with a solution to overcome this?

Quantum Force (Security Gateways) 

 

 

Quantum Force (Security Gateways)
Quantum Force (Security Gateways)
Security Platforms & Management
0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2022-12-14 11:45 AM

I suspect this is related to the other issue you posted about: https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-not-sending-logs-to-sms-over-w...
Fix that and you’ll probably fix this issue.

Also, if you’re using multiple ISPs and using a specific one for the VPN, you may need to configure Link Selection to ensure the correct IP on the correct link is used to establish the VPN.

0 Kudos
AmitS
Participant
‎2023-01-02 11:02 PM
In response to PhoneBoy

Logging issue is resolved after reworking on NAT rules. But this issue is still not resolved. 

Attaching reference architecture diagram. All firewall is Checkpoint managed from Central Location-A with Central CMS.

S2S VPN is established via ISP-2 on Central Location. Each spoke location has single ISP Link.

 

Preview file
43 KB
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2022-12-14 12:45 PM

@PhoneBoy is correct...when using ISP redundancy, you would most likely need to change link selection in this case to reflect correct external IP address presented.

Best,
Andy
0 Kudos
AmitS
Participant
‎2022-12-14 11:13 PM
In response to the_rock

Link selection is already configured with ISP-2 at site A.

Both the issues are different.

0 Kudos
AmitS
Participant
‎2023-01-03 04:08 AM
In response to AmitS

If I want to exclude Control connections from VPN then what all services do I need to exclude including FW1, CPMi?

I think this might help in preventing the spoke to get isolated.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-03 05:58 AM
In response to AmitS

Control Connections are already excluded from VPN.

AmitS
Participant
‎2023-01-03 07:24 AM
In response to PhoneBoy

Can anyone suggest me a solution as to how can I achieve this Hub and spoke architecture where spoke gateways are managed from public and sms is central.

I am stuck with this since last 15days. 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-03 07:58 AM
In response to AmitS

You're using ISP-2 for the VPN, yet using ISP-1 for the management traffic, correct?
That is probably what is causing your issue here since this is likely creating an asymmetric routing condition.
You should use the same ISP for both VPN and management traffic and your management NAT address should reflect this.
If you need to use a different ISP to manage different gateways, then you may need to put in some manual rules in place.
In any case, I recommend a TAC case to further assist you with this issue.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-01-03 06:00 AM
In response to AmitS

Phoneboy is right, its already excluded by default.

Best,
Andy
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2023-01-03 10:51 AM

First and foremost if you are building a tunnel managed by same SMS then it will be a certificate based tunnel and certificates will be catered by mangement server. Now since peer IP happens to be (if) policy push or SIC IP then it would never happen. The Policy push will never happen through S2S tunnel due to implied rules and implied rules does not have VPN setting. In this case either you can disable Remote Control connections and and try building a manual rules for SIC/Policy push or NAT the Management server behind other IP which is not a VPN IP.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events