Albin_Petersson
Contributor

Site2Site-VPN not working with VLANS/additional IP-nets?

Hello.

Unsure what the problem is here, and I'm not that good at Check Point VPNs.

We have a 7000 gateway at our main site and some time ago we bought a smaller Spark 1570 gateway for a remote location. We set up a S2S-VPN between these with 1 network on the remote site, and that seems to work fine. The network is added to LAN1 directly (and the tunnel runs over WAN).

Now I wanted to add 2 more networks to the remote site. We installed a switch, added a trunk between the 1570 and the switch, made VLAN interfaces on LAN2 (LAN2.1365 etc.) with 2 VLANs. One VLAN has an SVI in the switch that I can ping from the 1570, the other doesn't but it has a camera attached that I can ping. So that part seems to be working as it should. But I cannot get traffic to use the S2S-VPN for these 2 VLAN networks.

If I do traceroute from my office PC to the 1st network, I can see that it uses the tunnel and I can also see in the CP logs that it is encrypting traffic etc.

If I do traceroute to network 2 or 3, I can see that the traffic goes out on the default GW and is not tunneled. There's no encryption in the checkpoint logs.

Looking at the remote GW object in SmartConsole, the 3 networks show up as they should and are configured the same, just different IPs.

The VPN object has the setting that VPN domain is all IPs behind GW based on topology.

How do I troubleshoot this? Is it not possible to use VLANs?

0 Kudos
1 Solution

Accepted Solutions
Albin_Petersson
Contributor

hmm, I think I figured it out now. The ideas I had on how to add these new networks to the policies were wrong. It was never a problem with the VPN tunnel per se. I used the "remote" networks in the local GW's policies, but that doesn't work apparently.

It's a bit confusing that it didn't work, but at least now the access works so that's all that matters.


0 Kudos
3 Replies
PhoneBoy
Admin
Admin

Did you change the Encryption Domain associated with the SMB device to include the new VLANs AND push policy to all relevant gateways?

0 Kudos
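The question PhoneBoy is asking comes down to one rule: a gateway only tunnels a packet when the source lies in its own encryption domain and the destination lies in the peer's encryption domain; anything else follows the normal route to the default gateway in the clear, which is exactly what the traceroutes in the original post show. The following script is an added example, not code from the thread or from Check Point. It models that rule with constructed, hypothetical subnets (the LAN1 network, the two VLAN sub-interfaces LAN2.1365 and LAN2.1366, and the main site's LAN) so you can see why a stale or incomplete remote encryption domain leaves VLAN traffic untunneled, and it lists which interface networks are missing from a given domain.

```python
import ipaddress

# Constructed sample topology (hypothetical addresses, not from the thread):
# the 1570's interfaces, with the original LAN1 network and two VLAN
# sub-interfaces on the LAN2 trunk.
REMOTE_GW_INTERFACES = {
    "LAN1": "192.168.10.0/24",
    "LAN2.1365": "192.168.20.0/24",  # VLAN with a switch SVI
    "LAN2.1366": "192.168.30.0/24",  # VLAN with the camera
}

# Main site (7000) encryption domain, also constructed.
MAIN_SITE_DOMAIN = ["10.0.0.0/16"]

# Remote domain as it would look if only the first network had been
# declared, versus "all IPs behind the gateway based on topology".
REMOTE_DOMAIN_STALE = ["192.168.10.0/24"]


def topology_domain(interfaces):
    """Encryption domain derived from topology: every directly
    connected network on every interface, VLAN sub-interfaces included."""
    return [cidr for cidr in interfaces.values()]


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_domain(ip, domain):
    """True if the address falls inside any network of the domain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _networks(domain))


def is_tunneled(src, dst, local_domain, remote_domain):
    """A flow is encrypted only when src is in the local domain AND dst is
    in the remote peer's domain; otherwise it is routed in the clear."""
    return in_domain(src, local_domain) and in_domain(dst, remote_domain)


def path_for(src, dst, local_domain, remote_domain):
    """Human-readable verdict matching what a traceroute would reveal."""
    if is_tunneled(src, dst, local_domain, remote_domain):
        return "VPN tunnel"
    return "default gateway (clear text)"


def missing_from_domain(interfaces, domain):
    """Interfaces whose network is not covered by the declared domain:
    the first thing to check when only some remote networks get tunneled."""
    nets = _networks(domain)
    return [
        name
        for name, cidr in interfaces.items()
        if not any(ipaddress.ip_network(cidr, strict=False).subnet_of(n) for n in nets)
    ]


if __name__ == "__main__":
    office_pc = "10.0.5.20"
    for name, cidr in REMOTE_GW_INTERFACES.items():
        host = str(next(ipaddress.ip_network(cidr).hosts()))
        stale = path_for(office_pc, host, MAIN_SITE_DOMAIN, REMOTE_DOMAIN_STALE)
        topo = path_for(office_pc, host, MAIN_SITE_DOMAIN, topology_domain(REMOTE_GW_INTERFACES))
        print(f"{name:10s} {host:16s} stale domain -> {stale:28s} topology domain -> {topo}")
    print("not covered by stale domain:", missing_from_domain(REMOTE_GW_INTERFACES, REMOTE_DOMAIN_STALE))
```

Run it as-is and the two VLAN networks come back as "default gateway (clear text)" under the stale domain and "VPN tunnel" once the domain is topology-derived; `missing_from_domain` names the sub-interfaces to look for. On a real deployment the same comparison is what you do by hand: the interface networks on the SMB device against the encryption domain the peer gateway actually received in its last policy push.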
Albin_Petersson
Contributor

well, the VPN domain is the same thing as encryption domain, right? If it is set to use all IPs behind the SMB device then shouldn't they update automatically?

I've pushed the policy to both gateways.

I tried to make a network group object now with the networks included and use that as VPN domain instead, but there's no difference.

0 Kudos
