This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_W
Advisor
‎2022-02-15 12:37 PM
Jump to solution

VPN Routes not visible in Gaia

Hello Mates,

have here a R81.10 T22 with a S2S VPN to 3rd Party but I cannot see the route to the target encryption domain in the route table of the OS or in Gaia. The VPN works fine though.

Is this by design or do I miss an option?

 

Regards

David

0 Kudos
1 Solution

Accepted Solutions
Timothy_Hall
Legend Legend
Legend
‎2022-02-16 06:24 AM
In response to D_W
Jump to solution

You can't redistribute that directly since routes in the vpn_routing table are not "real" routes that exist in the Gaia OS that OSPF can see.

If you are using at least R81, check out NAT Pools which should allow redistribution.  Here is the relevant page from my Gaia 3.10 Immersion self-guided video series:

natpools2.png

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

View solution in original post

9 Replies
mk1
Collaborator
‎2022-02-16 12:40 AM
Jump to solution

Is this a route based or policy based VPN?

0 Kudos
D_W
Advisor
‎2022-02-16 03:15 AM
In response to mk1
Jump to solution

We define in the VPN communities the encryption domains for each site so i guess it's domain based.
I haven't found a quick answer about the difference of each types (route based, policy based, domain based) 😅

0 Kudos
mk1
Collaborator
‎2022-02-16 04:38 AM
In response to D_W
Jump to solution

Then you will not find them in the routing table. You can try with the following command in the Expert mode:

fw tab -f -t vpn_routing -u

D_W
Advisor
‎2022-02-16 04:59 AM
In response to mk1
Jump to solution

ah yes there i see it...
Any ideas how i can use this route now to redistribute it via OSPF?
I mean it works when I manually add an static-route for the neeeded route and add it to a route-map but this is an equal ugly solution as the output from "fw tab -f -t vpn_routing -u" 😥

0 Kudos
mk1
Collaborator
‎2022-02-16 05:18 AM
In response to D_W
Jump to solution

In my opinion, after you need dynamic routing the best way would be to convert to route based VPNs. As you said, it's not possible to advertise a route which doesn't exist in your routing table. The other option is the proposed from you, to add static route pointing to your gateway through the proper outgoing interface for instance and then advertise it via OSPF.

0 Kudos
D_W
Advisor
‎2022-02-16 06:22 AM
In response to mk1
Jump to solution

I checked now the situation on another CP Gateway (r80.40) where we have other domain based VPNs and there I see the kernel Routes. BUT only the routes from the star communities.


Tried now to reconfigure my Mesh-Community to Star to check if the Routes will show up but no 😞

0 Kudos
_Val_
Admin
Admin
‎2022-02-16 05:30 AM
In response to D_W
Jump to solution

Those are not OS system level routes, those are VPN routes.

Timothy_Hall
Legend Legend
Legend
‎2022-02-16 06:24 AM
In response to D_W
Jump to solution

You can't redistribute that directly since routes in the vpn_routing table are not "real" routes that exist in the Gaia OS that OSPF can see.

If you are using at least R81, check out NAT Pools which should allow redistribution.  Here is the relevant page from my Gaia 3.10 Immersion self-guided video series:

natpools2.png

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
D_W
Advisor
‎2022-02-18 02:30 AM
In response to Timothy_Hall
Jump to solution

Cool! Thanks I can work with that handy solution!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events