CheckMates
VPN Routing
Hi Guys,
I got stuck configuring inter-site VPN routing. I have a Check Point in the center and some Cisco devices in the branch offices. All pairwise VPNs between the CP and the Ciscos work fine, but I cannot reach Cisco 2 from Cisco 1. I turned on VPN Routing in the Community ("To center and other satellites"); the encryption domains for the Ciscos are ANY (meaning: send all traffic to the center). A simple rule like "Cisco 1 to Cisco 2 - Any - Any - Accept" is created.
Maybe I missed something?
Thanks
Hi Sergo89,
The only case in which I had this type of traffic working well was when all peers were managed within the same CMA (I am currently using MDM with several CMAs). Even though I read that it works perfectly... I had to edit vpn_route.conf and I didn't want to do that.
So what I would suggest is to define several communities and define the VPN domain for the central peer at the community level and not at the GW level. In your case, with 2 Cisco peers, you will have 2 domains.
I have never tested it, but maybe it can help.
Rgds,
Thanks BikeMan, yeah, I want to play with vpn_route.conf today. Yes, I have two communities, one IKEv2 and another IKEv1; a bunch of tunnels sit in the v1 one. Regarding VPN domains, yes I did that (I guess I did it properly): Net1 sits behind Cisco1 and Net2 behind Cisco2, and the core/hub Check Point has Net3.
It looks right to me.
Hello,
From the Check Point side it should work with the config you describe. Search the logs with src and dst IP; if you see "vpn routing" in the action column, it is working. Check that Cisco 1's networks are added to the interesting-traffic configuration on Cisco 2 and vice versa. It usually takes a couple of minutes when you change that live; if you need immediate verification, restart the VPN.
Regards
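As an added illustration of the last reply's point about interesting traffic (this is example config written for this page, not from the thread, Check Point or Cisco), here is what the crypto ACLs on two IOS spokes homed on a Check Point hub need to contain for spoke-to-spoke traffic to enter the tunnel. Every address, object name, interface and the upstream next hop below is an assumption: Net1 = 10.1.0.0/24 behind Cisco 1, Net2 = 10.2.0.0/24 behind Cisco 2, Net3 = 10.3.0.0/24 behind the hub, hub public address 198.51.100.1. Each spoke only ever negotiates with the hub, so the remote side of its crypto ACL must cover the other spoke's network as well as the hub's; the hub's "To center and other satellites" VPN routing then forwards Net1 -> Net2 through the second tunnel.

```cisco
! ===== Cisco 1 (constructed example; addresses and names are assumptions) =====
! IKEv1 phase 1 to the Check Point hub
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! replace the placeholder with the real pre-shared key
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.1
!
crypto ipsec transform-set TS-HUB esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic. The first line is the usual spoke-to-hub entry.
! The second line is the one that is easy to forget: without it Cisco 1
! never classifies Net1 -> Net2 as VPN traffic, so the packet is sent in
! clear (or dropped upstream) and the hub never sees anything to route.
ip access-list extended ACL-VPN-HUB
 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map CM-HUB 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-HUB
 match address ACL-VPN-HUB
!
interface GigabitEthernet0/0
 description WAN, tunnel-facing interface (assumed)
 crypto map CM-HUB
!
! The other spoke's network must be routed out the crypto-map interface,
! otherwise the packet never reaches the crypto map. 198.51.100.254 is an
! assumed upstream next hop.
ip route 10.2.0.0 255.255.255.0 198.51.100.254
ip route 10.3.0.0 255.255.255.0 198.51.100.254
!
! ===== Cisco 2: the mirror image of the same ACL =====
ip access-list extended ACL-VPN-HUB
 permit ip 10.2.0.0 0.0.0.255 10.3.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
ip route 10.1.0.0 255.255.255.0 198.51.100.254
ip route 10.3.0.0 255.255.255.0 198.51.100.254
!
! Verification / forcing a renegotiation after a live change:
!   show crypto ipsec sa peer 198.51.100.1     (look for a local/remote ident pair
!                                               10.1.0.0/24 <-> 10.2.0.0/24 with
!                                               non-zero #pkts encaps)
!   clear crypto session remote 198.51.100.1   (tears the tunnel down so the new
!                                               ACL entry is negotiated immediately)
```

The proxy-IDs the spoke offers (local net, remote net) must also be acceptable to the hub: the hub's encryption domain as presented to that spoke has to contain the other spoke's network, which is what defining the center's VPN domain per community, as suggested above, controls. If the ACL entry is present but the hub rejects the proposal, the IKE negotiation for that pair fails with a proxy-ID (traffic selector) mismatch, which is visible in the hub's VPN logs rather than in the spoke's crypto ACL.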
