aMatthew
Contributor

VPN SITE TO SITE CHECKPOINT VSX ROUTE BASED

Hello everyone,
I will preface that I have been working with Check Point technology for a short time and your input is valuable to me.

I need to set up a site-to-site VPN with Cisco Secure Access.

In the guide that was shared with us, it talks about creating VTI and policy based routing on Gaia portal.

Unfortunately, we do not have access to Gaia portal as our gateways are VSX. So the whole thing is to be done through CLI.

Referring to the guide (screenshots attached), could you kindly tell me what commands need to be run? I would be really happy if you could give me an example of the commands, maybe using the IPs in the guide.

Thank you for your support.

0 Kudos
5 Replies
Duane_Toler
Advisor

You need vsx_provisioning_tool for VTIs on VSX:

vsx_provisioning_tool -L -o add interface vd VS1 vpn_tunnel numbered peer SmartConsole_interoperable_peer local 169.254.68.238 remote 169.254.68.237 tunnel_id 99


Replace VS1 with the name of your firewall Virtual System.

Replace "SmartConsole_interoperable_peer" with the name of the Interoperable Device in SmartConsole for this VPN peer.

This will create vpnt99 for your VS. After this, you should be using Route Based VPN with empty group objects as the VPN domain for the remote peer and your VS. You can override the VPN domain for the peers within the VPN Community, rather than modifying the main VPN domain on the VS object.

You will also need to add static routes across the VTI for whatever remote end hosts they gave you. You add static routes in SmartConsole for the firewall VS. These are in the VS properties -> select Network Management on the left, and you'll see where to add static routes. Use the remote peer IP in the VTI as the next-hop gateway for the route (169.254.68.237 in this case).


You can replace those 169.254.x.y IPs in the VTI command above, but be sure you ONLY use IPs in the 169.254.x.y range! Don't try to use any 10.x or 192.168.x.x addresses; these are unnecessary. A VTI is a virtual point-to-point interface; the IPs really don't matter, and they don't even have to be remotely similar. For a point-to-point interface, no matter what packet you "write" to that pseudo-wire, it will be sent. So use the APIPA address space; that's what it's for: link-local addressing.

FYI: If you have Multi-Domain management, then you first need to switch to the Target domain where the VS is created before running the above command:

mdsenv TARGET_DOMAIN

0 Kudos
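An added helper that puts the steps in the reply above together. It is not Duane's code and not a Check Point tool: it checks that both VTI addresses are inside the 169.254.0.0/16 link-local range and differ from each other, then prints the mdsenv line (only when a Multi-Domain target is given) and the vsx_provisioning_tool line to run on the management server. It only prints the commands; the VS name, peer object name and addresses are the placeholders from the reply, and the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point.
# Prints (does not run) the commands for a numbered VTI on a VSX Virtual System,
# refusing VTI addresses outside 169.254.0.0/16 as recommended above.

# Return 0 when $1 is a dotted-quad IPv4 address inside 169.254.0.0/16.
is_link_local() {
    ip=$1
    old_ifs=$IFS
    IFS=.
    set -- $ip            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric octet
        esac
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -eq 169 ] && [ "$2" -eq 254 ]
}

# Usage: vti_plan VS_NAME PEER_OBJECT LOCAL_IP REMOTE_IP TUNNEL_ID [MDS_DOMAIN]
# Prints the commands to type on the management server, one per line.
vti_plan() {
    vs=$1; peer=$2; local_ip=$3; remote_ip=$4; tid=$5; domain=$6

    is_link_local "$local_ip" || {
        echo "local address $local_ip is not in 169.254.0.0/16" >&2; return 1; }
    is_link_local "$remote_ip" || {
        echo "remote address $remote_ip is not in 169.254.0.0/16" >&2; return 1; }
    [ "$local_ip" != "$remote_ip" ] || {
        echo "local and remote VTI addresses must differ" >&2; return 1; }
    case $tid in
        ''|*[!0-9]*) echo "tunnel_id must be numeric" >&2; return 1 ;;
    esac

    # Multi-Domain: switch to the domain that owns the VS first
    if [ -n "$domain" ]; then
        echo "mdsenv $domain"
    fi
    echo "vsx_provisioning_tool -L -o add interface vd $vs vpn_tunnel numbered peer $peer local $local_ip remote $remote_ip tunnel_id $tid"
    # The VS gets interface vpnt<tunnel_id>; static routes over it use the remote VTI IP as next hop.
    echo "# creates vpnt$tid on $vs; next-hop for static routes across it: $remote_ip"
}

# Example invocation with the placeholder names and addresses from the reply above
vti_plan VS1 SmartConsole_interoperable_peer 169.254.68.238 169.254.68.237 99
```

The script is a dry run for planning: it writes the command lines to stdout, and a rejected address or tunnel id goes to stderr with a non-zero return, so it can be used in front of copy-pasting into the management server shell.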
aMatthew
Contributor

Hi Duane,

Thank you first of all for your valuable help.
I ran the command as you indicated; however, I got this as a response:

Version R81_10_jumbo_hf_main, build xxxxxxx
Session not established
Failed to connect with server 127.0.0.1

What is the reason for this error?

0 Kudos
Duane_Toler
Advisor

Did you run this on the gateway or the management server?


0 Kudos
aMatthew
Contributor

On the security gateway.

0 Kudos
Duane_Toler
Advisor

The VSX provisioning tool is only run on the Management server. If you have Multi-Domain management, then you need to run it in the context of the domain where the VS lives.
