dede79
Contributor

VPN route all traffic - exclusion?

Hello,

I need to switch existing WAN sites' VPNs to also route internet traffic to the central site (central breakout over a central dedicated CP cluster). Is it possible to exclude several networks so they are NOT sent into the 0.0.0.0 VPN? Enabling that option even makes it impossible to ping the local ISP router or do any troubleshooting.

We also have MPLS networks connected to the gateways - so even for that we need to exclude those networks from the route all traffic VPN.

Thanks

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

It sounds like you’re trying to do a route all traffic with a Domain-Based VPN and a 0.0.0.0/0 Encryption Domain.
Pretty sure you can only do “exclusions” with a Route-Based VPN.
This uses VTI interfaces and only traffic explicitly routed to that interface goes through the VPN.

0 Kudos
dede79
Contributor

Yes, Domain-Based VPN and a 0.0.0.0/0 Encryption Domain.

VTIs are not an option since we use VPN redundancy with link selection and MEP.

I hoped that there is an option like the user.def file to exclude networks from the 0.0.0.0 ...

I also tried with network-range objects representing the public IP ranges - works.

But using that we had a strange behavior:

Design: SiteGW -> VPN -> GW central site - routing - GW-Perimeter -> VPN -> SMB

Perimeter GW claims that IP of SMB gateway is in encdom of "GW central site" and for that reason it drops the tunnel to it.

This also happens if the SMB device is managed by a different CMA (defined as externally managed /interop).

This is why I hope that with a route all traffic VPN we might get rid of this behavior.

0 Kudos
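A constructed model of the overlap described in this post, contrasting the domain-based lookup (with and without carved-out exclusions) against the route-based lookup PhoneBoy mentioned. This is an added example, not code from the thread or from Check Point; all addresses, peer names and interface names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology; addresses are hypothetical, not from the thread.
SMB_GW_IP = ip_address("203.0.113.10")           # SMB peer gateway
ISP_ROUTER = ip_address("192.168.1.1")           # local ISP router at the site
EXCLUDES = [ip_network("192.168.1.0/24"),        # local ISP/LAN segment
            ip_network("10.50.0.0/16"),          # MPLS networks
            ip_network("203.0.113.0/24")]        # SMB peer's public range


def in_domain(addr, domain, excludes=()):
    """True if addr is inside the encryption domain and not carved out."""
    if any(addr in net for net in excludes):
        return False
    return any(addr in net for net in domain)


def domain_based_peer(dst, peers):
    """Domain-based VPN (simplified): the first peer whose effective
    encryption domain contains dst wins. peers: [(name, domain, excludes)]."""
    for name, domain, excludes in peers:
        if in_domain(dst, domain, excludes):
            return name
    return None  # no peer claims it: clear-text / local routing


def route_based_iface(dst, routes):
    """Route-based VPN: longest-prefix match picks the egress interface;
    only routes pointing at a VTI send traffic into a tunnel."""
    best = None
    for net, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def demo():
    catch_all = [ip_network("0.0.0.0/0")]          # "route all traffic" encdom
    smb_dom = [ip_network("203.0.113.0/24")]
    naive = [("central", catch_all, []), ("smb", smb_dom, [])]
    fixed = [("central", catch_all, EXCLUDES), ("smb", smb_dom, [])]
    routes = [(ip_network("0.0.0.0/0"), "vpnt1"),       # VTI to central site
              (ip_network("192.168.1.0/24"), "eth1"),   # local LAN, no tunnel
              (ip_network("203.0.113.0/24"), "vpnt2")]  # VTI to SMB peer
    return {
        "naive_smb": domain_based_peer(SMB_GW_IP, naive),   # "central": the overlap
        "fixed_smb": domain_based_peer(SMB_GW_IP, fixed),   # "smb"
        "fixed_isp": domain_based_peer(ISP_ROUTER, fixed),  # None: stays local
        "rb_smb": route_based_iface(SMB_GW_IP, routes),     # "vpnt2"
        "rb_isp": route_based_iface(ISP_ROUTER, routes),    # "eth1"
    }
```

With the catch-all domain and no exclusions the SMB gateway address is claimed by the central peer, which is the mismatch the perimeter gateway reported; the excluded ranges make the lookup land on the right peer or stay local.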
PhoneBoy
Admin
Admin

0 Kudos
dede79
Contributor

WOW! Neither the responsible Check Point SEs nor 2 SRs were able to give me that hint!

I'll try this in lab today - VPN routing all traffic and the subnet exclusion.

Thanks so far!

I'll post the solution if tested.

0 Kudos