This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AkosBakos
Advisor
Advisor
‎2024-09-19 09:28 AM
Jump to solution

VPN routing and External interfaces

Dear CheckMates

I have a simple cluster with 5+ External interfaces. This cluster has 5+ s2s VPN communities. Depends on the routing the VPN's interoperable devices are behind different external interfaces. The essence of this, this cluster has more than 5 External interfaces.
The VPNs work fine.

Until today.

I created a s2s VPN as before.

Short description:

A_GW -> my_VPN_GW
B_VPN_peer -> peerGW
B_int -> peer interoperable device
B_enc -> network behind the peer (100.X.X.X/25 - yes it begins with 100)
A_int1 -> default route (this is the default route)
A_int2 -> the VPNpeer is behind this IF (from my_VPN_GW's point of view)


The issue:

The if I initiate for eg. a ping from my_VPN_GW to a host in the B_enc, the traffic leaves on the A_int1, although the B_VPN_peer is behind A_int_2 IF.

If I create a static-route -> the traffic goes where it should.

My question would be, this is a normal behavior if the ENC_DOM is not RFC1918?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
1 Solution

Accepted Solutions
Lesley
Leader Leader
Leader
‎2024-09-19 11:23 AM
Jump to solution

Routing is not always needed but it is documented as needed.

See

https://support.checkpoint.com/results/sk/sk180613

And https://support.checkpoint.com/results/sk/sk179485

If it is vsx or maestro check https://support.checkpoint.com/results/sk/sk160672

https://support.checkpoint.com/results/sk/sk76281

All above is based that I think this is regarding domain based tunnels

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

2 Replies
Lesley
Leader Leader
Leader
‎2024-09-19 11:23 AM
Jump to solution

Routing is not always needed but it is documented as needed.

See

https://support.checkpoint.com/results/sk/sk180613

And https://support.checkpoint.com/results/sk/sk179485

If it is vsx or maestro check https://support.checkpoint.com/results/sk/sk160672

https://support.checkpoint.com/results/sk/sk76281

All above is based that I think this is regarding domain based tunnels

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend
Legend
‎2024-09-19 12:50 PM
Jump to solution

Hey bro,

I would say its normal, regardless. I actually wrote some docs about it, you can refer to below post. I know its route based tunnel to Azure, but it gives you an idea.

Hope it helps.

Andy

 

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events