Hi there,
I have a client who has 2 VPNs between 3rd parties like so:
1) VTI route based VPN between 3rd party (SiteA) and (HUB CP Gateway) (own star vpn community)
(SiteA- 10.0.0.0/13) ----routed VTI-------- (HubCPgateway - 172.16.9.0/24)
2) Domain based VPN between 3rd party (SiteC) and (HUB CP Gateway) (own star vpn community) (using one tunnel per Gateway setting)
(HubCPgateway - 172.16.9.0/24) ----Domain Based VPN---(SiteC- 10.200.0.0/19)
Now for whatever reason the client wants to route traffic between the two third party sides (they own the equipment at the 3rd party sites and need to replicate).
So they want SiteA and SiteC to talk via HubCPGateway like so:
(SiteA- 10.0.0.0/13)-------routed--VTI------(HubCPgateway- 172.16.9.0/24)-------Domain Based VPN------(SiteC- 10.200.0.0/19)
I tried to ADD the networks in SiteC into HUB CPGateway's encryption domain and just route the traffic from SiteA via the routed VTI. The traffic does come down the VPN but then gives the error "according to policy packet should not have been decrypted".
I also tried to ADD networks in SiteC and SiteA into HUB CPGateway's encryption domain; this made no difference. I was thinking that R80.40, which allows for different encryption domains per VPN community, may assist me with this.
(Or do I need to change a user.def file?)
I did see a whole section in the manual where they use the vpn_route.conf file to route traffic between VPNs, but in that scenario all the gateways were CP gateways and managed by the same Management station.
Is it possible to do it with R80.30? If yes, how?
If not, do you think it will be possible with R80.40?
Thanks in advance.
Hi,
This did work with the help of the R80.40 different Encryption domains for each community. (could not do it without this)
Also used the vpn_route.conf to allow the inter vpn routing on the Check Point Hub Gateway. (only for traffic to go into the Domain based VPN - the VTI just worked with routing.)
No NAT necessary, but obviously the correct routing was required on both the 3rd party VTI VPN side and the 3rd party Domain based side.
Very impressed this worked:-) Love R80.40 now!!!
First time I have ever seen the VPN routing Icon --great stuff!!
Hi Phoneboy,
Only one of the vpns is a VTI.
The other VPN is a normal domain based VPN.
As mentioned, the customer wants to route via the Check Point "hub" from the one to the other.
(obviously there are additional vpns that I don't want to break in the process)
Thanks
Hi, I have the same issue with vpn_route.conf. How do you put an Interoperable Device in your vpn_route.conf?
Thanks
Hi Ara_Zohrabian,
The format I used was
<Remote_Encryption_Domain_subnet> <Remote_vpn_peer> <Local-Gateway>
All the names are as per the objects names in the policy.
Hope that helps.
Regards
Hi, to be able to reach 10.200.0.0/19 (SiteC) from 10.0.0.0/13 (SiteA), you must add 10.0.0.0/13 in the HubCPgateway encryption domain to SiteC. But I am always receiving the error "according to policy packet should not have been decrypted" because 10.0.0.0/13 cannot be in both VPNs (the route-based VPN and the domain-based VPN). Do you have an idea?
Thanks
You can't have overlapping encryption domains regardless of whether it's domain or route-based VPNs.
That can only be resolved by renumbering or NAT.
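As an added example (not from this thread and not a Check Point tool), a small Python preflight that parses the three-column vpn_route.conf format quoted above, resolves hypothetical object names to the thread's subnets, and flags encryption domains of two different gateways in the same community that overlap, which is the condition behind the "should not have been decrypted" error. The BEFORE table models one hub domain shared by every community (what the original poster had on R80.30); AFTER models the R80.40 per-community domains that made the setup work.

```python
import ipaddress

# Constructed sample in the three-column format quoted above:
# <Remote_Encryption_Domain_subnet> <Remote_vpn_peer> <Local-Gateway> (hypothetical names)
SAMPLE_VPN_ROUTE_CONF = """\
# Destination   Next hop (VPN peer)   Install on gateway
SiteC_Net       SiteC_Peer            HubCPgateway
"""
# Constructed object table (hypothetical names -> the thread's subnets);
# strict=False below accepts 10.200.0.0/19 exactly as the thread writes it.
OBJECTS = {"SiteA_Net": "10.0.0.0/13", "SiteC_Net": "10.200.0.0/19", "Hub_Net": "172.16.9.0/24"}

def parse_vpn_route_conf(text):
    """Return (destination, next_hop, install_on) triples; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) != 3:
            raise ValueError(f"expected 3 columns: {raw!r}")
        entries.append(tuple(cols))
    return entries

def find_overlaps(communities, objects=OBJECTS):
    """communities: {community: {gateway: [objects in its encryption domain]}}. Flags two
    different gateways in one community whose domains overlap (the 'should not have been
    decrypted' condition)."""
    hits = []
    for comm, members in communities.items():
        flat = [(gw, name, ipaddress.ip_network(objects[name], strict=False))
                for gw, names in members.items() for name in names]
        for i, (gw1, n1, net1) in enumerate(flat):
            for gw2, n2, net2 in flat[i + 1:]:
                if gw1 != gw2 and net1.overlaps(net2):
                    hits.append((comm, gw1, n1, gw2, n2))
    return hits

# One hub domain shared by both communities (as on R80.30): SiteA_Net is in the hub's
# domain and in the VTI peer's domain, so the VTI community conflicts.
BEFORE = {
    "SiteA_VTI": {"HubCPgateway": ["Hub_Net", "SiteA_Net"], "SiteA_Peer": ["SiteA_Net"]},
    "SiteC_Domain": {"HubCPgateway": ["Hub_Net", "SiteA_Net"], "SiteC_Peer": ["SiteC_Net"]},
}
# Per-community domains (R80.40): SiteA_Net sits only in the hub's domain toward SiteC.
AFTER = {
    "SiteA_VTI": {"HubCPgateway": ["Hub_Net"], "SiteA_Peer": ["SiteA_Net"]},
    "SiteC_Domain": {"HubCPgateway": ["Hub_Net", "SiteA_Net"], "SiteC_Peer": ["SiteC_Net"]},
}
```

Running find_overlaps(BEFORE) reports the hub/SiteA clash in the VTI community, while find_overlaps(AFTER) returns nothing, matching the thread's outcome.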