This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
stallwoodj
Collaborator
Collaborator
‎2023-10-13 09:38 AM
Jump to solution

VSX VTI with static routes

Hi,

 

Are there any plans to enable static routing for VTI's in VSX?

I've created the VTI as per the manual (R81.10 manager and gateway), and got the interface in topology. However it doesn't add a route for the peer IP into the table, which means that any static routes via peer IP are unresolvable and thus rejected.

Ideally we'd have unnumbered tunnels and routing with interface next-hops, but that's still not supported either 😞

 

Thanks

Jamie

 

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
Employee Employee
Employee
‎2023-10-13 04:54 PM
Jump to solution

R81 introduced VTI support for VSX but only with dynamic routing to my knowledge.

"Configure Dynamic Routing VPN through Virtual Tunnel Interface (VTI) in VSX mode."

 

Maybe post R82 but please check it with your local SE who can raise any needed RFEs.

 

CCSM R77/R80/ELITE

View solution in original post

3 Replies
PhoneBoy
Admin
Admin
‎2023-10-13 01:32 PM
Jump to solution

I don't believe this is unsupported...otherwise, this thread would not have happened: https://community.checkpoint.com/t5/Security-Gateways/Routing-not-working-towards-VTI/m-p/121522#M17... 

I would check with the TAC: https://help.checkpoint.com

0 Kudos
stallwoodj
Collaborator
Collaborator
‎2023-10-19 09:25 AM
In response to PhoneBoy
Jump to solution

As it happens it turned out when I ran the vsx_util to create the VTI, it allowed me to use the same IP for BOTH ends of the numbered tunnel, without an error being thrown up either on the tool or in the vFW network topology! 

When I deleted and re-added the tunnel with the correct IP's a /32 route for the remote IP was injected into the VSX routing, with static routes to the remote IP appearing to be accepted (though I didn't confirm they actually did work).

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-10-13 04:54 PM
Jump to solution

R81 introduced VTI support for VSX but only with dynamic routing to my knowledge.

"Configure Dynamic Routing VPN through Virtual Tunnel Interface (VTI) in VSX mode."

 

Maybe post R82 but please check it with your local SE who can raise any needed RFEs.

 

CCSM R77/R80/ELITE

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events