This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
wp1
Explorer
Wednesday

VTI with policy based routing site2site question

Hi,

we have setup multiple VTI tunnels to remote sites (being either Checkpoints or other vendors) and use policy based routing to route all traffic from one or more internal subnet into tunnel (default gateway).

It now happened that one system within this local subnet needs to access services via VTI/PBR connection that have the same IP address as some local defined interfaces on our Checkpoint firewall.

Question is now: is it possible to use VTI/PBR to route all traffic from one or more local subnets to remote site - also including IP addresses that exist on local firewall?

Gateway is on R81.20.

Thanks and regards, W.

0 Kudos
5 Replies
the_rock
Legend
Legend
Wednesday

You can create route via web UI and use VTI interface for default gateway.

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee
Wednesday

I might not understand your question fully/clearly but locally initiated traffic from the gateway itself is a limitation of PBR.

Also is there a reason that you wouldn't resolve the IP conflict?

CCSM R77/R80/ELITE
0 Kudos
wp1
Explorer
Wednesday
In response to Chris_Atkinson

Imagine the following:

  +----------------------------+
  |                            |
  |      Checkpoint FW     +---+ vpntX +----- Customer network
  |                        |   |                |
  +--+-- vlan1 10.0.0.1/24-+   |                +-vlanX1 10.0.1.0/24---+-ServerX 10.0.1.1
  |  |                         |                |
  |  +-- vlan2 10.0.1.1/24     |                +-vlanX2 172.16.0.0/24-+-Server ....
  |  |                         |
  |  +-- vlan3 10.0.2.1/24     |
  |  |                         |
  |  +-------------------------+
  |
  +-- Server1 10.0.0.2

Local Network vlan1 is connected via vpntX to customer network. We use policy based routing and have set "default route"in policy table to route all traffic  via tunnel to customer network.

This would allow customer to have access to all local servers (within subnet 10.0.0.0/24) from remote networks and we do not have to take care which remote network exist. In addition we route all traffic from system Server1 to customers network to allow them full control of what can be accessed.

Now we have the Server1 in local vlan1 with IP 10.0.0.2 which needs to access ServerX on customer network vlanX1 (10.0.1.1) where this IP is already assigned to local IP interface for vlan2 on our Checkpoint firewall.

Currently access fails because Checkpoint receives this packet and it's not forwarded to remote site.

Logfile clearly shows that packet is received by interface vlan1 and destination is interface vlan2. Error message says "Clear text packet should be encrypted".

0 Kudos
the_rock
Legend
Legend
Wednesday
In response to wp1

So that error message means its NOT encrypted currently, so fw thinks it should be encrypted. Thats usually something vpn domain related.

Andy

0 Kudos
wp1
Explorer
Wednesday
In response to the_rock

Not sure because when using PBR with setting of default gateway we have to use an empty network group in satellite gateway / vpn domain.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events