adamec
Contributor

route based VPN with remote access vpn

Hi guys,

We have a remote location where we terminate our remote access VPN, so there is a VPN community already populated and configured with IPs (hosts and networks).

Now we would like to configure a route-based VPN, and one of the steps to configure a S2S route-based VPN is to configure an empty VPN domain and set this empty VPN domain as the default choice: VPN Tunnel Interfaces (checkpoint.com)

But I cannot set an empty VPN domain there, as we are already using a domain for the Remote Access VPN.
What is a correct solution for our case?

CaseyB
Advisor

I have not configured a route-based VPN before, but if the prerequisite is an empty VPN domain, I would like to think you can accomplish that using the granular VPN domain feature in R80.40+. Once you add the gateway into the VPN community, you should have the option to edit it to a user-defined group on the gateway page.
the_rock
Legend

What version are you on?

Andy

adamec
Contributor

We are on R81.10
Bob_Zimmerman
Authority

Route-based VPNs only require one end to have an empty encryption domain. Just set the peer's to an empty group.

the_rock
Legend

I would not quite agree with that statement fully. We had a case with TAC for probably 2 months in 2021, and no matter what we tried and what advice we were given, the VPN would never work with just an empty group on the Azure interoperable object and an actual VPN domain group on the cluster end.

After so many hours of troubleshooting and who knows how many sessions, we ended up setting the cluster encryption domain to an empty group as well and got all 5 tunnels working just fine; never had an issue since.

Best,

Andy

Bob_Zimmerman
Authority

Not sure what to tell you. It definitely only needs one encryption domain to be empty. It worked that way when I wrote DTAC's troubleshooting guide for route-based VPNs with R60, and I have some VPNs working that way right now.

the_rock
Legend

I know, I was quite surprised myself as well. But, at the end of the day, it works, so I'm not too worried about it : - )

Andy

Gojira
Collaborator

Not sure I'm following you, but the empty encdom is on the target peer, as Bob Zimmerman mentions.

Also, the Remote Access encdom can be separate from the global S2S encdom.

You also have encdoms per community available to you:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/MicroCont...

the_rock
Legend

Not so sure I'm following either lol

Here is my question. Are you not able to change it as per the screenshot below?

Best,

Andy

Screenshot_1.png

adamec
Contributor

Yes, we did set it like on the screenshot, but we haven't finished the VPN configuration yet. I will keep you updated.

the_rock
Legend

Sure thing mate.

Best,

Andy

adamec
Contributor

Okay, it looks like encryption domains and communities work correctly, as on the screenshot.

😄 But somehow Check Point did break our network. We set up the route-based VPN with a VTI of the lowest possible priority as a backup route to our MPLS, and Check Point started sending traffic via the newly created VTI.

We are troubleshooting the issue, but your solution works. Something else broke the network.

the_rock
Legend

Well, as long as it works mate, I'm happy : - )

Best,

Andy
