Hi guys,
We have a remote location where we finish our remote access VPN. So there is a VPN community already populated and configured with IPs (hosts and networks).
Now we would like to configure a route-based VPN, and one of the steps to configure an S2S route-based VPN is to configure an empty VPN domain and set this empty VPN domain as the default choice. VPN Tunnel Interfaces (checkpoint.com)
But I cannot set an empty VPN domain there as we are already using a domain for Remote Access VPN.
What is a correct solution for our case?
I have not configured a route-based VPN before, but if the prerequisite is an empty VPN domain, I would like to think you can accomplish that using the granular VPN domain feature in R80.40+. Once you add the gateway into the VPN community, you should have the option to edit it to a user-defined group on the gateway page.
What version are you on?
Andy
We are on 81.10
Route-based VPNs only require one end to have an empty encryption domain. Just set the peer's to an empty group.
I would not quite agree with that statement fully. We had a case with TAC for probably 2 months in 2021, and no matter what we tried and what advice we were given, the VPN would never work with just an empty group on the Azure interoperable object and the actual VPN domain group on the cluster end.
After so many hours of troubleshooting and who knows how many sessions, we ended up setting cluster enc domain to empty group as well and got all 5 tunnels working just fine, never had an issue since.
Best,
Andy
Not sure what to tell you. It definitely only needs one encryption domain to be empty. It worked that way when I wrote DTAC's troubleshooting guide for route-based VPNs with R60, and I have some VPNs working that way right now.
I know, I was quite surprised myself as well. But, at the end of the day, it works, so not too worried about it :-)
Andy
Not sure I'm following you,
but the empty encdom is on the target peer, as Bob Zimmerman mentions.
Also Remote Access encdom can be separate to global S2S encdom.
You also have encdoms per community available to you:
Not so sure I'm following either lol
Here is my question. Are you not able to change it as per below screenshot?
Best,
Andy
Yes we did set it like on the screenshot but we haven't finished the VPN configuration yet. I will keep you updated
Sure thing mate.
Best,
Andy
Okay, it looks like encryption domains and communities work correctly like on the screenshot.
😄 But somehow Check Point did break our network. We set a route-based VPN with a VTI of the lowest possible priority as a backup route to our MPLS. Check Point started sending traffic via the newly created VTI.
We are troubleshooting the issue. But your solution works. Something else broke the network.
Well, as long as it works mate, I'm happy :-)
Best,
Andy