This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Duane_Toler
MVP Silver
MVP Silver
‎2025-03-06 09:50 PM

You can't do it this way.

* Domain based VPNs take precedence over route-based VPNs.  If you have multiple communities, (some route-based, some domain-based), *AND* there's a chance of a pair of networks overlapping across the communities, then a domain-based VPN will be attempted.

* You can't have a VPN community with GwA having a VPN domain [with objects] defined, and GwB an empty VPN domain.  This won't trigger the route-based VPN domain code.

* Route-based VPNs need to be IKEv2 with Universal Tunnels (One subnet per gateway pair), for best effects (yes you can do it with IKEv1 but it's not as compatible; just avoid it).

* You mention cluster, with BGP, so you'll want to consider:

  • unnumbered VTIs
  • create a loopback on the cluster members (because VTIs are unnumbered)
  • attach the VTI to the loop00 interface on each member (VTI has to proxy off of something)
  • create a cluster VIP for the loop00 interface in the gateway topology (VIP is the BGP peering point)
  • configure eBGP with multi-hop and TTL 2 or 3 (2 should be enough) (because loop00 is 2 hops across the VTI)
  • configure the remote gateway's BGP peer to use the loop00 VIP (the purpose of this mission)
  • add a static route to the loop00 VIP onto the local vpnt interface (nexthop gateway logical vpnt#)

The static route establishes reachability to the BGP peer loop00 (because the eBGP peer is now 2 hops away).

Using loop00 VIP for eBGP on route-based VPNs is the best way to go.  You can then build your routemap policies as needed.

You can even enable BFD (ip-reachability-detection) for the BGP peers; be sure to use "ip-reachability-detection multihop local-address <ip of loop00>" on the BGP configuration.  This is because BFD must originate from the BGP peer IP.

 

Tread carefully with mixing route-based and domain-based VPNs.  You'll almost certainly want to use Encryption Domains per Community instead:

* Edit community

* Click on a gateway in the list

* Click the pencil icon (or double-click) to open a new VPN domain window for the gateway

You can choose a new VPN domain group to be active per community.  This has some other limitations, but overall it works well. 

 

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
(2)
Who rated this post