SCSupport
Contributor

VPN Routing between VPNS - multiple hub and spokes in Smart-1 Cloud

Hello all,

I have a unique consideration and am wondering if anyone has anything creative.

I have a situation where, within one management server in Smart-1 Cloud, I have a design with multiple hubs and spokes, and many VPNs need to route via the gateway to get to other VPNs.

 

Examples are:

Remote access -> GW VA -> S2S VPN to Branch A

Remote access -> GW VA -> Branch B

Remote access -> GW ID -> Branch A

etc etc.

 

The obvious issue is that you can only enable the VPN routing option 'and to other VPN targets' on one community, so only one of the above examples works.

 

I believe to do this you have to use vpn_route.conf. That's fine, but how do you do this with Smart-1 Cloud?

Any suggestions if:

a) vpn_route.conf will solve this issue

b) if yes, any tips to getting this applied?

 

Also up for creative ideas on how this could work, apart from suggestions to use a jump box, unfortunately 😞

 

Thanks all 😄 


9 Replies
SCSupport
Contributor

Adding the topology below simplified. 

I have spoken to TAC, who have so far just suggested adding all the remote networks into the encryption domain of the RA community, which won't work on its own, as we know.

 

[attached image: simplified topology diagram]

 

the_rock
Legend

You can follow below:

https://community.checkpoint.com/t5/Security-Gateways/Routing-between-VPNs/td-p/90408

https://support.checkpoint.com/results/sk/sk26993

 

As far as modifying that file on S1C, that's a no-go, as ONLY .def files can be modified, as per below, so you need to get in touch with TAC to have them make the desired change.

Andy

 

[attached screenshot: list of files that can be modified on Smart-1 Cloud]

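For readers who do have a management server where the file is editable (or who need to tell TAC exactly what to put in it), here is what a vpn_route.conf for the topology in this thread could look like. This is an added illustration, not something posted in the thread and not taken from sk26993; the object names (GW_VA, GW_ID, Branch_A_Net, Branch_B_Net, Branch_A_GW, RA_OfficeMode_Pool) are assumed and have to match the SmartConsole object names exactly. The file is $FWDIR/conf/vpn_route.conf on the Security Management Server and has three whitespace-separated columns: Destination, Next hop router interface (the gateway that owns the tunnel), and Install on (the gateway that gets the route). Changes take effect after policy installation on the gateways named in the third column.

```text
# $FWDIR/conf/vpn_route.conf on the Management Server.
# Added example with assumed object names; not from the thread or from Check Point docs.
#
# Destination          Next hop router interface    Install on
#
# GW_ID has no site-to-site tunnel to Branch A or Branch B, but GW_VA does.
# Tell GW_ID to send traffic for those subnets into its tunnel to GW_VA,
# which then forwards it down its own S2S tunnel to the branch.
Branch_A_Net           GW_VA                        GW_ID
Branch_B_Net           GW_VA                        GW_ID

# Return path. If Branch_A_GW is a Check Point gateway managed by this same
# server, it needs a route back to the remote-access clients' Office Mode
# pool via GW_VA; otherwise the branch only sees GW_VA's own domain.
RA_OfficeMode_Pool     GW_VA                        Branch_A_GW
```

Two caveats that the thread itself raises: the routed subnets still have to be inside the encryption domain that the remote-access community hands to the client (the TAC suggestion above), otherwise the client never sends that traffic into the tunnel in the first place; and on Smart-1 Cloud you cannot place this file yourself, so the entries have to go to TAC, or you use the star-community approach accepted later in this thread.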
SCSupport
Contributor

Hey,

 

Thanks for the response.

 

Would you agree that vpn_route is the way to go about this to make this work? 

If so - I will chase TAC on this.

the_rock
Legend

Yes AND yes : - )

Andy

the_rock
Legend

The only other possible way to make this work without modifying that file that I can see is if you had ALL "affected" gateways in the same star community. If that were the case, then you could easily utilize vpn routing options.

Andy

SCSupport
Contributor

I think I tried this, but it didn't seem to work. Not sure why. I presume you mean, in relation to my topology above, that VPN A and B would be in the same Star community, both as satellites, with the VPN routing option obviously ticked to 'and to other VPN targets' on that community.

 

In theory then, you should be able to route from remote access to BOTH VPNs as they are part of the same star, right?

the_rock
Legend

Feel free to message me offline; happy to do a remote session if you want. And yes, the way you described works, I had done it before. This was possible ages ago, so the version you are on is totally irrelevant.

Andy

SCSupport
Contributor

You are correct. Fully working - no issues at all!

 

Just typically, I had attempted this at midnight last time and forgotten NAT rules etc.

 

Perfect, great solution, and the ONLY solution if you are using S1C.

 

Legend, have a great weekend.

the_rock
Legend

Legend, that's what SHE said -:)

Just kidding, no one ever said that 😂😂

Anywho, happy we could help!

Have a nice weekend mate.

Cheers,

Andy
