00071491
Contributor

Design and Concept: Acting as a Proxy Organization in VPN Tunnel

Hi All,

Running R80.40 and have a question regarding IP routing through a site-to-site VPN.  My Org has a private fiber connection to Company A, with one hop in between.  Company B and my org are standing up a new site-to-site VPN.  Company B needs access to data in Company A, using My Org as a connecting point.  CompA will not allow CompB to directly connect to them via VPN and CompA requires CompB to jump through My Org first.  This is atypical for us and we are unfamiliar with how this may work.

Question:  How can the VPN between My Org and CompB be set up to allow CompB access to the subnets at CompA?  My confusion is on my side of the VPN Domain and routing pass through.

Any ideas or suggestions would be appreciated.

Rory

4 Replies
Ruan_Kotze
Advisor

On your side you can do a Star community, with yourself as center and CompA and B as satellites.  Make sure to select the option route through center and to create the policies to allow traffic.

Assuming CompB is a Check Point not managed by your SMS, on that SMS you will have the encryption domain for the My Org firewall to include CompA.

00071491
Contributor

Thanks for the reply.  CompA and MyOrg are not connected via site-to-site VPN, just a secured fiber link between us.  I should have clarified better in the initial posting.  Unsure if the Star community as you described will still work in that case?  Could I still include the CompA subnets in my local encryption domain even though I don't provide those subnets?

I may be overthinking this design, but it's throwing me for a loop.

Ruan_Kotze
Advisor

Not necessary to change the community to Star, but I'm sure you will need to have CompA subnets in your encryption domain.  If not, your gateway will drop encrypted packets destined to CompA coming through the CompB tunnel (you'll get a log entry saying encrypted packet should be clear text).

You will need to double-check that your firewall routing is correct, also the CompA network will need to route return traffic via your gateway. Anti-Spoofing on the internal CP interface might also drop return traffic, so keep an eye on that.

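The three failure points Ruan_Kotze lists (decrypted packet whose destination is outside the local encryption domain, anti-spoofing on the interface the CompA reply arrives on, and whether the reply is encrypted back to CompB) as an added, simplified model written for this thread; it is not Check Point code, and the subnets are constructed assumptions.

```python
# Simplified model of the checks discussed in the thread. Illustrative only;
# it does not reproduce Check Point's actual VPN or anti-spoofing logic.
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumptions, not taken from the thread).
MYORG_NETS = [ip_network("10.10.0.0/16")]
COMPA_NETS = [ip_network("172.16.0.0/16")]
COMPB_NETS = [ip_network("192.168.50.0/24")]

def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)

def inbound_vpn_check(src, dst, peer_domain, local_domain):
    """Packet decrypted from a peer tunnel: source must be in the peer's
    encryption domain and destination in ours, otherwise it is dropped."""
    if not in_any(src, peer_domain):
        return "drop: source not in peer encryption domain"
    if not in_any(dst, local_domain):
        # The symptom described above: CompA is not in our domain, so the
        # gateway expected this traffic to arrive in clear text.
        return "drop: encrypted packet should be clear text"
    return "accept"

def antispoof_check(src, iface_topology):
    """Anti-spoofing: the source must belong to the networks defined
    behind the interface the packet arrived on."""
    return "accept" if in_any(src, iface_topology) else "drop: anti-spoofing"

def outbound_vpn_decision(src, dst, local_domain, peer_domain):
    """Domain-based VPN: encrypt only when src is in our domain and dst
    is in the peer's domain; anything else leaves in clear text."""
    if in_any(src, local_domain) and in_any(dst, peer_domain):
        return "encrypt"
    return "clear"

def simulate(local_domain, compa_iface_topology):
    """Walk one CompB -> CompA request and the CompA reply through the checks."""
    fwd = inbound_vpn_check("192.168.50.10", "172.16.5.20", COMPB_NETS, local_domain)
    spoof = antispoof_check("172.16.5.20", compa_iface_topology)
    ret = outbound_vpn_decision("172.16.5.20", "192.168.50.10", local_domain, COMPB_NETS)
    return fwd, spoof, ret
```

Running `simulate(MYORG_NETS, MYORG_NETS)` shows all three drops; adding `COMPA_NETS` to both the encryption domain and the interface topology makes the round trip pass.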
00071491
Contributor

I'll give that a try, thank you for the suggestions.  I'll report back our findings once we've had a chance to work with the other parties involved.
