Exonix
Advisor
Route Base VPN with Cisco

Hello everyone,

Please tell me if I'm on the right track. I saw some videos and tutorials, but they are all for a clustered connection.

On our side we have CP R80.40; the remote side has a Cisco router. They want a route-based VPN. What I will do:

1. create VTI in GAIA:

route_based_vpn.png

2. create an Interoperable Device with the Cisco public IP

3. create a VPN Community with an empty encryption domain (a VPN Community just like for a policy/domain-based VPN)

4. add a static route: remote network behind the VTI

5. something else?

Thank you in advance!

Accepted Solutions
Exonix
Advisor

Unfortunately we didn't manage to make GRE over IPsec work on the CP R80.40. We have temporarily installed another server until we upgrade CP to R81.

15 Replies
the_rock
Legend

MAKE SURE the remote address is the one used as the default gateway for the static route to the remote site.

Check out this post:

Andy

It's a cluster, but you get the idea. If you need help, we can do a remote session after hours.

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-failover-issue/m-p/155553#M265...

RS_Daniel
Advisor

Hello,

The "peer" parameter is NOT the public IP address of the peer. It is the name of the object you created in SmartConsole for the Cisco device. So you should switch steps 1 and 2. Also, the static routes should use the VTI interface as next hop and not an IP address. I have had some issues using an IP address instead of the interface.

One missing step (should be number 3 in your example) is Get Interfaces on your R80.40 gateway object in SmartConsole. It is not possible to create a VTI interface manually; it must be fetched by a Get Interfaces. I would use Get Interfaces without the topology option.

And of course you must have rules that allow the traffic. I think that is all.

Regards
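As an added illustration (not posted by anyone in this thread), the Gaia clish side of the corrected order of steps: the Interoperable Device object exists first, the numbered VTI references it by object name rather than by public IP, and the static route points at the logical vpnt interface instead of an IP next hop. The object name Cisco_Router, the tunnel addresses 10.10.10.1/10.10.10.2 and the remote network 192.168.200.0/24 are constructed placeholders.

```clish
# Assumption: an Interoperable Device object named "Cisco_Router" has already been
# created in SmartConsole (this is the former step 2, now done first).

# Former step 1: create a numbered VTI. "peer" is the SmartConsole object NAME,
# not the Cisco public IP address. Tunnel IPs are constructed examples.
add vpn tunnel 1 type numbered local 10.10.10.1 remote 10.10.10.2 peer Cisco_Router

# Make sure the new interface is administratively up
set interface vpnt1 state on

# Former step 4: static route to the remote network via the logical VTI interface,
# not via an IP next hop (remote network is a constructed example)
set static-route 192.168.200.0/24 nexthop gateway logical vpnt1 on

# Persist the Gaia configuration before fetching interfaces in SmartConsole
save config

# Verification: the VTI should be listed and the route should point at vpnt1
show vpn tunnels
show route
```

After `save config`, run Get Interfaces (without topology) on the gateway object in SmartConsole so vpnt1 appears there, then add the interoperable device to the VPN Community with an empty encryption domain and install policy.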

the_rock
Legend

Yes, very true about the peer, totally missed that part; it is indeed the NAME of the interoperable object.

Andy

Exonix
Advisor

Thanks for the suggestions. One more question: Get Interfaces with or without topology?

If I choose with, it changes all interfaces... I'm getting more than 100 changes in total.

If I choose without, it also changes all interfaces; I'm getting ~26 changes (because I have ~26 interfaces) even though I don't see any in SmartConsole. To be honest, I have no desire to change any productive interfaces... What should I do?

interfaces_without_topology.png

the_rock
Legend

I never do it with topology, always without... if you do it with the topology option, it will reset everything to default.

Andy

RS_Daniel
Advisor

Hello,

I would use Get Interfaces without topology. I understand what you say; it happens to me every time I create a new route-based VPN. I am not sure why those changes appear, but it always happened every time I created a new VTI, and the configuration never changed, so you could safely publish. If you want to be sure, you can check your previous configuration with the Policy Installation History feature. It will open a new SmartConsole in read-only mode with the policy you had before doing the fetch, and you will be able to compare the interface configuration.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SecurityManagement_AdminGuid...

Regards

Exonix
Advisor

Thanks RS_Daniel, thanks

SmartView shows me the tunnel is UP, but in the logs I see all GRE traffic is rejected. I don't remember any documentation telling me to allow some traffic... Should I?

gre1.png

RS_Daniel
Advisor

Hello,

Is this a GRE tunnel? XD That would have been a good piece of information at the beginning, jaja. GRE is supported starting in R81. From sk92845:

Generic Routing Encapsulation (GRE) Tunnels are not supported on Gaia OS running versions lower than R81.

Starting from R81, GRE Tunnels are supported.

Note: This is relevant to CloudGuard, as well as in physical appliances.

For R81 or newer versions:

https://support.checkpoint.com/results/sk/sk169794

Regards

Exonix
Advisor

Hi RS_Daniel,

yes, I've just got new info that this is GRE over IPsec.

Off topic: do we always need a GRE interface for a GRE tunnel?

Exonix
Advisor

I found an article saying that CP supported GRE over IPsec even in 2011. I understand that it is a different CP, but still... Can we configure GRE over IPsec?

GRE over IPsec - Checkpoint 572

the_rock
Legend

I'm pretty sure it's still supported, as per below.

Andy

https://support.checkpoint.com/results/sk/sk169794

Exonix
Advisor

Hello the_rock,

I'm sorry, but your link is about GRE tunnels, which are not supported in R80.... It was already sent by RS_Daniel.

the_rock
Legend

Right, but I'm fairly sure it's still supported.

Andy

Exonix
Advisor

Unfortunately we didn't manage to make GRE over IPsec work on the CP R80.40. We have temporarily installed another server until we upgrade CP to R81.

the_rock
Legend

Fair enough. You may as well go with R81.20, as it's recommended and super stable.

Andy
