AmitS
Explorer

Site to Site VPN between two Check Point gateways with CMS

Hi Guys,

I have 2 locations, Site A and Site B, both of which have a Check Point gateway managed by the CMS located at Site A.
Site A has 2 ISP links, ISP-1 and ISP-2; we are using ISP-2 for the S2S VPN.

We want to create an S2S VPN between Site A and Site B.

The issue is that when we push this VPN config to the Site-B firewall, the policy install gets stuck at 50% and we lose access to the Site-B firewall.

So we perform unloadlocal, remove the VPN config for these two sites, and push the policy again, which is successful.

Due to this issue we are not able to create an S2S VPN between these two sites.

Can anyone help me with a solution to overcome this?

Quantum Force (Security Gateways) 

10 Replies
PhoneBoy
Admin

I suspect this is related to the other issue you posted about: https://community.checkpoint.com/t5/General-Topics/Checkpoint-Gateway-not-sending-logs-to-sms-over-w...
Fix that and you’ll probably fix this issue.

Also, if you’re using multiple ISPs and using a specific one for the VPN, you may need to configure Link Selection to ensure the correct IP on the correct link is used to establish the VPN.

AmitS
Explorer

The logging issue is resolved after reworking the NAT rules, but this issue is still not resolved.

Attaching a reference architecture diagram. All firewalls are Check Point, managed from Central Location-A with the central CMS.

The S2S VPN is established via ISP-2 at the Central Location. Each spoke location has a single ISP link.
the_rock
Legend

@PhoneBoy is correct... when using ISP redundancy, you would most likely need to change link selection in this case to reflect the correct external IP address presented.
AmitS
Explorer

Link selection is already configured with ISP-2 at site A.

Both the issues are different.

AmitS
Explorer

If I want to exclude control connections from the VPN, which services do I need to exclude, including FW1 and CPMI?

I think this might help in preventing the spoke from getting isolated.
PhoneBoy
Admin

Control Connections are already excluded from VPN.

AmitS
Explorer

Can anyone suggest a solution for how I can achieve this hub-and-spoke architecture, where spoke gateways are managed from public and the SMS is central?

I have been stuck with this for the last 15 days.
PhoneBoy
Admin

You're using ISP-2 for the VPN, yet using ISP-1 for the management traffic, correct?
That is probably what is causing your issue here since this is likely creating an asymmetric routing condition.
You should use the same ISP for both VPN and management traffic and your management NAT address should reflect this.
If you need to use a different ISP to manage different gateways, then you may need to put in some manual rules in place.
In any case, I recommend a TAC case to further assist you with this issue.

the_rock
Legend

PhoneBoy is right, it's already excluded by default.
Blason_R
Leader

First and foremost, if you are building a tunnel between gateways managed by the same SMS, then it will be a certificate-based tunnel and the certificates will be provided by the management server. Now, if the peer IP happens to be the policy push or SIC IP, then it would never happen. The policy push will never happen through the S2S tunnel due to implied rules, and implied rules do not have a VPN setting. In this case you can either disable Remote Control connections and try building manual rules for SIC/policy push, or NAT the management server behind another IP which is not a VPN IP.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS