CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Problem routing between star communities (R77.30)

  1. #1 noqnoq (joined 2014-09-09, 1 post)

    Problem routing between star communities (R77.30)

    I have two star communities configured with a common Check Point hub. The satellites in each community are not Check Point devices.

    I need to route traffic from community A to community B, hide-NATing both source and destination so neither community has visibility of the actual addresses they are accessing.
    I have enabled routing "to the centre or through the centre to other satellites, to internet and other VPN targets".
    Traffic is arriving at the hub gateway and the NAT is being done; fw monitor -p all shows all stages accepted, but traffic does not appear to get routed correctly.
    I have tried to use vpn_route.conf to specify the routing, but this does not work with 3rd-party satellites and installation of the policy fails.
    Anyone got any ideas?

  2. #2 ShadowPeak.com (joined 2009-04-30, Colorado, USA, 2,229 posts)

    Re: Problem routing between star communities (R77.30)

    In reply to noqnoq (#1, quoted in full above):

    I don't know if VPN Routing is possible with non-Check Point satellites; you may need to employ Policy-Based Routing (PBR) to force traffic to go the right way at the hub. Remember that the order of operations for this will be: source IP antispoof check, decrypt, policy check, destination NAT, route by IP, destination IP antispoof check, source NAT, encrypt.

    However, what you are trying to do is a textbook example of how a route-based VPN works, but it will require disabling CoreXL completely on your gateway since you are using R77.30. This CoreXL limitation is lifted in R80.10 gateways.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3 (joined 2011-08-02, location http://spikefishsolutions.com, 1,632 posts)

    Re: Problem routing between star communities (R77.30)

    In reply to ShadowPeak.com (#2, quoted in full above):

    I did this using domain-based VPN and 3rd party: pfSense -> IPsec -> Check Point -> IPsec -> pfSense.

    http://blog.spikefishsolutions.com/2...ay-as-hub.html

    Man, I hope I combed that for spelling mistakes.

    The pfSenses terminate a VPN on the Check Point and don't know about each other. I think the key was making sure the encryption domain of the remotes doesn't overlap (including NATs) with the encryption domain of the center gateway.
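As an added illustration (editor's example, not code from either poster or from Check Point), the model below walks a packet through the order of operations ShadowPeak.com lists in #2 and then applies the non-overlapping-domain check from #3. Every address, peer, rule and route in it is constructed, and it rests on one simplifying assumption stated in the code: each third-party satellite only holds a tunnel between its own encryption domain and the hub's domain, so the hub decides which tunnel to encrypt into from the post-NAT source/destination pair. The class and function names (Hub, Peer, process, domain_overlaps) are the editor's, not product terms.

```python
"""Model of the hub-side packet path stated in the thread (src antispoof ->
decrypt -> policy -> dst NAT -> route -> dst antispoof -> src NAT -> encrypt)
plus the encryption-domain overlap check. Every address, peer and rule here
is constructed for illustration; this is an editor's model, not Check Point code."""
import ipaddress
from dataclasses import dataclass, replace


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def contains(networks, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)


@dataclass
class Peer:
    name: str
    domain: list          # encryption domain of this third-party satellite


@dataclass
class Hub:
    domain: list          # hub encryption domain as the satellites see it
    peers: list
    policy: list          # (src cidr, dst cidr) pairs accepted, matched pre-NAT
    static_dnat: dict     # published IP -> real IP
    hide_snat: list       # (src cidr, hide-behind IP)
    routes: dict          # cidr -> egress interface
    topology: dict        # interface -> networks behind it (antispoof)

    def route(self, ip):
        """Longest-prefix match, as the OS routing table does it."""
        addr = ipaddress.ip_address(ip)
        best = None
        for cidr, iface in self.routes.items():
            n = ipaddress.ip_network(cidr)
            if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, iface)
        return best[1] if best else None

    def process(self, src, dst, ingress):
        """One packet that just arrived inside the tunnel from `ingress`."""
        stages = []
        # 1-2. source antispoof + decrypt: inner src must be in the ingress peer's domain
        if not contains(ingress.domain, src):
            return stages, f"drop: {src} fails antispoof for {ingress.name}"
        stages.append("decrypt")
        # 3. policy check on the ORIGINAL addresses
        if not any(contains(nets(s), src) and contains(nets(d), dst) for s, d in self.policy):
            return stages, "drop: no matching rule"
        stages.append("policy")
        # 4. destination NAT
        dst = self.static_dnat.get(dst, dst)
        stages.append(f"dnat->{dst}")
        # 5. route by IP, on the TRANSLATED destination
        iface = self.route(dst)
        if iface is None:
            return stages, f"drop: no route to {dst}"
        stages.append(f"route->{iface}")
        # 6. destination antispoof: translated dst must lie behind the egress interface
        if not contains(self.topology[iface], dst):
            return stages, f"drop: {dst} fails antispoof on {iface}"
        # 7. hide NAT of the source
        src = next((hide for cidr, hide in self.hide_snat if contains(nets(cidr), src)), src)
        stages.append(f"snat->{src}")
        # 8. encrypt: tunnel chosen by the translated pair. Assumption: the satellite
        #    only negotiated selectors for the hub domain, so the hidden source must be in it.
        egress = next((p for p in self.peers if contains(p.domain, dst)), None)
        if egress is None or not contains(self.domain, src):
            return stages, f"clear: {src}->{dst} matches no tunnel"
        return stages, f"encrypt to {egress.name}: {src}->{dst}"


def domain_overlaps(hub):
    """(peer, peer network, hub network) triples that overlap; should be empty."""
    return [(p.name, str(pn), str(hn))
            for p in hub.peers for pn in p.domain for hn in hub.domain if pn.overlaps(hn)]


# Constructed topology: two non-Check Point satellites, hub publishes NAT addresses only
A = Peer("sat-A", nets("10.1.0.0/24"))
B = Peer("sat-B", nets("10.2.0.0/24"))
HUB = Hub(
    domain=nets("192.0.2.0/24"),                       # only NAT addresses live here
    peers=[A, B],
    policy=[("10.1.0.0/24", "192.0.2.100/32"), ("10.2.0.0/24", "192.0.2.200/32")],
    static_dnat={"192.0.2.100": "10.2.0.50", "192.0.2.200": "10.1.0.50"},
    hide_snat=[("10.1.0.0/24", "192.0.2.1"), ("10.2.0.0/24", "192.0.2.2")],
    routes={"0.0.0.0/0": "eth0", "172.16.0.0/16": "eth1"},
    topology={"eth0": nets("0.0.0.0/0"), "eth1": nets("172.16.0.0/16")},
)
NO_HIDE_HUB = replace(HUB, hide_snat=[])                         # forgot the hide rule
BAD_HUB = replace(HUB, domain=nets("192.0.2.0/24", "10.0.0.0/8"))  # domain swallows satellites

if __name__ == "__main__":
    print(HUB.process("10.1.0.5", "192.0.2.100", A))
    print(NO_HIDE_HUB.process("10.1.0.5", "192.0.2.100", A))
    print(domain_overlaps(HUB), domain_overlaps(BAD_HUB))
```

Run as-is, the A-to-B packet is accepted on its published address, translated, routed on the translated destination and encrypted towards sat-B; with the hide rule removed the same packet leaves untranslated and matches no tunnel, and domain_overlaps flags a hub domain that swallows a satellite range. On a real gateway, confirm the equivalent with fw monitor -p all and the VPN logs rather than trusting the model.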
