CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: 1100 - site to site route based VPN

  1. #1
    Join Date
    2006-03-21
    Posts
    2
    Rep Power
    0

    1100 - site to site route based VPN

    Hi,

    I have an 1100 running the latest version and need to set up a site-to-site VPN and route only HTTP/HTTPS traffic to that site.
    I'm able to create IPsec VPNs managed by the routing table, but this configuration doesn't allow me to set any source or service for the route, so I can't accomplish it this way.

    Is there another way to set up a site-to-site VPN on those smaller devices that will allow me to route traffic based on source and service?

    Thanks!
    Fabio

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,657
    Rep Power
    10

    Re: 1100 - site to site route based VPN

    Quote Originally Posted by fabiomeneses
    Hi,

    I have an 1100 running the latest version and need to set up a site-to-site VPN and route only HTTP/HTTPS traffic to that site.
    I'm able to create IPsec VPNs managed by the routing table, but this configuration doesn't allow me to set any source or service for the route, so I can't accomplish it this way.

    Is there another way to set up a site-to-site VPN on those smaller devices that will allow me to route traffic based on source and service?

    Thanks!
    Fabio

    I haven't tried that before, but the route table seems to support that. Are you really using a VTI, or are you doing domain-based VPN? Also, is this centrally managed by a SmartCenter?

  3. #3
    Join Date
    2006-03-21
    Posts
    2
    Rep Power
    0

    Re: 1100 - site to site route based VPN

    Thanks for your response.
    It seems to support it, but when I try to set it up I get a message saying that source and service should be set to ANY.

    I'm managing this appliance locally. I don't have centralized management.

    Any ideas on how to set this up?

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Re: 1100 - site to site route based VPN

    VPN Service based link selection is not supported on the SMB appliances.
    It is listed as a known limitation.
    https://supportcenter.checkpoint.com...ionid=sk105380
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,657
    Rep Power
    10

    Re: 1100 - site to site route based VPN

    Quote Originally Posted by PhoneBoy
    VPN Service based link selection is not supported on the SMB appliances.
    It is listed as a known limitation.
    https://supportcenter.checkpoint.com...ionid=sk105380

    But couldn't you do that with PBR and a VTI?

  6. #6
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,494
    Rep Power
    17

    Re: 1100 - site to site route based VPN

    Quote Originally Posted by jflemingeds
    But couldn't you do that with PBR and a VTI?

    Except the WebUI is clearly not allowing this configuration.
    The fact it's limited as a known limitation suggests it's not an accident.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  7. #7
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,657
    Rep Power
    10

    Re: 1100 - site to site route based VPN

    Quote Originally Posted by PhoneBoy
    Except the WebUI is clearly not allowing this configuration.
    The fact it's limited as a known limitation suggests it's not an accident.

    Challenge accepted!

    I made a bogus VTI interface, then added a PBR route. Next hop options are IP, interface, VTI VPN.

    If I choose a next hop of the remote VTI peer, it takes it. Granted, this is not much of a test and it could still not work.

    Btw, is this really link selection? I thought that had to do with picking the outbound interface for encryption? Could be very wrong.
