CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: 1100 - site to site route based VPN

  1. #1
    Join Date
    2006-03-21
    Posts
    2
    Rep Power
    0

    Default 1100 - site to site route based VPN

    Hi,

    I have an 1100 running the latest version and need to set up a site-to-site VPN and route only HTTP/HTTPS traffic to that site.
    I'm able to create IPsec VPNs managed by the routing table, but this configuration doesn't allow me to set any source or service for the route, so I can't accomplish it this way.

    Is there another way to set up a site-to-site VPN on those smaller devices that will allow me to route traffic based on source and service?

    Thanks!
    Fabio

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,621
    Rep Power
    9

    Default Re: 1100 - site to site route based VPN

    Quote Originally Posted by fabiomeneses View Post
    Hi,

    I have an 1100 running the latest version and need to set up a site-to-site VPN and route only HTTP/HTTPS traffic to that site.
    I'm able to create IPsec VPNs managed by the routing table, but this configuration doesn't allow me to set any source or service for the route, so I can't accomplish it this way.

    Is there another way to set up a site-to-site VPN on those smaller devices that will allow me to route traffic based on source and service?

    Thanks!
    Fabio
    I haven't tried that before, but the route table seems to support that. Are you really using a VTI or are you doing domain-based VPN? Also, is this centrally managed by a smart center?

  3. #3
    Join Date
    2006-03-21
    Posts
    2
    Rep Power
    0

    Default Re: 1100 - site to site route based VPN

    Thanks for your response.
    It seems to support it, but when I try to set it up I get a message saying that source and service should be set to ANY.

    I'm managing this appliance locally; I don't have centralized management.

    Any ideas of how to set this up?

  4. #4
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,475
    Rep Power
    16

    Default Re: 1100 - site to site route based VPN

    VPN Service based link selection is not supported on the SMB appliances.
    It is listed as a known limitation.
    https://supportcenter.checkpoint.com...ionid=sk105380
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  5. #5
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,621
    Rep Power
    9

    Default Re: 1100 - site to site route based VPN

    Quote Originally Posted by PhoneBoy View Post
    VPN Service based link selection is not supported on the SMB appliances.
    It is listed as a known limitation.
    https://supportcenter.checkpoint.com...ionid=sk105380
    But couldn't you do that with PBR and a VTI?

  6. #6
    Join Date
    2005-08-14
    Location
    Gig Harbor, WA, USA
    Posts
    2,475
    Rep Power
    16

    Default Re: 1100 - site to site route based VPN

    Quote Originally Posted by jflemingeds View Post
    But couldn't you do that with PBR and a VTI?
    Except the WebUI is clearly not allowing this configuration.
    The fact it's limited as a known limitation suggests it's not an accident.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  7. #7
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,621
    Rep Power
    9

    Default Re: 1100 - site to site route based VPN

    Quote Originally Posted by PhoneBoy View Post
    Except the WebUI is clearly not allowing this configuration.
    The fact it's limited as a known limitation suggests it's not an accident.
    Challenge accepted!

    I made a bogus VTI interface, then added a PBR route. Next hop options are IP, interface, VTI VPN.

    If I choose a next hop of the remote VTI peer, it takes it. Granted, this is not much of a test and it could still not work.

    Btw, is this really link selection? I thought that had to do with picking the outbound interface for encryption? Could be very wrong.
