CPUG: The Check Point User Group


Thread: Remote Access VPN traffic route it through Site-Site VPN

  1. #1
    Join Date: 2012-06-13 | Posts: 343 | Rep Power: 6

    Remote Access VPN traffic route it through Site-Site VPN

    Hi Team,


    How do I implement below scenario where I have two firewalls one is CP and other Fortinet. I have built VPN between CP/Fortinet
    CP Enc Dom - 192.168.100/24, 192.168.101.0/24
    Office Mode Pool - 172.16.3.0/24

    Fortinet Enc Dom - 10.1.1.0/24

    Remote Access VPN users connect to Check Point with an Office Mode pool IP from 172.16.3.0/24, and I need to connect to the 10.1.1.0/24 segment, which is behind Fortinet.

    I guess once the user is through the RA VPN, I'm not sure if I'll be able to route him through the IPsec Site-to-Site tunnel?

  2. #2
    Join Date: 2007-03-30 | Location: DFW, TX | Posts: 198 | Rep Power: 12

    Re: Remote Access VPN traffic route it through Site-Site VPN

    It depends. Doing this domain-based for remote access, then route-based for the site-to-site would be pretty simple. I think you can do this with purely domain-based VPNs, but I am not able to test right now.

    Build a separate group for your remote access encryption domain. In that group, include 192.168.100/24, 192.168.101.0/24, and 10.1.1.0/24. Optionally, I think hub-mode would also achieve this goal.

    Add 172.16.3.0/24 to your site-to-site encryption domain. Communicate this to the Fortinet side so they modify their configuration to include it as well.

    This should get it working. This is my expectation of what should happen:
    1. The Fortigate's network in your remote access encryption domain should convince the client to send traffic destined for that network over the tunnel to your Check Point box.
    2. The Check Point box will receive it, decrypt it, then make the decision to encrypt it again (source is in my encryption domain, destination is in a peer's: flag for encryption to that peer).
    3. The Check Point box will route the traffic, then between o and O, it will encrypt it to the Fortigate.
    4. The Fortigate should receive it, decrypt it, see the source is in the Check Point's allowed sources and the destination is in the Fortigate's network.
    Zimmie

  3. #3
    Join Date: 2012-06-13 | Posts: 343 | Rep Power: 6

    Re: Remote Access VPN traffic route it through Site-Site VPN

    Somehow that is not working. Will rule sequence matter in this case? I mean, the Remote Access VPN rules are below?

  4. #4
    Join Date: 2012-06-13 | Posts: 343 | Rep Power: 6

    Re: Remote Access VPN traffic route it through Site-Site VPN

    Hello,

    I did achieve that, but not through the method that was specified. I did a little tweak.

    I hide-NATted the Office Mode pool behind one of the internal interfaces of the firewall, so the rule looks like this:

    OS 172.16.3.0/24
    OD 10.1.1.0/24
    XS 192.168.100.1 [H]
    XD ORIG

    And in the logs it started showing as VPN Routing.

  5. #5
    Join Date: 2007-03-30 | Location: DFW, TX | Posts: 198 | Rep Power: 12

    Re: Remote Access VPN traffic route it through Site-Site VPN

    Huh. You shouldn't need to have the hide NAT. That makes me suspect the Fortigate is not accepting negotiations for your Office Mode network block.

    If you're satisfied with keeping the NAT in place, there's no real reason to change it. If you want to remove the NAT (to help simplify troubleshooting, for example), I would start looking at the Fortigate's VPN config.
    Zimmie
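A model of the decision sequence Zimmie lays out in post #2, with post #4's hide-NAT variant and the peer-side check post #5 suspects is failing, written as an added Python example (not code from the thread, from Check Point or from Fortinet). The networks are the ones posted in the thread; the host addresses, the `SiteToSite`/`HideNat` classes and the `gateway_forward` function are assumptions made for illustration, and the peer's accepted-source list stands in for the Fortigate's phase-2 selector.

```python
"""Model of the domain-based VPN decision described in this thread.

Added example; not code from the thread, from Check Point or from Fortinet.
The networks are the ones posted; host addresses, class and function names
are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Networks from the thread ("192.168.100/24" read as 192.168.100.0/24).
CP_LAN = [ip_network("192.168.100.0/24"), ip_network("192.168.101.0/24")]
OFFICE_MODE = ip_network("172.16.3.0/24")
FORTINET_LAN = ip_network("10.1.1.0/24")


def in_domain(addr: str, domain: List[IPv4Network]) -> bool:
    """True when addr falls inside any network of an encryption domain."""
    a = ip_address(addr)
    return any(a in net for net in domain)


@dataclass
class SiteToSite:
    """A domain-based site-to-site tunnel as both ends see it (assumed model)."""
    name: str
    local_domain: List[IPv4Network]          # sources Check Point will encrypt from
    peer_domain: List[IPv4Network]           # destinations Check Point will encrypt to
    peer_accepts_sources: List[IPv4Network]  # remote sources the Fortigate will negotiate for


@dataclass
class HideNat:
    """Post #4's manual rule: original src/dst -> translated src (hide), dst unchanged."""
    orig_src: IPv4Network
    orig_dst: IPv4Network
    xlate_src: IPv4Address


def client_uses_tunnel(dst: str, ra_domain: List[IPv4Network]) -> bool:
    """Step 1: the remote-access client only tunnels destinations inside the RA encryption domain."""
    return in_domain(dst, ra_domain)


def gateway_forward(src: str, dst: str, tunnel: SiteToSite,
                    nat: Optional[HideNat] = None) -> Tuple[str, str]:
    """Steps 2-4: after decrypting the RA packet, apply NAT, then decide whether to
    re-encrypt towards the peer. Returns (outcome, source address as sent)."""
    if nat and in_domain(src, [nat.orig_src]) and in_domain(dst, [nat.orig_dst]):
        src = str(nat.xlate_src)                       # hide NAT is applied before the VPN match
    if not (in_domain(src, tunnel.local_domain) and in_domain(dst, tunnel.peer_domain)):
        return "not-encrypted", src                    # no community matches: plain routing
    if not in_domain(src, tunnel.peer_accepts_sources):
        return "peer-rejects", src                     # post #5: Fortigate won't negotiate this block
    return "encrypted", src


def scenarios() -> dict:
    """The configurations discussed in the thread, evaluated for one Office Mode client."""
    src, dst = "172.16.3.10", "10.1.1.5"              # constructed sample hosts
    ra_domain = CP_LAN + [FORTINET_LAN]               # post #2: add 10.1.1.0/24 to the RA domain
    assert client_uses_tunnel(dst, ra_domain)

    original = SiteToSite("cp-fortinet", CP_LAN, [FORTINET_LAN], CP_LAN)
    post2_both = SiteToSite("cp-fortinet", CP_LAN + [OFFICE_MODE], [FORTINET_LAN],
                            CP_LAN + [OFFICE_MODE])   # both sides add the Office Mode pool
    post2_cp_only = SiteToSite("cp-fortinet", CP_LAN + [OFFICE_MODE], [FORTINET_LAN],
                               CP_LAN)                # Fortinet side never updated
    nat = HideNat(OFFICE_MODE, FORTINET_LAN, IPv4Address("192.168.100.1"))

    return {
        "original":      gateway_forward(src, dst, original),
        "post2_both":    gateway_forward(src, dst, post2_both),
        "post2_cp_only": gateway_forward(src, dst, post2_cp_only),
        "post4_nat":     gateway_forward(src, dst, original, nat),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:14s} -> {result}")
```

The `post2_cp_only` case is the one post #5 points at: Check Point flags the packet for encryption, but if the Fortigate's selector still only lists the Check Point LANs, the Office Mode source is never negotiated. The hide NAT in post #4 sidesteps that by presenting a source the Fortigate already accepts, which is why it works without touching either encryption domain.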
