CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Tim Hall has done it again! He has just released the 2nd edition of "Max Power".
Rather than get into details here, I urge you to check out this announcement post.
It's a massive upgrade, and well worth checking out. -E


Results 1 to 3 of 3

Thread: VPN Communities and routing between them

  1. #1
    Join Date
    Rep Power

    Default VPN Communities and routing between them

    This is going to come across as a dumb question here I am sure, but for the sake of my understanding please bear with me. I have attached a crude diagram so that it may be more easily conveyed.

    Rough Generic Site diagram.pdf

    Versions: R80 management, R77.30 5000 cluster with R77.20 1470's.

    Say we have a VPN community, we’ll call it 1, with remote sites that use 1470’s and a central 5000 cluster.

    We want it to be able to route or talk to VPN communities 2 and 3, which are to cloud infrastructure providers. They are not using Checkpoint devices.

    In my traditional way of thinking, all the remote sites come back to the 5000 cluster, which in this case would be able to direct the traffic correctly based on route (or policy route).

    When I read Checkpoint’s guides for configuring this, though, my lack of knowledge of Checkpoint makes me keep second-guessing everything I think of. Some of the engineers I’ve spoken with have been less than helpful in most cases so far, pointing me to various edits of vpn_routes.conf but with no real guidance. I'm not sure which way to go here, is there anyone who could steer me in the correct direction?

  2. #2
    Join Date
    Rep Power

    Default Re: VPN Communities and routing between them

    Enable Hub Mode on the VPN Gateway. Founder under VPN Clients / Remote Access

    Configure VPN Routing on the Star Community with the Central and Satellite to Allow to Connect to Central, Satellites and Internet so that can pass the traffic onwards.

    Then simply wrote rules permitting traffic from Source to Destination that passed across 1 Site to Site VPN to another. Left the VPN Column as Any.

    That worked for me in R77.x releases.

  3. #3
    Join Date
    Rep Power

    Default Re: VPN Communities and routing between them

    I see where this should normally be straight forward, however our configuration is a causing this to be a bit more complex; so here's the details:

    brief overview -

    VPN routing:
    5000 cluster is in HUB mode
    Community 1 - to center and satellites through center
    Community 2 - to center only
    Community 3 - to center only

    Our VPN domain for Community 1 excludes the remote site subnets which overlap existing declarations. So for example, 172.17 /16 and 172.18 /16 are in the encryption domain for Community 1, but the remote site subnet of 172.18.12 /24 is excluded from this. The remote gateway that holds 172.18.12 /24 is participating in Community 1, however, and can send the traffic back to all other peers participating in community 1 and everything within the encryption domain. Traffic destined for the internet at large will go out of the default gateway/modem at the remote site.

    Communities 2 and 3 were set up to facilitate a connection to other VPN entities, and therefore have their own encryption domains with the assumption that the 5000 cluster would be able to route the remote members of Community 1 automatically just by virtue of it knowing the routes to these communities (2 and 3). This seems to not be the case, as anything attempting to routing from a remote gateway to Community 3, for example, will just take the default gateway to the internet and never be seen as interesting or VPN traffic - thusly becoming discarded by internet routers as a whole at some point.

    So my question becomes - how do I tell the remote gateway in Community 1 that, for traffic living on Community 3, which has an encryption domain of 172.31 /16, to go back to the 5000 cluster and use Community 3 instead of out to the internet? Is it possible?

    I've tried a few different things, but so far no luck and in some cases it just breaks things. For example, changing VPN routing for Community 1 to allow for routing to center, through center and to other VPN and internet targets seems to then direct all traffic from the remote gateway back to the 5000 cluster, which is an undesirable result given our current configuration.

Similar Threads

  1. Problem routing between star communities (R77.30)
    By noqnoq in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 2
    Last Post: 2018-02-28, 19:23
  2. routing between 2 separate star communities on a gateway r77.20
    By bhavinjbhatt in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 8
    Last Post: 2015-09-28, 14:19
  3. VPN Routing Issue - 2 similarily defined VPN communities
    By hotice_ in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 2
    Last Post: 2009-02-04, 11:40
  4. functioning of vpn communities
    By sebastan_bach in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 5
    Last Post: 2008-05-27, 15:04
  5. 2 Different VPN communities and 1 BIG problem
    By Ckiller in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 3
    Last Post: 2007-01-18, 20:39


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts