Friday, September 9, 2011

Creating a basic Route Based VPN between 2 Check Point Firewalls

Within this example we will build a Route Based VPN between 2 SPLAT R65 NGX Check Point Firewalls. Static Routes will be used to direct the traffic via the VPN Tunnel Interfaces.

In this example both Firewalls are managed by the same manager. The gateways are :

Site A - External 192.168.1.1 Inside 10.1.1.1
Site B - External 192.168.2.1 Inside 10.1.2.1

In order to build a route based VPN we need to create VPN Tunnel Interfaces. A VPN Tunnel Interface is a virtual interface on a VPN-1 module, which is associated with an existing VPN tunnel, and is used by IP routing as a point to point interface directly connected to a VPN peer gateway.

Virtual Tunnel Interfaces (VTI's)

VTIs can be created only on SPLAT and IPSO (3.9 or above), though you can only create numbered VTIs within SPLAT. A numbered tunnel interface has a unique IP address assigned to it, while an unnumbered tunnel interface does not.
In order to create VTIs you will need to ensure you are running SPLAT Pro and that the Dynamic Routing feature is enabled. You will also need the necessary license for this feature.

Steps

Create Object

Create a Group Object called Empty containing no objects within SmartDashboard. With an empty VPN Domain, the static routes through the VTIs, rather than the encryption domain, decide which traffic enters the tunnel.
Site A

Create the VTI by running the command on Site A's CLI (local tunnel address, peer tunnel address, then the peer gateway name):
vpn shell i a n 22.22.22.1 22.22.22.2 SiteB
Within the Gateway Object under Topology add your Object named Empty as your VPN Domain.
Within the Gateway Object under Topology use the "Get" icon to retrieve your new VPN Tunnel Interface (VTI).
Site B

Create the VTI by running the command on Site B's CLI (the mirror of Site A's command, with the tunnel addresses swapped):
vpn shell i a n 22.22.22.2 22.22.22.1 SiteA
Within the Gateway Object under Topology add your Object named Empty as your VPN Domain.
Within the Gateway Object under Topology use the "Get" icon to retrieve your new VPN Tunnel Interface (VTI).
General

Create a new Meshed Site-2-Site Community within the VPN Community Tab.
Under General select Accept All Encrypted Traffic
Under Participating Gateways add both Site A and Site B.
Push the Policy to both gateways.
Add Static Routes

On Site A add the following command via the CLI (the route sends Site B's inside network, 10.1.2.0/24, into the VTI facing Site B):
route add -net 10.1.2.0 netmask 255.255.255.0 dev vt-SiteB ; route --save
On Site B add the following command via the CLI (the mirror route, sending Site A's inside network, 10.1.1.0/24, into the VTI facing Site A):
route add -net 10.1.1.0 netmask 255.255.255.0 dev vt-SiteA ; route --save
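The two VTI commands and the two static routes above have to mirror each other exactly (tunnel addresses swapped, each gateway routing the other side's inside network via the VTI named after that peer), and a slip here is easy to make. The following script is an added example, not code from the original post or from Check Point: it generates the per-site commands from the topology given above and sanity-checks a route before it is typed in. It assumes the SPLAT "vpn shell i a n" and "route ... ; route --save" syntax shown in the post and that SPLAT names the interface vt-<peer name>; the site names, tunnel addresses and inside subnets are the post's example values.

```shell
#!/bin/sh
# Added example (not from the original post): build and cross-check the
# VTI and static-route commands for a two-site Check Point route based VPN.

# vti_cmd LOCAL_VTI_IP PEER_VTI_IP PEER_NAME
# Numbered VTI: local tunnel address, peer tunnel address, peer gateway name.
# SPLAT names the resulting interface vt-PEER_NAME.
vti_cmd() {
    printf 'vpn shell i a n %s %s %s\n' "$1" "$2" "$3"
}

# route_cmd PEER_INSIDE_NET NETMASK PEER_NAME
# Static route sending the peer's inside network into the VTI facing that peer.
route_cmd() {
    printf 'route add -net %s netmask %s dev vt-%s ; route --save\n' "$1" "$2" "$3"
}

# check_route LOCAL_INSIDE_NET PEER_NAME PEER_INSIDE_NET ROUTE_CMD
# Returns 0 when ROUTE_CMD routes the peer's inside network via vt-PEER_NAME.
# Returns 1 when it routes the gateway's own inside network (which would pull
# local LAN traffic into the tunnel) or names some other interface.
check_route() {
    case "$4" in
        *"-net $1 "*) return 1 ;;                 # own subnet: wrong
        *"-net $3 "*"dev vt-$2"*) return 0 ;;     # peer subnet via peer VTI
        *) return 1 ;;
    esac
}

# check_vti_pair A_LOCAL A_PEER B_LOCAL B_PEER
# Returns 0 when the two VTIs mirror each other: A's peer address is B's
# local address and vice versa. Returns 1 otherwise.
check_vti_pair() {
    [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

# Topology from the post (example values, constructed for this script).
SITEA_INSIDE=10.1.1.0; SITEA_VTI=22.22.22.1
SITEB_INSIDE=10.1.2.0; SITEB_VTI=22.22.22.2
MASK=255.255.255.0

# Commands to run on Site A's CLI.
site_a_cmds() {
    vti_cmd "$SITEA_VTI" "$SITEB_VTI" SiteB
    route_cmd "$SITEB_INSIDE" "$MASK" SiteB
}

# Commands to run on Site B's CLI.
site_b_cmds() {
    vti_cmd "$SITEB_VTI" "$SITEA_VTI" SiteA
    route_cmd "$SITEA_INSIDE" "$MASK" SiteA
}

site_a_cmds
site_b_cmds
```

Run it as `sh vti-routes.sh` to print both sites' command lists. check_route rejects a route whose destination is the gateway's own inside subnet, which is the mistake that silently breaks the LAN side rather than the tunnel, so it is worth running against any route copied from documentation before adding it with route --save.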