
Fun with routing VPNs on Checkpoint

Some useful notes from the field

There are two ways of providing routes to a Checkpoint VPN. Let's focus on Domain Based for now:

  • Domain Based VPN
  • Route Based VPN

For Domain Based VPNs you define your gateways (external, interop, actual etc.). In the course of this you set up interfaces and an encryption domain per interface. Let's say we have something like this, and look at routing and how to manage it:

Destination Host <--> router(s) <--> GW1 <---> GW2 <--> Source Host

The problem is that the destination host is X hops away from GW1. While its network may be in GW1's encryption domain, traffic from the source host will fly out of GW2's external interface via the default route, because GW2 doesn't know where the destination host is. Adding a static route on GW2 won't help, as you cannot tie the route to a VPN interface the way you can with a Route Based VPN.

Options???

  1. Convert to a Route Based VPN - fair enough
  2. Use NAT - fair enough again
  3. Use $FWDIR/conf/vpn_route.conf on your management server to add a route to the VPN (this becomes a VPN route, not a kernel route, BTW)

Check the Site to Site VPN Admin Guide for the syntax for your Checkpoint version. Once done you will need to push policy to apply the change to your gateways. All of this is well documented; for reference, here are a few tools/commands to help with debugging.

Debug - shows what happens to the packet (which packets the gateway drops, and why; the grep narrows it to lines mentioning "ip"):

fw ctl zdebug drop | grep ip

Showing Encryption Domains on a Gateway - paste this lot into the CLI (the original one-liner, broken across lines with comments; it pastes into bash unchanged):

# Only run on a firewall module, not on a management server
if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then
  echo; tput bold; tput setab 1; echo ' Not a firewall gateway! '; tput sgr0; echo
else
  if [[ `grep R80.40 /etc/cp-release | wc -l` != 0 ]]; then
    echo; tput bold; tput setab 1; echo -n ' Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool! '; tput sgr0; echo
  fi
  # Each vpn_routing row carries three 32-bit hex values (start, end, gateway);
  # split them into bytes, render as dotted decimal, then group by gateway
  fw tab -t vpn_routing -u |
  awk 'NR>3 {$0=substr($0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' |
  xargs printf "%d.%d.%d.%d %d.%d.%d.%d %d.%d.%d.%d\n" |
  awk '{print $3"."$1" - "$2}' |
  sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -k 5,5n -k 6,6n -k 7,7n -k 8,8n |
  sed 's/^/x/' |
  sed 's/\./\n\t/4' |
  awk '!x[$0]++' |
  sed '/x/s/$/\n\tEncryption domain/' |
  sed 's/x/\nVPN Gateway > /' |
  if [[ $(cat /etc/cp-release) != *"Embedded"* ]]; then
    egrep -C 9999 --color=auto $'VPN Gateway|Encryption domain'
  else
    # Embedded has no colour support; just strip the leading tabs
    # (the original used "cat $1 | sed", which only worked because $1 was empty)
    sed 's/^\t//'
  fi
  echo
fi
if [[ `grep R80.40 /etc/cp-release | wc -l` != 0 ]]; then
  tput bold; tput setab 1; echo -n ' Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool! '; tput sgr0; echo; echo
fi

Example output showing topology:

VPN Gateway > 100.100.2.155
Encryption domain
100.100.2.155 - 100.100.2.155
103.23.143.142 - 103.23.143.142
172.16.3.98 - 172.16.3.98
172.18.16.0 - 172.18.16.31
172.18.16.33 - 172.18.16.33
172.18.16.64 - 172.18.16.95

VPN Gateway > 103.252.247.33
Encryption domain
10.16.1.0 - 10.16.1.255
10.16.255.0 - 10.16.255.255
10.20.3.215 - 10.20.3.215
....
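The routing problem above only applies to destinations that are actually inside the peer's encryption domain, so the first thing worth checking is whether the destination host falls into any range the gateway holds for that peer. The script below is an added example, not code from the original post or from Check Point: it decodes rows in the "<start, end; gateway>" hex layout that the one-liner above's substr/gsub steps imply (that layout is an assumption, as is the constructed sample data), prints a peer's domain in the same "start - end" shape as the output above, and answers the yes/no question for a given destination IP. It is POSIX sh, so it runs in Gaia's bash as well as a plain sh.

```shell
#!/bin/sh
# Added example (not from the original post): decode vpn_routing-style rows and
# check whether a destination IP falls inside a peer gateway's encryption domain.
# Row format "<start, end; gateway>" (three 32-bit hex values) is an assumption
# inferred from the substr/gsub steps in the one-liner above; the rows below are
# constructed sample data matching the example output, not captured from a gateway.
SAMPLE_VPN_ROUTING='<6464029b, 6464029b; 6464029b>
<ac121000, ac12101f; 6464029b>
<ac121021, ac121021; 6464029b>
<ac121040, ac12105f; 6464029b>
<0a100100, 0a1001ff; 67fcf721>'

# hex2ip 6464029b -> 100.100.2.155 (parameter expansion only, no bashisms)
hex2ip() {
    local h=$1 a b c d
    a=${h%??????}; h=${h#??}
    b=${h%????};   h=${h#??}
    c=${h%??};     d=${h#??}
    printf '%d.%d.%d.%d' "$((0x$a))" "$((0x$b))" "$((0x$c))" "$((0x$d))"
}

# ip2int 172.18.16.31 -> 2886864927, so range membership is a numeric compare
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Turn each raw row into "gateway start - end" in dotted decimal
decode_vpn_routing() {
    printf '%s\n' "$1" |
    sed -n 's/^<\([0-9a-f]*\), \([0-9a-f]*\); \([0-9a-f]*\)>.*/\1 \2 \3/p' |
    while read -r start end gw; do
        printf '%s %s - %s\n' "$(hex2ip "$gw")" "$(hex2ip "$start")" "$(hex2ip "$end")"
    done
}

# show_domain GATEWAY_IP [rows]: the encryption domain ranges behind one peer,
# in the same "start - end" shape as the example output above
show_domain() {
    decode_vpn_routing "${2:-$SAMPLE_VPN_ROUTING}" |
    awk -v gw="$1" '$1 == gw { print $2 " - " $4 }'
}

# in_encryption_domain GATEWAY_IP DEST_IP [rows]: exit 0 if DEST_IP is inside any
# range the table associates with GATEWAY_IP. A miss means the packet will not be
# matched to that VPN peer and will simply follow the kernel routing table.
in_encryption_domain() {
    local gw=$1 dest=$2 d hit
    d=$(ip2int "$dest")
    hit=$(decode_vpn_routing "${3:-$SAMPLE_VPN_ROUTING}" |
        while read -r g s dash e; do
            if [ "$g" = "$gw" ] && [ "$d" -ge "$(ip2int "$s")" ] && [ "$d" -le "$(ip2int "$e")" ]; then
                echo hit
                break
            fi
        done)
    [ "$hit" = hit ]
}

# Usage: confirm the peer's domain covers the destination before touching
# routes or vpn_route.conf. On a real gateway, feed "$(fw tab -t vpn_routing -u)"
# as the optional rows argument instead of the constructed sample.
show_domain 100.100.2.155
if in_encryption_domain 100.100.2.155 172.18.16.20; then
    echo "172.18.16.20 is in the encryption domain of 100.100.2.155"
fi
```

If the destination is not in any range for the peer, the fix is on the encryption domain definition, not on routing; if it is, the options above (route based, NAT, vpn_route.conf) are where to look.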

Showing VPN Routes on a Gateway - not supported on Gaia Embedded gateways:

fw tab -f -t vpn_routing -u

A bit ugly, so try this one from Heiko Ankenbrand instead:

# Same one-liner, split across lines with explicit quoting inside the sh -c script
# (the original relied on the inner sed quotes closing and reopening the outer string)
echo -e "\033[0m####################\n# VPN Routing      #\n####################"
# List each peer gateway once (field 8 of the table row), then print its routes
fw tab -f -t vpn_routing -u 2>&1 | grep -v "+" |
  awk '{split($0,a,";"); print a[8]}' | sort -n | uniq |
  awk '{split($0,a," "); print a[2]}' |
  xargs -I % sh -c '
    echo -n "External Gateway: "; echo -e "\033[0;31m % \033[37m"
    echo -e "  Routing: \033[32m"
    fw tab -f -t vpn_routing -u 2>&1 | grep % |
      awk '\''{split($0,b,";"); print b[6] b[7]}'\'' |
      sed '\''s/From://'\'' | sed '\''s/To:/-/'\'' | sort -u
    echo -e "\033[0m"'

Looks like this:

[screenshot: vpn-route]