Route-based VPN is supported on Security Gateway running on Gaia OS, SecurePlatform OS and IPSO OS (3.9 and above) only.
In addition, route-based VPNs require implementation between two Security Gateways, within the same VPN Community, with Wire Mode enabled in a satellite Community and on Center Gateways, and traffic routes between Satellite Gateways within the Community.
The Center Gateways only route traffic, therefore Stateful Inspection does not need to take place on these Gateways. Stateful Inspection does take place on the Satellite Gateways in the Community. The tunnel itself with all its properties is defined as before, by a VPN Community linking the two Gateways. The peer Gateway should also be configured with a corresponding Virtual Tunnel Interface (VTI).
Enabling route-based VPN in SmartDashboard:
Note: Route-based VPN requires an empty group (Simple Group), created and assigned as the VPN Domain.
- Go to "Manage" menu - click on "Network Objects...".
- Select the Check Point Gateway, and click on "Edit".
- Go to "Topology".
- In the "VPN Domain" section, select "Manually defined".
- Click on "..." on the right end of this field to select the desired object - click on "New..." - click on "Group" - click on "Simple Group...".
- Enter the desired name and click "OK". Do NOT assign any objects to this group.
- Click on OK to apply the settings.
- Install policy in this Security Gateway.