VPN Routing does not work and traffic to other satellites leaves in "clear" when setting up SmartLSM profile in Star Community and choosing the "To center and to other satellites through center" option
SmartProvisioning, IPSec VPN
VPN Routing does not work and traffic to other satellites leaves in "clear" when setting up SmartLSM profile in Star Community and choosing option "To center and to other satellites through center".
According to the VPN Administration Guide, when dealing with SmartLSM Security Gateways, the option "To center and to other satellites through center" should be configured manually via the $FWDIR/conf/vpn_route.conf file.
Follow the steps below to configure the VPN routing option "To center and to other satellites through center" with SmartLSM Security Gateways.
The configuration file, "vpn_route.conf", is a text file that contains the names of network objects, one route per line. The format is: Destination, Next hop router, Install on Security Gateway, Force Override (optional field). Fields must be separated by tabs, not spaces.
Be very careful when editing this file. All entries in the relevant "vpn_route.conf" must be objects that exist in the management database. The names configured in this file must match the object names exactly.
On Provider-1 / Multi-Domain Server, the relevant "vpn_route.conf" file is located in the conf/ directory of the Customer / Domain that manages the relevant Security Gateway / Cluster. The path starts with $MDSDIR/customers/<Name of Domain Management Server that manages the Security Gateway>/fw1/conf/ (the absolute path is /opt/CPmds-RXX/customers/<Name of Domain Management Server that manages the Security Gateway>/.../conf/).
The "vpn_route.conf" file has to be edited only on the Security Management Server. Its contents are transferred to the Security Gateway during policy installation. Note: In a Management HA environment, this procedure must be performed only on the Primary Management Server (changes are automatically synchronized to the Secondary Management Server).
The "vpn_route.conf" file has to be edited in a plain-text editor (Vi on Unix-based OS; Notepad/Notepad++ on Windows OS).
All changes to the "vpn_route.conf" file are overwritten when upgrading to a new version. Therefore, before the upgrade, back up this file. After the upgrade, all the changes have to be made again manually. Do not copy the old file over the new one, because the syntax and the content change between versions.
Connect to the command line of the Security Management Server / Provider-1 Server / Multi-Domain Security Management Server that manages this Security Gateway / Cluster (over SSH, or console).
Log in to Expert mode.
On Provider-1 Server / Multi-Domain Security Management Server, switch to the context of the involved CMA / Domain Management Server: [Expert@HostName]# mdsenv <Name or IP address of Domain Management Server>
Back up the current "vpn_route.conf" file:
Note: Here, as an example, we work with the $FWDIR/conf/vpn_route.conf file on the Security Management Server.
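The two helpers below are an added example and are not Check Point's own tooling. They show the backup step above and a check of the tab-separated layout described earlier: one function copies the file aside with a timestamp, the other verifies that every non-comment line has three or four tab-separated fields and reports lines that use spaces instead of tabs (the most common editing mistake). The file path, the object names and the temporary directory used in the demo are constructed placeholders; on a real server you would point `backup_vpn_route` and `validate_vpn_route` at $FWDIR/conf/vpn_route.conf.

```shell
#!/bin/sh
# Added example (not Check Point's own code): back up a vpn_route.conf and
# check that each entry follows the documented TAB-separated layout:
#   Destination <TAB> Next hop router <TAB> Install on Gateway [<TAB> Force Override]

# validate_vpn_route FILE
# Returns 0 when every non-blank, non-comment line has 3 or 4 TAB-separated
# fields; otherwise prints each offending line to stderr and returns 1.
validate_vpn_route() {
    file="$1"
    rc=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        # Count fields with TAB as the only separator; a line typed with
        # spaces yields a single field and is rejected.
        fields=$(printf '%s\n' "$line" | awk -F'\t' '{print NF}')
        if [ "$fields" -ne 3 ] && [ "$fields" -ne 4 ]; then
            echo "line $n: expected 3 or 4 TAB-separated fields, found $fields: $line" >&2
            rc=1
        fi
    done < "$file"
    return $rc
}

# backup_vpn_route FILE
# Copies FILE to FILE_BKP_<timestamp>, preserving permissions, and prints
# the backup path so the caller can record it.
backup_vpn_route() {
    file="$1"
    bkp="${file}_BKP_$(date +%Y%m%d_%H%M%S)"
    cp -p "$file" "$bkp" && printf '%s\n' "$bkp"
}

# --- constructed demo (object names are hypothetical placeholders) ---
demo_dir=$(mktemp -d)
good="$demo_dir/vpn_route.conf"
printf 'Satellite_Net_A\tCenter_GW\tSatellite_GW_B\n'  > "$good"
printf 'Satellite_Net_B\tCenter_GW\tSatellite_GW_A\n' >> "$good"
bad="$demo_dir/vpn_route_bad.conf"
printf 'Satellite_Net_A Center_GW Satellite_GW_B\n'    > "$bad"   # spaces, not TABs

if validate_vpn_route "$good"; then echo "$good: format OK"; fi
if ! validate_vpn_route "$bad";  then echo "$bad: format errors found"; fi
backup_path=$(backup_vpn_route "$good")
echo "backup written to $backup_path"
rm -rf "$demo_dir"
```

Run the validator after every edit and before installing policy; a line it rejects is one that the management server will not interpret as intended, and a missing object name is still only caught by comparing the fields against the objects in the management database.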