VPN Routing does not work and traffic to other satellites leaves in "clear" when setting up SmartLSM profile in Star Community and choosing the "To center and to other satellites through center" option
Symptoms
  • VPN Routing does not work and traffic to other satellites leaves in "clear" when setting up SmartLSM profile in Star Community and choosing option "To center and to other satellites through center".
Cause

According to the VPN Administration Guide, when dealing with SmartLSM Security Gateways, the option "To center and to other satellites through center" should be configured manually via the $FWDIR/conf/vpn_route.conf file.


Solution

Follow the steps below to configure the VPN routing option "To center and to other satellites through center" with SmartLSM Security Gateways.

Table of Contents:

  • Introduction
  • Notes
  • Procedure
  • Related documentation

Introduction

The configuration file, "vpn_route.conf", is a text file that contains the names of network objects. The format is: Destination, Next hop router, Install on Security Gateway, Force Override (optional field). Fields must be separated by tabs.

Notes

  1. Be very careful when editing this file. All entries in the relevant "vpn_route.conf" must be objects that exist in the management database. The names configured in this file must match the object names exactly.

  2. On Provider-1 / Multi-Domain Server, the relevant "vpn_route.conf" file is located in various /opt/.../conf/ directories inside the Customer/Domain that manages the relevant Security Gateway / Cluster.
    The path starts with MDSDIR/customers/<Name of Domain Management Server that manages the Security Gateway>/fw1/conf/
    (absolute path would be - /opt/CPmds-RXX/customers/<Name of Domain Management Server that manages the Security Gateway>/.../conf/).

  3. The "vpn_route.conf" file has to be edited only on the Security Management Server. The relevant code will be transferred to the Security Gateway during policy installation.
    Note: In a Management HA environment, this procedure must be performed only on the Primary Management Server (changes will be automatically synchronized to the Secondary Management Server).

  4. The "vpn_route.conf" file has to be edited in a plain-text editor (Vi on Unix-based OS; Notepad/Notepad++ on Windows OS).

  5. All changes to the "vpn_route.conf" file will be overwritten when upgrading to a new version. Therefore, before the upgrade, these files should be backed up. After the upgrade, all the changes have to be made again manually. Do not copy the old files over the new ones, because the syntax and the content change between the versions.

 

Procedure

  1. Connect to the command line of the Security Management Server / Provider-1 Server / Multi-Domain Security Management Server that manages this Security Gateway / Cluster (over SSH, or console).

    Log in to Expert mode.

    On Provider-1 Server / Multi-Domain Security Management Server, switch to the context of the involved CMA / Domain Management Server:
    [Expert@HostName]# mdsenv <Name or IP address of Domain Management Server>

  2. Back up the current "vpn_route.conf" file:

    Note: Here, as an example, we work with the $FWDIR/conf/vpn_route.conf file on the Security Management Server.

    [Expert@HostName]# cp  $FWDIR/conf/vpn_route.conf  $FWDIR/conf/vpn_route.conf_BKP

  3. Open the current "vpn_route.conf" file in a plain-text editor:

    Note: Here, as an example, we work with the $FWDIR/conf/vpn_route.conf file on the Security Management Server.

    [Expert@HostName]# vi  $FWDIR/conf/vpn_route.conf

  4. Make the necessary changes in the file.

  5. Save the changes in the file and exit from the plain-text editor.

  6. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  7. Install the Security Policy onto Security Gateway / Cluster object.
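
A check to run between steps 5 and 6, as an added example (not part of the original article and not Check Point code): it lints "vpn_route.conf" for the tab-separated 3-or-4-field format described in the Introduction and, optionally, compares the first three fields against a list of object names, since a mistyped or space-separated entry leaves the route unmatched. The object names, the known-objects list file, and the treatment of "#" lines as comments are assumptions.

```shell
#!/bin/bash
# Added example: lint vpn_route.conf before installing policy.
# Usage: lint_vpn_route <file> [known_objects_file]
# known_objects_file (hypothetical): object names, one per line, taken from
# whatever export of the management database you already maintain.
lint_vpn_route() {
    local conf="$1" known="${2:-}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk -F'\t' -v known="$known" '
        BEGIN {
            if (known != "") {
                while ((getline name < known) > 0) objs[name] = 1
                close(known)
            }
        }
        { sub(/\r$/, "") }               # tolerate CRLF from Windows editors
        /^[ \t]*(#|$)/ { next }          # assumption: "#" lines are comments
        NF < 3 || NF > 4 {
            printf "line %d: want 3 or 4 tab-separated fields, found %d\n", NR, NF
            bad++; next
        }
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "" || $i ~ /^ | $/) {
                    printf "line %d: field %d is empty or space-padded\n", NR, i
                    bad++
                } else if (i <= 3 && known != "" && !($i in objs)) {
                    printf "line %d: \"%s\" is not a known object name\n", NR, $i
                    bad++
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$conf"
}

# Constructed sample: the second entry uses spaces instead of tabs.
sample=$(mktemp)
printf 'Sat_Nets\tCenter_GW\tSat_Profile\nSat_Nets Center_GW Sat_Profile\n' > "$sample"
lint_vpn_route "$sample" || echo "fix the entries above before installing policy"
rm -f "$sample"
```

The function returns 0 when every entry is well formed, 1 when any entry is flagged, and 2 when the file cannot be read.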

 
