topic Re: Need help with CloudGuard remote access VPN on Azure in Cloud Firewall

Solved: Need help with CloudGuard remote access VPN on Azure

RickyDan — Thu, 30 Jun 2022 03:28:26 GMT

I have a CloudGuard HA and management and my problem is remote access VPN is disconnecting roughly every 30 seconds. In the logs I can see "According to the policy the packet should not have been decrypted" is the reason tunnel test is being dropped.

Setup

Frontend subnet has NSG allowing all inbound and outbound traffic
image is R81.10
frontend eth0 leads to "external"
backend eth1 leads to "this network"
office mode configured (10.255.255.0/24)
remote access vpn domain does not contain office mode range
anti-spoofing is off on both eth0 and eth1
vpn link selection is statically NAT'd IP: public cluster VIP
outgoing VPN link is private cluster VIP

Things I tried:

Adding NAT rule as in sk106853 to translate tunnel test traffic to the public VIP to LocalGatewayExternal
Adding policy rule as in sk44075 to accept tunnel test mapped to LocalGatewayExternal
Modified (2) to also accept tunnel test to the public VIP
Turned on anti-spoofing for office mode as in sk44075. Anti-spoofing for eth0 and eth1 still off
Verified "accept control connections" and "accept remote access control connections" are checked

Solved: The public VIP has to be added to the remote access encryption domain. The other stuff in the "Things I tried" section are not needed except to make sure the implied rules in (5) are selected.

Re: Need help with CloudGuard remote access VPN on Azure

K_montalvo — Tue, 28 Jun 2022 21:04:47 GMT

Hello @RickyDan i think the issue could be using the office mode configured (10.255.255.0/24). Try using another subnet

Re: Need help with CloudGuard remote access VPN on Azure

RickyDan — Wed, 29 Jun 2022 01:19:00 GMT

Changed it to 10.10.10.0/24 and it did not work.

Re: Need help with CloudGuard remote access VPN on Azure

Nir_Shamir — Wed, 29 Jun 2022 09:45:40 GMT

what did you choose under "VPN Link Selection" ?

it should be "NATTED IP" with the Public IP of your CLUSTER VIP.

Re: Need help with CloudGuard remote access VPN on Azure

RickyDan — Wed, 29 Jun 2022 10:56:31 GMT

hi, yes that is how it is configured. forgot to put that in the post. the outgoing link is set as the private VIP.

Re: Need help with CloudGuard remote access VPN on Azure

Nir_Shamir — Wed, 29 Jun 2022 11:07:17 GMT

it need to be the Public VIP , not the private VIP.

Re: Need help with CloudGuard remote access VPN on Azure

RickyDan — Wed, 29 Jun 2022 11:14:50 GMT

hi, these are the current config for outgoing route selection. what do you recommend?

outgoing route selection:

setup:

source ip address setting:

Re: Need help with CloudGuard remote access VPN on Azure

Nir_Shamir — Wed, 29 Jun 2022 11:51:59 GMT

the outgoing is ok.

under the IPSEC VPN in the GW properties there's VPN LINK SELECTION.

what did you choose there ?

Re: Need help with CloudGuard remote access VPN on Azure

RickyDan — Wed, 29 Jun 2022 12:35:27 GMT

that is set to statically NAT'd IP: public cluster VIP