topic VPN unnumbered VTI and ClusterXL in Firewall and Security Management

VPN unnumbered VTI and ClusterXL

P_Hippelainen — Wed, 06 May 2020 13:31:29 GMT

Hi there,

I've R80.20 open server cluster env. with ClusterXL and two VPN tunnels between AWS. These are configured with Numbered VTIs.
Now I need to add one VPN tunnel with Azure and there is Route-based or Policy-based VPN available.
I've understand that Route-based should be configured with Unnumbered VTI tunnel.
I found an old Checkpoint exam question from the year 2015 and an answer is that Unnumbered VTIs are only supported VRRP HA active-passive mode.
Is this same HA restriction still valid in R80.x?
I've read the Site to Site VPN Administration Guide R80.20 and all cluster examples is only for numbered VTI.

Thanks in advance.

Re: VPN unnumbered VTI and ClusterXL

PhoneBoy — Fri, 08 May 2020 20:06:59 GMT

I've never heard of that limitation myself.
Also don't see any mention of it in current docs.

Re: VPN unnumbered VTI and ClusterXL

Timothy_Hall — Fri, 08 May 2020 21:01:33 GMT

Unnumbered VTIs are not supported on the SecurePlatform OS, which is probably what that old exam question is referring to. They are supported on the Gaia OS according to sk109045.

Re: VPN unnumbered VTI and ClusterXL

P_Hippelainen — Fri, 15 May 2020 15:06:23 GMT

I've done this at first as numbered VTI (vpnt7) but the traffic goes a little bit strange.
VPN tunnel ID = 7
Local VIP 169.254.0.1
Remote address = "Azure public IP"
Interoperable Device = "Azure public IP", VPN domain = empty group
Cluster VPN domain = empty group
Cluster Network Topology vpnt7 = leads to specific (azure VM network)

Community: Star, Prefer IKEv2..., Set Permanent (on all...comm), One VPN t.../Gw pair, Disable NAT...

Policy:
from on-premise to azure = RDP,ICMP, VPN column = int>"comm", "comm">"comm", "comm">int
from azure to on-premise = RDP,ICMP

When the RDP connection is started from an on-premise client to a Azure VM, the connection is seen coming from the Internal interface (eth'x') and decrypted.
The VM will answer back from External interface (eth'y', not tunnel) but the on-premise cluster gateway drops it as address spoofing.

When the connection is started from Azure VM it's seen coming from External interface vpnt7 and it is accepted and the on-premise client will answer back.

I've no idea why the connection from on-premise to azure seems to be OK, but the answer is as address spoofing and it's seen as separate connection.

Thanks in advance.