topic Re: Site to Site VPN no SSH access to servers in Firewall and Security Management

Site to Site VPN no SSH access to servers

Arthurs — Wed, 13 Jan 2021 14:54:22 GMT

Hello,

I'm new to checkpoint and currently I'm confused with one case.

While I'm connected to the Site A network behind Site A Gateway which is connected via Site-to-Site VPN to B Gateway I'm unable to access resources located in B network via SSH.

But resources is still reachable via https, http, icmp.
Also we have IPsec VPN configuration with Network C, and for remote VPN clients everything is working.

What I can see in logs that source: My PC, dst: Linux server, action: accept, origin: VPN Gateway, so from here everything looks just fine but in same time Linux server not receiving any connections to it.

In same time connection via RDP to Windows servers are working.

VPN Community topology is Star, and SSH is in Excluded Services.

Telnet from PC showing that port 22 is closed.

GW versions R80.30

If any other info is needed please let me know.

Br, Arthurs

Re: Site to Site VPN no SSH access to servers

Arthurs — Wed, 13 Jan 2021 15:01:38 GMT

I've checked security policy rules and all traffic and services are allowed from Network A to Network B, also I've tried to create rule for testing purposes allowing SSH service from my PC to Linux server, and again in logs I could see that these connection is accepted and correct policy number.

Regarding server firewall is disabled and it's listening for port 22 from all networks.

Re: Site to Site VPN no SSH access to servers

PhoneBoy — Wed, 13 Jan 2021 15:50:17 GMT

If SSH is listed in Excluded Services and it’s not working, maybe you need to remove it from Excluded Services?
Or the remote site needs to update their configuration so it’s added as an Excluded Service?

Re: Site to Site VPN no SSH access to servers

Bob_Zimmerman — Wed, 13 Jan 2021 15:55:55 GMT

If SSH is in Excluded Services ... then it will be excluded from the VPN and be sent in the clear. That's what that setting tells the firewall to do. If the destination is private, you won't be able to reach it over the Internet without using the VPN.

Why is SSH in the Excluded Services for the VPN? There may be a better way to meet the requirement.

Re: Site to Site VPN no SSH access to servers

Arthurs — Thu, 14 Jan 2021 06:27:35 GMT

I will try to remove it from Excluded later today and see if it will work.

What do you mean by "Or the remote site needs to update their configuration so it’s added as an Excluded Service?" The "Remote site", lets call it network B and my site Network A are connected to each other via IPsec Tunnel and using one VPN community where this setting are set, is there any other place where this configuration should be set for Network B? Both Firewalls in these networks are centrally managed.

Re: Site to Site VPN no SSH access to servers

Arthurs — Thu, 14 Jan 2021 06:32:41 GMT

I will try to remove it from Excluded Services later today and update here about results.

What do you mean by "Or the remote site needs to update their configuration so it’s added as an Excluded Service?"

Remote site is Network B, my site is Network A, they are both connected via IPsec tunnel which is a part of VPN community where this setting are set, is there any other place where I should change this configuration for Network B?

Both Firewalls are centrally managed.
I'm connecting to server private IP address, not to public gateway IP.

Re: Site to Site VPN no SSH access to servers

Arthurs — Thu, 14 Jan 2021 07:55:44 GMT

Thanks, I have removed SSH from Excluded Services and now connection is working.

I'm still not sure about what did you mean "remote site needs update their configuration" the remote site and my location are both connected via IPsec tunnel and are part of same VPN community, so they share Excluded Services list, or I understand this wrong?P.S. I have replied 2 times these morning, but replies didn't appear, I'm not sure is it some kind pre-post checks happening, but in case there will be 3 replies sorry for that.

Re: Site to Site VPN no SSH access to servers

Bob_Zimmerman — Thu, 14 Jan 2021 21:14:13 GMT

There are a lot of ways to use Check Point VPN-1 and a lot of ways to use SSH. Depending on what you want to do with either, you may need to exclude SSH, or define things more granularly with user.def.

For example, if you control both sites, you may want to exclude SSH so you can still SSH from one site to the firewall at the other site for troubleshooting even if the VPN is broken.

Re: Site to Site VPN no SSH access to servers

PhoneBoy — Fri, 15 Jan 2021 04:45:30 GMT

“Or the remote site needs to update their configuration so it’s added as an Excluded Service” assumed the site was managed/controlled by a third party.