topic Re: Both RAVPN and S2S VPN between the same pair of gateways in Firewall and Security Management

Both RAVPN and S2S VPN between the same pair of gateways

MladenAntesevic — Tue, 06 Apr 2021 10:16:54 GMT

I have one unusual scenario where two gateways, lets say GW A and GW B, have established S2S VPN tunnel, but still I have a requirement from some customers located behind GW A to have RAVPN connectivity to some servers located behind GW B. S2S VPN is running smoothly, but RAVPN could not be established. I tried to exlude HTTPS and IKE services from the S2S VPN community, but without any success. I checked the logs where I see GW B is rejecting the phase 1 from RAVPN saying:

Main Mode Failed to match proposal: Transform: AES-256, SHA1, Pre-shared secret, Group 2 (1024 bit); Reason: Wrong value for: Authentication Method

RAVPN is using different proposal than S2S and it seems that GW B cannot differentiate between IKE messages generated by GW A and between IKE generated by side-A customers since they are coming from the same public IP address.

I know this is quite unusual to have such scenario, but I am wondering is there some kind ow workaround have to handle such a situation?

Re: Both RAVPN and S2S VPN between the same pair of gateways

Markus_Genser — Tue, 06 Apr 2021 10:43:40 GMT

Hello,

this is not as uncommon as you might think.

The main reason for the failing of the RA VPN is that the RA GW sees the IKE packet coming from the peer GW, which it knows is in a VPN community, and tries to create a new S2S tunnel.

Therefore it doesn't try to match the IPSec packet with the RA process and that's why the client connection fails.

In the cases I've encountered this, I took another free public IP on (in your case) GW A and created a hide NAT with this public IP Address for the client networks and the destination the RA GW B.

This way, the client RA VPN Traffic arrives on GW B with a different source IP as the S2S communities GW A and the RA VPN will be established.

Best regards,

Markus

Re: Both RAVPN and S2S VPN between the same pair of gateways

the_rock — Tue, 06 Apr 2021 14:30:04 GMT

Just curious, what is the actual error on RA side? Does it even create a site or that fails as well?

Re: Both RAVPN and S2S VPN between the same pair of gateways

MladenAntesevic — Tue, 06 Apr 2021 14:59:08 GMT

S2S VPN tunnel is forming OK, but RAVPN is not forming because RAVPN GW is trying to establish a new S2S tunnel as @Markus_Genser already described in details. I will test his proposal, I believe it is very good idea.

Re: Both RAVPN and S2S VPN between the same pair of gateways

Markus_Genser — Tue, 06 Apr 2021 15:08:02 GMT

In a vpn debug on the RA/S2S GW, you can see an entry, that the public IP from the client RA connect belongs to a peer GW for a VPN community and it tries to establish a S2S tunnel.

That pointed me in the past to the conclusion that the RA GW misinterprets the RA connect with the S2S and lead to the workaround with the second hide NAT.

Re: Both RAVPN and S2S VPN between the same pair of gateways

the_rock — Tue, 06 Apr 2021 15:13:56 GMT

Ah ok, I see now what you are saying. One thing I find sort of odd is that I did exactly same config with 2 customers and did not see this issue at all.

Re: Both RAVPN and S2S VPN between the same pair of gateways

MladenAntesevic — Wed, 07 Apr 2021 05:10:31 GMT

In my logs I saw that RA GW is actually trying to setup another S2S as @Markus_Genser explained. Very nice idea to use hide NAT as a workaround. I will try it today and keep you posted.

Re: Both RAVPN and S2S VPN between the same pair of gateways

MladenAntesevic — Wed, 07 Apr 2021 07:22:41 GMT

It is working, thanks @Markus_Genser