topic Re: IPsec VPN [NATting intresting traffic] config help in Firewall and Security Management

IPsec VPN [NATting intresting traffic] config help

Nick_Shah — Wed, 08 Sep 2021 23:20:59 GMT

I hope you all are doing well. After googling stuffs and reading blogs this is the first time i am configuring IPSec VPN on CP. But couldn't succeed. I want to establish IPSec VPN between CP and Palo Alto. I have all configs in place on PA and have same P1 & P2 algorithms setting on both FW. But my tunnel is not coming up.

On CP side: Original IP is 192.168.1.10 --> static NAT to 10.168.1.1 when it goes over tunnel to PA side.

CP eth1 IP is : 10.11.1.1

PA eth1/2 IP is :10.12.1.1

My underlay routing has no issues. Though i cannot ping from PA eth1/2 interface but i can ping from R12 e6/2 interface to CP eth1 interface. I have disabled address spoofing and allowed ping.

While pinging from PA, CP logs shows as "Clear text packet should be encrypted"

PING LOG

Could some one please help me with config i am missing here ?

BELOW URL HAS TOPOLOGY DIAGRAM:

https://imgurupload.org/files/DFB83F1F-9386-43C0-9D6E-4FCB45D7F95F.jpeg

CONFIG SNAP:

GatewayIntresting TrafficLink SelectionNATP1_P2settings(rest all option left as it is and also both FW has same secret key)Remote NAT :10.172.0.0/24

Thanks in advance

Re: IPsec VPN [NATting intresting traffic] config help

PhoneBoy — Mon, 06 Sep 2021 20:58:06 GMT

The reason you’re getting the clear text packet should be encrypted is Scenario 3 here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108600&partition=Advanced&product=IPSec#Scenario%203

When you say the tunnel is not coming up, what precisely do you see or don’t see?

Re: IPsec VPN [NATting intresting traffic] config help

the_rock — Mon, 06 Sep 2021 22:43:51 GMT

The sk phoneboy mentioned honestly, is by far, your article number 1 when troubleshooting any sort of VPN issue with Check Point. Scenario 3 definitely matches your description.

Re: IPsec VPN [NATting intresting traffic] config help

Nick_Shah — Tue, 07 Sep 2021 17:49:28 GMT

@PhoneBoy Thankyou for taking out your precious time and replying. I have made a .docx file. Please find it attached here. It contain all screenshot . I have been troubleshooting this since 2 days now, but couldn't figure figure out the missing/incorrect thing.

Re: IPsec VPN [NATting intresting traffic] config help

PhoneBoy — Tue, 07 Sep 2021 21:28:29 GMT

Remove the blackhole routes you've configured.

Re: IPsec VPN [NATting intresting traffic] config help

Nick_Shah — Wed, 08 Sep 2021 06:32:17 GMT

@PhoneBoy Blackhole route removed

From PA i initiated tunnel , below are the logsTUNNEL INITIATED FROM PA FROM CLI

ON CP (below output is when i initiated tunnel from PA)

SITEA-GW> vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) * List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.

(Q) Quit

*******************************************

Peer 10.12.1.1 , SITEB-PA-GATEWAY SAs:

IKE SA <3b9a97149bc884dd,edfb6f9b1501ee78>

SAs of all instances:

Peer 10.12.1.1 , SITEB-PA-GATEWAY SAs:

IKE SA <1586026f8eeeba33,bdafb0a3bbc94399>
(No IPSec SAs)

But ping didn't work from either end.

Re: IPsec VPN [NATting intresting traffic] config help

Nick_Shah — Wed, 08 Sep 2021 10:42:40 GMT

I am almost close to achieve this task.

Now i am getting below log

I found below code on CP community and i ran it, below is the output.

[Expert@SITEA-GW:0]# if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/nul l` != *'1'* ]]; then echo; tput bold; tput setab 1; echo ' Not a firewall gatewa y! '; tput sgr0; echo; else if [[ `grep R80.40 /etc/cp-release | wc -l` != 0 ]]; then echo; tput bold; tput setab 1; echo -n ' Info: VPN Domain for Gateway Comm unities are currently not displayed correctly by this tool! '; tput sgr0; echo; fi; fw tab -t vpn_routing -u | awk 'NR>3 {$0=substr($0,2,28); gsub(", ", ""); gs ub("; ", ""); gsub("..", "0x& "); print}' | xargs printf "%d.%d.%d.%d %d.%d.%d.% d %d.%d.%d.%d\n" | awk '{print $3"."$1" - "$2}' | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -k 5,5n -k 6,6n -k 7,7n -k 8,8n | sed 's/^/x/' | sed 's/\./\n\t/4' | awk '!x[$0]++' | sed '/x/s/$/\n\tEncryption domain/' | sed 's/x/\nVPN Gateway > /' | if [[ $(cat /etc/cp-release) != *"Embedded"* ]]; then egrep -C 9999 --col or=auto $'VPN Gateway|Encryption domain'; else cat $1 | sed 's/^\t//'; fi; echo; fi; if [[ `grep R80.40 /etc/cp-release | wc -l` != 0 ]]; then tput bold; tput s etab 1; echo -n ' Info: VPN Domain for Gateway Communities are currently not dis played correctly by this tool! '; tput sgr0; echo; echo; fi

Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool!

VPN Gateway > 10.12.1.1
Encryption domain
10.12.1.1 - 10.12.1.1
10.172.0.0 - 10.172.0.255

VPN Gateway > 192.168.1.1
Encryption domain
10.11.1.0 - 10.11.1.0
10.11.1.1 - 10.11.1.1
10.11.1.2 - 10.11.1.63
192.168.0.253 - 192.168.0.253
192.168.1.0 - 192.168.1.0
192.168.1.1 - 192.168.1.1
192.168.1.2 - 192.168.1.255

Info: VPN Domain for Gateway Communities are currently not displayed correctly by this tool!

[Expert@SITEA-GW:0]#

Re: IPsec VPN [NATting intresting traffic] config help

796570686578 — Wed, 08 Sep 2021 11:33:02 GMT

You usually get this error with mismatches in encryption domains(interesting traffic). In your VPN Community I can see that you have defined the EncDom for Palo Alto as "All IP Adresses behind this gateway according to topology". What does the topology look like? If the 10.172.0.10 is not within the topology of the Palo Alto GW on CheckPoint side, your CP will not see it as part of the encryption domain/interesting traffic.

What I would do: Create a Network Group, put the Subnets from PA that you want to be part of the tunnel into the network group and set the Network group as your encryption domain for the PA gateway.

I am also not sure if you are missing the CP NAT Subnet in the encryption domain on the CP side. As I can see, you have 192.168.1.0/24 defined as your encryption domain - but since you NAT it, the interesting traffic will actually be the NATed Subnet. Not sure if the NAT Subnet suffices in the encryption domain or if you need the 192.168.1.0/24 aswell.

Hope this helps!

Re: IPsec VPN [NATting intresting traffic] config help

Nick_Shah — Wed, 08 Sep 2021 12:20:45 GMT

@796570686578 i currently have this. Is it possible to add multiple subnet in encryption domain? i will try adding original and natted subnet and see if it works. PFA for encryption domain

Re: IPsec VPN [NATting intresting traffic] config help

796570686578 — Wed, 08 Sep 2021 12:26:40 GMT

Hi, yes exactly you can add multiple subnet in the Encryption domain by creating a Network Group object, adding subnets to that network group and then setting the network group object as the encryption domain!

Re: IPsec VPN [NATting intresting traffic] config help

the_rock — Wed, 08 Sep 2021 12:31:34 GMT

@Nick_Shah is 100% right and also, I will throw in what I find to be config that usually works. As Nick said, add a group with all the networks you want participating in VPN and also, as far as NAT, if its supposed to take place within VPN, make sure option is checked within VPN community and also, ensure that if there are networks where nat is not supposed to take place among them, create manual nat rule to reflect that.

Hope that helps.

Re: IPsec VPN [NATting intresting traffic] config help

Nick_Shah — Wed, 08 Sep 2021 16:21:25 GMT

Indeed !! that worked, i added original and natted subnet (192.168.1.0 & 10.168.1.0/24 under object group and added that group in encryption domain. Checkpoint is bit tricky to understand/troubleshoot.

@the_rock @796570686578 @PhoneBoy Thankyou everyone for your contribution, it really helped me to understand the ipsec with nat on CP.

Re: IPsec VPN [NATting intresting traffic] config help

the_rock — Wed, 08 Sep 2021 16:47:33 GMT

Thats what so great about websites like this. No matter the issue, there is always going to be someone that can help you and give suggestions. Glad it worked! But yes, CP can be a bit tricky, specially for someone new, as many things can involve modifications you might not be accustomed to when working with other vendors. Personally, I would say thats mostly due to the fact that everything is mostly controlled by management server, where with other vendors, thats not necessarily the case.

Re: IPsec VPN [NATting intresting traffic] config help

Nick_Shah — Wed, 08 Sep 2021 18:32:41 GMT

@the_rock I am very sorry to bother you again. Though ping from PA to CP is working fine, but CP to PA is failing. NAT and Security policies are correctly configured. I tried deleting phase 1 and 2 and reinitiated tunnel from CP. Phase 1 came up but phase 2 shows below

SAs of all instances:

Peer 10.12.1.1 , SITEB-PA-GATEWAY SAs:

IKE SA <fef1591def15bc75,e45b67b52d88ed60>
(No IPSec SAs)

other troubleshooting snaps attached

Re: IPsec VPN [NATting intresting traffic] config help

the_rock — Wed, 08 Sep 2021 18:30:26 GMT

K, message me privately, we can do remote in the morning if that works? Im in EST time zone