topic Re: Site to site - Encryption Domain Question in Firewall and Security Management

Site to site - Encryption Domain Question

RichGrant — Sat, 18 Feb 2023 09:45:16 GMT

Hi all,

I'm having a problem setting up a site to site with a remote peer. This is the last one of 6 we have moved over from our ASA to the firewalls. I've typed this from my phone, sorry for the basic formatting.

The specs of the site to site are:

Remote gateway: 142.152.123.66
Remote service over HTTPS: 142.152.123.67
Local encryption domain: 192.168.199.48/28
Access is required from our 10/8 internal network.

NAT Rule, SRC:10/8 DST:142.152.123.67 HIDE: 192.168.199.49

IKEv2 is negotiating ok.

The gateway is setup with per community domains. Tried per subnet and per gateway tunnel sharing.

Community:

Local: Group 10/8 & 192.168.199.48/28
Remote: 142.152.123.67

I have lab'd it up at home with the same IPs, apart from the remote peer, and it just works.

When I fw monitor the connection, I can see the packets go to the remote peer via my external interface, OE, over udp50 after the NAT.

The work fw sends the packet after NAT to the remote gateway over UDP500 through the external interface (O).

P.s. I have read every article on 3rd party vpns. Unless I'm not understanding the fault / resolution, I can't find the answer in there.

Could it have anything to do with the remote peer and remote endpoint both being on the internet and the IPs next to eachother (supernetting)?

Thanks in advanced

Rich

Re: Site to site - Encryption Domain Question

Chris_Atkinson — Sat, 18 Feb 2023 09:38:34 GMT

sk108600 - scenario 3 might be relevant based on the NAT you've shown

Re: Site to site - Encryption Domain Question

RichGrant — Sat, 18 Feb 2023 10:13:15 GMT

Hi Chris,

Thanks for the quick response.

I have read that article many times, but never picked up on:

3rd party devices may not include their external IP addresses in their VPN domain as opposed to Check Point Security Gateway.

Is there anyway to provide this? I don't see any errors in the logs. The remote peer has been quite rigid and only blamed our setup.

Thanks

Re: Site to site - Encryption Domain Question

G_W_Albrecht — Sun, 19 Feb 2023 09:21:40 GMT

I would suggest to contact TAC to get it resolved !

Re: Site to site - Encryption Domain Question

RichGrant — Sat, 04 Mar 2023 08:16:55 GMT

I've got it working now, but I'll be truthful and admit I hadn't configured it correctly and fully understood how it works. This is what I observed.

Firstly, I didn't know their end was configured as the initiator only. This was different to my lab. When they initiated the connection, the traffic selectors weren't matching with what I had configured in the local encryption domain.

They are using policy based routing only. I had to set the community to use One VPN per subnet pair. Setting One VPN per gateway pair only offered the universal TS's for IKE Auth.

I didn't know about the Peer ID. The other s2s's didn't use it. I only found this out when using Strongswan in my lab. I sent them the peer id of the internal cluster IP and it seems to be working now.

Thankfully this was the last one of 6 s2s's moved from our ASA to CP.

Thanks

Re: Site to site - Encryption Domain Question

Vladimir — Sun, 05 Mar 2023 00:20:30 GMT

Ry configuring VPN Community | Tunnel Management | Per each pair of hosts.