topic issue on route based vpn tunnel with checkpoint VSX and AWS in Firewall and Security Management

issue on route based vpn tunnel with checkpoint VSX and AWS

kuber — Mon, 20 Mar 2023 14:10:22 GMT

HI,

I have built a VPN Site to Site tunnel between Checkpoint VSX and AWS VPN gateway, this is route based VPN tunnel.

in high level steps, what i did

1- created virtual tunnel interface VTI - using this command -

vsx_provisioning_tool -o add interface vd vs1 vpn_tunnel numbered peer AWS_Peer local y.y.y.y remote x.x.x.x tunnel_id 10

2- Added static route for AWS VPC CIDR and gateway is z.z.z.z

3- created Mesh Community in checkpoint firewall with "Blank Domain Encryption"

4- then Created ACL in firewall with VPN domain in the rule.

After completing these steps, i asked remoted end part at AWS side to initiate the traffic then

1- both side can be seen UP.

2- But traffic is is getting block on firewall with No Reason For Block.

then one thing that i noticed is- firewall traffic is coming via VTI interface while tunnel traffic is normal outbound interface of the firewall

Any advice can i fix this issue?

Also any step by step guide for building such route based VPN tunnel with AWS?

your support is much appreciated!

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

PhoneBoy — Thu, 23 Mar 2023 21:25:03 GMT

I presume you've followed the guide for setting up a VPN with Amazon VPC: https://support.checkpoint.com/results/sk/sk108958
Please show the full log card where the traffic is dropped (redact sensitive details).
Also provide version/JHF of your Check Point equipment.

I suspect some additional debugging will also illuminate the situation: https://support.checkpoint.com/results/sk/sk180488

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

Chris_Atkinson — Fri, 24 Mar 2023 11:15:27 GMT

How did you configure the static route via SmartConsole or CLI?

That said as I recall R81 and above support VTI only with dynamic routing for VSX.

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

kuber — Mon, 27 Mar 2023 10:53:54 GMT

static route conf i did via CLI via command i mentioned in my first post.

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

Chris_Atkinson — Mon, 27 Mar 2023 11:19:08 GMT

Whilst I don't see it in your post above, this approach isn't supported on VSX.

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

kuber — Mon, 27 Mar 2023 11:28:47 GMT

Hi Chris,

in high level steps, what i did

1- created virtual tunnel interface VTI - using this command -

vsx_provisioning_tool -o add interface vd vs1 vpn_tunnel numbered peer AWS_Peer local y.y.y.y remote x.x.x.x tunnel_id 10

2- Added static route for AWS VPC CIDR and gateway is z.z.z.z

3- created Mesh Community in checkpoint firewall with "Blank Domain Encryption"

4- then Created ACL in firewall with VPN domain in the rule.

After completing these steps, i asked remoted end part at AWS side to initiate the traffic then

1- both side can be seen UP.

2- But traffic is is getting block on firewall with No Reason For Block

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

Chris_Atkinson — Mon, 27 Mar 2023 11:36:00 GMT

This (step 2) doesn't show / detail the exact command used for the static route but in VSX this shouldn't be done via CLI unless it is dynamic routing.

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

kuber — Mon, 27 Mar 2023 11:37:02 GMT

i used this command where i replace the x and y by IP addresses.

vsx_provisioning_tool -o add interface vd vs1 vpn_tunnel numbered peer AWS_Peer local y.y.y.y remote x.x.x.x tunnel_id 10

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

Chris_Atkinson — Mon, 27 Mar 2023 11:39:29 GMT

That is not creating the static route but the VTI interface.

Regardless as stated above dynamic routing is needed for this to be successful.

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

kuber — Mon, 27 Mar 2023 11:52:21 GMT

yes, sorry, VTI..static route i added through smart console. where destination is VPC and gateway is what mentioned in the configuration file received from aws side

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

Chris_Atkinson — Mon, 27 Mar 2023 12:10:14 GMT

Per sk79700 before R81, VTI on VSX wasn't supported.

Configure Dynamic Routing VPN through Virtual Tunnel Interface (VTI) in VSX.

Source: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RN/Topics-RN/Whats-New.htm

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

kuber — Mon, 03 Apr 2023 10:55:09 GMT

this solution is not workable, we are using r81.10, VTI can be configured.

the problem is , traffic is passing from the configured VTI and getting block, not sure why not being accepted by firewall ACL since tunnel is showing up.

could anyone help here who has built only this type tunnel,

AWS to CP VSX gateway with routing based using VTI, blank encryption domain, and Mesh topology.

Re: issue on route based vpn tunnel with checkpoint VSX and AWS

Chris_Atkinson — Mon, 03 Apr 2023 11:18:07 GMT

Yes VTI can be configured here but it needs dynamic routing (BGP) to work on VSX.

If you've done this (not using static routes) and the issue persists please consult with TAC for troubleshooting assistance.