topic VTI tunnel not working in Firewall and Security Management

VTI tunnel not working

PankajTiwari1 — Tue, 27 Jun 2023 04:40:04 GMT

I have two firewall. one is 6200 and other 1500 SMB appliance. I have created a VTI tunnel but the tunnel is not working.

I have created simple group for vpn domain. But on SMB it can't fetch topology properly as you can see in image I have attached.

why it can't fetch the VPN reomte peer ip address?

Re: VTI tunnel not working

PhoneBoy — Tue, 27 Jun 2023 20:12:58 GMT

What is the 6200 running (Version/JHF)?
What firmware is the 1500 running?
Are both of these gateways managed by the same management? (If so, what version/JHF is managing it)
You created a VTI tunnel: following what instructions, exactly?
"I have created simple group for VPN domain" ok, but where was this configured?
"Tunnel is not working"

How did you attempt to test it?
How did you determine it "failed"?

Please provide precise troubleshooting steps taken with errors provided.

It's not clear to me if Fetch Topology should fetch the "remote IP" for the VTI peer.
You should enter that manually if it is not being fetched.
If you want to "fix" Fetch Topology, I recommend a TAC case: https://help.checkpoint.com

Re: VTI tunnel not working

PankajTiwari1 — Wed, 28 Jun 2023 04:53:08 GMT

the 6200 series running version is R81.10 JHF 95 and 1500 series version is R81.10.05.

Both gateways are managed by separate management server. Both have running version is R81.20 JHF 10.

And 6200 series appliance are in cluster.

VTI interface topology.........

I created VTI 18. For cluster I assigned IP address.... VIP- 169.254.180.15, GW1- 169.254.180.11, GW2- 169.254.180.9

For SMB 1500 series VTI IP is 169.254.180.10

For testing purposes I run the command VPN TU TLIST and it shows NO outbound SA error.

I can't enter manually maybe it fetch automatically from the firewall.

Re: VTI tunnel not working

SSlater — Wed, 28 Jun 2023 23:16:29 GMT

I don't think that a TAC case is warranted for first time implementations. --- Account Managers, and Sales Engineers on your team should be able to assist, or connect you with PS for assistance.

A few points I noticed:

- Your interfaces are set to DHCP Ranges? They should be routable.

- If the SMB Device doesn't have a static IP, ensure you have some kind of DynDNS so that we can reach it reliably, otherwise tunnel will only be reliably initiated from SMB side.

- If you've followed all the steps outlined in the Admin Guide, make sure you have routes set up.. VTI's are not community based, and will require the traffic to be actually routed out that interface.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/VPN-Tunnel-Interfaces.htm

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_AdminGuide/Topics-GAG/IPv4-Static-Routes.htm?tocpath=Network%20Management%7CIPv4%20Static%20Routes%7C_____0

Re: VTI tunnel not working

PankajTiwari1 — Fri, 30 Jun 2023 05:38:56 GMT

Thanks for your support. the issue is resolved.

Re: VTI tunnel not working

PhoneBoy — Fri, 30 Jun 2023 20:31:00 GMT

How did you resolve the issue?

Re: VTI tunnel not working

PankajTiwari1 — Mon, 03 Jul 2023 05:32:33 GMT

I'm still not getting VPN peer IP address on topology page but tunnel is working.

On the VPN domain page I have All IP addresses behind Gateway to I have selected user defined. In which I have selected empty Group and then I published and install the policy and its working.

Re: VTI tunnel not working

PhoneBoy — Mon, 03 Jul 2023 19:45:35 GMT

An empty encryption domain is normal for route-based VPNs.

Re: VTI tunnel not working

PankajTiwari1 — Tue, 11 Jul 2023 09:31:31 GMT

I know that @PhoneBoy I have empty group in VPN communities on both sides but empty group is not defined on VPN domain. When I defined empty group in vpn domain and install the policy and it worked.