topic Re: NAT-T through VPN tunnel in Firewall and Security Management

NAT-T through VPN tunnel

Scott_Paisley — Wed, 05 Jun 2024 13:05:25 GMT

We have a site-to-site checkpoint VPN

We are using VMWARE HCX to migrate some workloads through that tunnel. HCX uses NAT-T to build a VPN tunnel using whatever transport is available, which in this case happens to be a checkpoint VPN tunnel, so we are tunneling NAT-T through a checkpoint VPN tunnel.

This has been working for months.

On Friday it broke after we installed the CVE patch and rebooted all the gateways.

Here is the log message "Failure preparing tunnel creation, internal error"

We opened a ticket with TAC on Friday and spoke to an engineer who said they had seen this once before, but it was fixed by an unrelated hotfix.

On a call today with a different engineer, they said "NAT-T through a Checkpoint VPN tunnel is not supported"

I don't believe this to be true.

Is anybody else running HCX over a checkpoint VPN (or any other NAT-T traffic)?

Anybody else seen this error and know the fix?

Thanks

Re: NAT-T through VPN tunnel

the_rock — Wed, 05 Jun 2024 13:18:11 GMT

On a call today with a different engineer, they said "NAT-T through a Checkpoint VPN tunnel is not supported"

I agree with you, Im 100% positive that is NOT true.

Is it failing on phase 1 or 2?

Andy

Re: NAT-T through VPN tunnel

Scott_Paisley — Wed, 05 Jun 2024 13:19:46 GMT

the checkpoint is dropping the packets so it never gets as far as phase 1

Re: NAT-T through VPN tunnel

the_rock — Wed, 05 Jun 2024 13:24:38 GMT

Maybe this?

https://support.checkpoint.com/results/sk/sk170141

Re: NAT-T through VPN tunnel

Scott_Paisley — Wed, 05 Jun 2024 13:28:29 GMT

we have looked at that, but in this case default route is the route that should be used

we have just tried a different tunnel to a different site and it seems to be working so I guess it is supported after all

Re: NAT-T through VPN tunnel

the_rock — Wed, 05 Jun 2024 14:06:14 GMT

100% supported, it always has been. Btw, just wondering...does it make any difference if tunnel is reset from both ends? Whats the other side?

Andy

Re: NAT-T through VPN tunnel

Scott_Paisley — Wed, 05 Jun 2024 14:16:12 GMT

The broken tunnel is VMWARE HCX on both ends. This was working fine for weeks. We rebooted the checkpoint gateways and it stopped working. I beleieve the HCX tunnel was reset, but that is managed by a different team. We just built a new HCX mesh over the same checkpoint tunnel as the broken one, and it seems to be working. The strange thing is the checkpoint is definitely dropping traffic for the broken mesh, and passing traffic for the working mesh. Maybe something in the packet is messed up.

Re: NAT-T through VPN tunnel

the_rock — Wed, 05 Jun 2024 14:29:35 GMT

Can you do basic VPN debug and attach iked and vpnd files?

Andy

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

look for iked and vpnd files in $FWDIR/log dir

Re: NAT-T through VPN tunnel

Scott_Paisley — Wed, 05 Jun 2024 14:31:53 GMT

the checkpoint tunnels are up and always have been. we don't have any diagnostics from HCX. Anyway, it now seems it does work, apart from the original mesh.

Re: NAT-T through VPN tunnel

the_rock — Wed, 05 Jun 2024 14:34:47 GMT

I would say if it can be reset from that side, it may help.