https://community.checkpoint.com/t5/General-Topics/Manual-NAT-inside-a-VPN-IPsec-Tunnel/m-p/10440#M1488 <HTML><HEAD></HEAD><BODY><P>Hello guys,</P><P></P><P>I setup up a IPsec tunnel between checkpoint and a 3rd party VPN. Everything works fine without any problem.</P><P></P><P>The question is that when I connect one router (R1) to the gateway(R77.30) and put one PC(WS2012R2-4) behind the router the tunnel not worked as expected.</P><P><IMG __jive_id="79808" alt="" class="j-img-centered image-4 jive-image" height="328" src="/legacyfs/online/checkpoint/79808_Screenshot from 2019-03-05 21-42-54.png" style="display: block; margin-left: auto; margin-right: auto;" width="337" /></P><P></P><P>Behind the router I have the network 10.1.1.0/24 and I do some NAT manipulation on the gateway, like that:</P><P><IMG __jive_id="79804" alt="" class="image-1 jive-image j-img-original" src="/legacyfs/online/checkpoint/79804_Screenshot from 2019-03-05 21-19-23.png" /></P><P><BR />I want to manipulate the traffic coming from the PC 10.1.1.10 to appear in the tunnel on the other side with the Source 172.16.3.20.</P><P></P><P>I setup my firewall rule to work with the VPN Community, like that:</P><P><IMG __jive_id="79805" alt="" class="image-2 jive-image j-img-original" src="/legacyfs/online/checkpoint/79805_Screenshot from 2019-03-05 21-27-30.png" /></P><P></P><P>The VPN Domains in both sides are the Networks: 172.16.3.0/24(Checkpoint) and 172.16.1.0/24(Fortinet).</P><P></P><P>The problem is that host 10.1.1.10 cannot fire up the tunnel and all other hosts on the network 172.16.3.0/24 can setup the tunnel. I don't have the NAT disabled on the Community and the gateway and router have routes setting up for routing purposes, I don't think this is a routing issue.</P><P></P><P>I captured traffic with the wireshark from the outside interface eth0 (See the topology above), and I forced traffic through the tunnel with the PC 10.1.1.10, but nothing happened, please see below the packets:</P><P><IMG __jive_id="79809" alt="" class="image-5 jive-image j-img-original" src="/legacyfs/online/checkpoint/79809_Screenshot from 2019-03-05 21-56-05.png" /></P><P>Source NAT works fine, but I cannot setup the tunnel, why this happen?</P><P></P><P>What am I doing wrong? What is left to do?</P><P></P><P>Thanks in advanced</P></BODY></HTML> Tue, 05 Mar 2019 21:59:42 GMT Luis_Filipe 2019-03-05T21:59:42Z https://community.checkpoint.com/t5/General-Topics/Manual-NAT-inside-a-VPN-IPsec-Tunnel/m-p/10440#M1488 <HTML><HEAD></HEAD><BODY><P>Hello guys,</P><P></P><P>I setup up a IPsec tunnel between checkpoint and a 3rd party VPN. Everything works fine without any problem.</P><P></P><P>The question is that when I connect one router (R1) to the gateway(R77.30) and put one PC(WS2012R2-4) behind the router the tunnel not worked as expected.</P><P><IMG __jive_id="79808" alt="" class="j-img-centered image-4 jive-image" height="328" src="/legacyfs/online/checkpoint/79808_Screenshot from 2019-03-05 21-42-54.png" style="display: block; margin-left: auto; margin-right: auto;" width="337" /></P><P></P><P>Behind the router I have the network 10.1.1.0/24 and I do some NAT manipulation on the gateway, like that:</P><P><IMG __jive_id="79804" alt="" class="image-1 jive-image j-img-original" src="/legacyfs/online/checkpoint/79804_Screenshot from 2019-03-05 21-19-23.png" /></P><P><BR />I want to manipulate the traffic coming from the PC 10.1.1.10 to appear in the tunnel on the other side with the Source 172.16.3.20.</P><P></P><P>I setup my firewall rule to work with the VPN Community, like that:</P><P><IMG __jive_id="79805" alt="" class="image-2 jive-image j-img-original" src="/legacyfs/online/checkpoint/79805_Screenshot from 2019-03-05 21-27-30.png" /></P><P></P><P>The VPN Domains in both sides are the Networks: 172.16.3.0/24(Checkpoint) and 172.16.1.0/24(Fortinet).</P><P></P><P>The problem is that host 10.1.1.10 cannot fire up the tunnel and all other hosts on the network 172.16.3.0/24 can setup the tunnel. I don't have the NAT disabled on the Community and the gateway and router have routes setting up for routing purposes, I don't think this is a routing issue.</P><P></P><P>I captured traffic with the wireshark from the outside interface eth0 (See the topology above), and I forced traffic through the tunnel with the PC 10.1.1.10, but nothing happened, please see below the packets:</P><P><IMG __jive_id="79809" alt="" class="image-5 jive-image j-img-original" src="/legacyfs/online/checkpoint/79809_Screenshot from 2019-03-05 21-56-05.png" /></P><P>Source NAT works fine, but I cannot setup the tunnel, why this happen?</P><P></P><P>What am I doing wrong? What is left to do?</P><P></P><P>Thanks in advanced</P></BODY></HTML> Tue, 05 Mar 2019 21:59:42 GMT https://community.checkpoint.com/t5/General-Topics/Manual-NAT-inside-a-VPN-IPsec-Tunnel/m-p/10440#M1488 Luis_Filipe 2019-03-05T21:59:42Z https://community.checkpoint.com/t5/General-Topics/Manual-NAT-inside-a-VPN-IPsec-Tunnel/m-p/10441#M1489 <HTML><HEAD></HEAD><BODY><P>Try using Dead Peer Detection. It should keep the tunnel up.</P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600&amp;partition=Advanced&amp;product=IPSec" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600&amp;partition=Advanced&amp;product=IPSec">VPN Site-to-Site with 3rd party</A>&nbsp;Scenario 5.</P></BODY></HTML> Tue, 05 Mar 2019 22:45:45 GMT https://community.checkpoint.com/t5/General-Topics/Manual-NAT-inside-a-VPN-IPsec-Tunnel/m-p/10441#M1489 Vladimir 2019-03-05T22:45:45Z https://community.checkpoint.com/t5/General-Topics/Manual-NAT-inside-a-VPN-IPsec-Tunnel/m-p/10442#M1490 <HTML><HEAD></HEAD><BODY><P>Hello Luis,</P><P></P><P>as I understand your traffic capture is from eth0 and this is the external interface of your firewall.</P><P>If you did the capture with tcpdump&nbsp;you should never see the NATed packet on eth0, the packet should be decrypt.</P><P></P><P>You should add net 10.1.1.0/24 or the one host 10.1.1.10 to your local encryption domain on the CheckPoint gateway.</P><P>And in the rulebase you too need to allow this net to pass th VPN.</P><P></P><P>Wolfgang</P></BODY></HTML> Wed, 06 Mar 2019 08:03:34 GMT https://community.checkpoint.com/t5/General-Topics/Manual-NAT-inside-a-VPN-IPsec-Tunnel/m-p/10442#M1490 Wolfgang 2019-03-06T08:03:34Z https://community.checkpoint.com/t5/General-Topics/Manual-NAT-inside-a-VPN-IPsec-Tunnel/m-p/10443#M1491 <HTML><HEAD></HEAD><BODY><P>I see that you have ARP traffic from 10. network on your external Check Point interface's packet capture.</P><P>If you are building this environment in GNS, beware:) some weirdness is expected.</P></BODY></HTML> Wed, 06 Mar 2019 22:57:33 GMT https://community.checkpoint.com/t5/General-Topics/Manual-NAT-inside-a-VPN-IPsec-Tunnel/m-p/10443#M1491 Vladimir 2019-03-06T22:57:33Z