topic Re: Question about vpn/ipsec on external interface with private addresses in General Topics

Question about vpn/ipsec on external interface with private addresses

elapuente — Wed, 03 Jun 2020 15:29:24 GMT

Hello everyone!!!

We ask for the community help for solving the following configuration.

First of all, we have an ISP cluster of routers and a Checkpoint cluster. It's a very simple configuration. There is a /29 public IPs that the ISP routes to checkpoint.

ISP routers and Checkpoint are connected via a routing network, with private address (10.100.250.0/24).

So, 10.100.250.1,2,3 are the IPs on routers side, and 10.100.250.252,253,254 are the checkpoint cluster addresses. The ISP routes the public range to ip 10.100.250.254 (checkpoint virtual ip).

There is no public address on the checkpoint cluster. We have some services published with some NAT rules.

But, we want to enable the Mobile portal, and be able to create site-to-site IPSec tunnel.

The problem we have is that we cannot make "https://<publicip>/sslvpn" URL work, because there is no public ip on the Checkpoint. We cannot make NAT 1-to-1 for the firewall itself. We tried with Proxy ARP, with no success. It worked with an interface alias on one of the checkpoint, but it's not supported with ClusterXL (and cannot add another virtual ip on the external interface).

There is two possible solutions (changing interconnect network):

- 3 public ips on checkpoint cluster external interfaces and 3 public ips on router cluster

- 1 public ips on checkpoint cluster external interfaces and 3 public ips on router cluster (sk32073)

But we only have 6 public IPs, and don't want to wasted on the routing network.

is there anyone with a similar configuration?

Thank you in advance for the help!!

Best regards,

Re: Question about vpn/ipsec on external interface with private addresses

Wolfgang — Wed, 03 Jun 2020 17:51:04 GMT

@elapuente

add a new dummy clusterinterface.
You can use private IPs for the cluster members IP addresses and use one of the public IPs with /32 as virtual cluster IP. You don't need to add any routes. No traffic will be leaving this interface, but the local services are listen on this IP.
Wolfgang

Re: Question about vpn/ipsec on external interface with private addresses

elapuente — Thu, 04 Jun 2020 10:16:15 GMT

Thank you @Wolfgang , it make sense

What do you mean with a dummy cluster interface? a unused VLAN interface for example?

Best regards

Re: Question about vpn/ipsec on external interface with private addresses

Wolfgang — Thu, 04 Jun 2020 10:45:32 GMT

Yes @elapuente ,

we did this with a new VLAN interface. There is no need to use a physical interface.

You need an interface defined on the cluster with one of the public IPs.

Wolfgang

Re: Question about vpn/ipsec on external interface with private addresses

AnujPratap — Fri, 25 Jun 2021 10:51:37 GMT

Hi Wolfgang,

We have a similar setup. but doesn't have VLAN interface on firewall external interface. So can we define Public IP on Cluster IP and Gateway nodes remain as "none". Will that work?

-> CP External Int connected to Internet Router

-> But we don't have any VLAN interface on CP External Int firewall.

VPN Gateway -------> Internet-----> Internet Router -----> Checkpoint FW / VPN

Re: Question about vpn/ipsec on external interface with private addresses

Wolfgang — Fri, 25 Jun 2021 12:25:52 GMT

Yes, it's possible to set private IPs for your clusternodes in the same subnet and the virtual cluster IP defined as public IP. But with this setup it's not possible to manage your cluster from the external site.

Re: Question about vpn/ipsec on external interface with private addresses

AnujPratap — Fri, 25 Jun 2021 15:01:26 GMT

Thanks Wolfgang for your prompt response.

One more query, if you don't mind.

Do we need to do physical cabling with Clusternodes interfaces?
or
we can just configure them with the Private IP and Public IP on Cluster-VIP.

Re: Question about vpn/ipsec on external interface with private addresses

Wolfgang — Fri, 25 Jun 2021 19:50:00 GMT

@AnujPratap

I‘m not sure understanding your question.

You have to connect the physical interfaces on both nodes via a switch or direct cable to get in up state and get your cluster VIP up.

Was this your question ore something different?