topic No ssh access to VPN peer outside IP in General Topics

No ssh access to VPN peer outside IP

Vlad_Voronko — Tue, 24 Apr 2018 13:51:38 GMT

While testing a site-to-site VPN tunnel between CP80.10 and Cisco ASA, I noticed that right after I had configured the IPSec peer on CP80.10, I was no longer able to ssh to 10.0.14.101 (ASA outside IP) to manage the device. Then I looked into the logs on CP and found out that CP80.10 is trying to encrypt packets destined to ASA outside IP address 10.0.14.101. I wasn't able to find any info about this issue. Is there any way how I can disable or turn off this behavior? Screenshot of the logs in the attachment. Thanks.

Re: No ssh access to VPN peer outside IP

Marco_Valenti — Tue, 24 Apr 2018 13:58:28 GMT

quick way to solve it ? use excluded service and add ssh there , definition ip of the remote peer is part of the remote enc domain

Re: No ssh access to VPN peer outside IP

Vlad_Voronko — Tue, 24 Apr 2018 14:11:53 GMT

Hi Marco,

I considered that option but I guess enabling it would prevent me from establishing an ssh session to the equipment residing behind the ASA (which only reachable over the VPN tunnel).

Re: No ssh access to VPN peer outside IP

Brandon_Pace — Tue, 24 Apr 2018 14:17:04 GMT

sk108600 Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces

Re: No ssh access to VPN peer outside IP

G_W_Albrecht — Tue, 24 Apr 2018 14:18:16 GMT

I would suggest to consult sk25675 Customizing VPN Domain to exclude IP Address and allow clear text and sk108600 VPN Site-to-Site with 3rd party Scenario 3 !

Re: No ssh access to VPN peer outside IP

Vlad_Voronko — Tue, 24 Apr 2018 14:26:33 GMT

Günther and Brandon,

Thanks a lot I'll take a look into this.

Re: No ssh access to VPN peer outside IP

Vlad_Voronko — Tue, 24 Apr 2018 14:27:32 GMT

Brandon,

Thanks a lot I'll take a look into this.

Re: No ssh access to VPN peer outside IP

Kim_Moberg — Wed, 25 Apr 2018 04:57:18 GMT

Did you try to exclude ssh in the vpn community? And then push policy?

Of course if you need to use ssh on Remote encryption domain, that might be a challange.

Re: No ssh access to VPN peer outside IP

Gomboragchaa — Mon, 15 Mar 2021 08:40:39 GMT

Hi @G_W_Albrecht ,

What about on Scalable Platforms (Maestro). SMS is R80.40 and GW is R80.30SP.

I've tried to edit crypt.def file on Management and GW as well. But still no success.

Before I used to this SK and it works perfect and SMS, GW both were the same version..

Do you have any clue?

Re: No ssh access to VPN peer outside IP

G_W_Albrecht — Mon, 15 Mar 2021 09:41:08 GMT

Three hints:

- The "crypt.def" file has to be edited only on Security Management Server. The relevant code will be transferred to Security Gateway during policy installation. (sk98241)

- The "crypt.def" file has to be edited in plain-text editor (Vi on Unix-based OS ; Notepad/Notepad++ on Windows OS). (sk98241)

- R80.30SP should be included when $FWDIR/lib/crypt.def is edited and the policy installed. (sk98241)

If all these have been followed i would contact TAC !