topic Re: NAT46 for IPv6 Tunnel in General Topics

NAT46 for IPv6 Tunnel

StefanBauer — Tue, 10 Oct 2023 19:48:34 GMT

Hey guys,

we use R81.10. We have already establised a IPv6 tunnel between two Gaia gateways, because we have only a public IPv6 address on our 5G contract available.

Basically it works fine with the tunnel, when we use IPv6 for communication. The bad thing is, that Check Point does not support IPv4 in IPv6 tunnels. That makes it nearly useless, because we have a lot applications who are not IPv6 ready - unfortunately.

We tried to translate the IPv4 addresses in IPv6, that we can pass the tunnel. On the peer gateway we nat the addresses from IPv6 in IPv4 addresses back. That would make IPv6 transparent for the client/server communication.

Client (v4/v6) -->| fw1 (v6) | ==(v6 Tunnel)== | fw2 (NAT64)| ---> Server (v4)

Nat46 and Nat64 works fine. On the fw1 Nat46 will executed, but the packets are not entering the tunnel. Is there a solution to prior the Nat rules before the VPN rules (Policy)? NAT66 works fine in the tunnel, but the destination IPv6 is already included in the Encryption Domain.

Thanks in advance,

Best regards,

Stefan

Re: NAT46 for IPv6 Tunnel

PhoneBoy — Tue, 10 Oct 2023 21:07:15 GMT

Did you happen to include in your IPv6 Encryption Domain the IPv6 version of your IPv4 addresses?

Re: NAT46 for IPv6 Tunnel

StefanBauer — Wed, 11 Oct 2023 05:47:06 GMT

Hi PhoneBoy,

thanks for the fast response. Yes, the IPv6 addresses are in included in the Encryption Domain. Do you have still any other idea?

Destination IPv4 - 192.168.1.105 (is only in normal Access Rule)

Destination IPv6 (NAT46) - 2003:cf:825:210::105 (is inlcuded in the Endryption Domain)

If i try to connect to the IPv6 address it works fine over the IPv6 tunnel.

Re: NAT46 for IPv6 Tunnel

PhoneBoy — Wed, 11 Oct 2023 13:28:30 GMT

I'm not talking about the destination encryption domain, I'm talking about the source encryption domain.
Is the result of the NAT46 translation included in the source encryption domain?

Re: NAT46 for IPv6 Tunnel

StefanBauer — Wed, 11 Oct 2023 14:27:56 GMT

Yes, the "Xlate (NAT)" source IP address is also in the source encryption domain.

Re: NAT46 for IPv6 Tunnel

PhoneBoy — Wed, 11 Oct 2023 20:52:52 GMT

Is this a domain-based VPN or a route-based VPN?
Possible that might work with a route-based VPN, but I suspect this is unsupported.
I would open a TAC case to get confirmation: https://help.checkpoint.com

Re: NAT46 for IPv6 Tunnel

StefanBauer — Fri, 13 Oct 2023 18:08:23 GMT

TAC response:

I suspect that it may work with Route based VPN(VTI) but it is currently not supported per sk163313.
https://support.checkpoint.com/results/sk/sk163313

Re: NAT46 for IPv6 Tunnel

PhoneBoy — Fri, 13 Oct 2023 20:19:52 GMT

That SK doesn't really say it's not supported...but it doesn't say it is, either.
However, trying Route-Based VPNs (if possible) seems like the only possibility.