topic Re: Publishing an Internet service accessible through a site-to-site VPN in General Topics

Publishing an Internet service accessible through a site-to-site VPN

Vanesa_Benito_O — Sun, 09 Jun 2024 13:10:01 GMT

Hello everybody

I'm writing this post in the hope that someone has experienced the same issue. I'm trying to publish a service on the internet; the service is behind a site-to-site VPN that connects two Check Point clusters. The issue is that the request reaches the device, performs the destination NAT correctly, but the traffic is not being sent through the VPN.

In the following schema could understand better the connection that i need to realize. The external ip is static.

Based on this, i create the following in the Internet Firewall.

1. A Rule that allows communication between External IP and Public IP.

2. A NAT rule that converts the Public IP into Internal IP address.

3. In the VPN community (Both firewalls are check point managed by the same smart-1), i add the External IP address in the local domain of internet firewall.

4. And finally I have installed policy in the both firewalls, but the traffic doesnt go trough the VPN, that is currently working with other internal connections.

I have tried to perform a FW monitor and I only see the i packet, but in the smart monitor appears the initial connection from External IP to Public IP and the NATed Destination (Internal IP)

I think the issue is the internet firewall doesnt identify this traffic as VPN traffic

I dont know if i am making any mistake... any ideas?

Thank you in advance!

Re: Publishing an Internet service accessible through a site-to-site VPN

the_rock — Sun, 09 Jun 2024 13:29:25 GMT

Did you make sure encryption domains are correct?

Andy

Re: Publishing an Internet service accessible through a site-to-site VPN

Vanesa_Benito_O — Sun, 09 Jun 2024 15:11:40 GMT

Yes, the VPN works correctly, I just have added the external IP in the VPN range of internet firewall with the objetive the firewall send this traffic through VPN but without successful.

The rest of connections in the same VPN works correctly 😞

Re: Publishing an Internet service accessible through a site-to-site VPN

the_rock — Sun, 09 Jun 2024 15:27:27 GMT

Can you send the log of the traffic you are referring to? Just blur out any sensitive data.

Also, see if any of below cases may apply, as I have a gut feeling they might...specially case 3

Andy

https://support.checkpoint.com/results/sk/sk108600

Re: Publishing an Internet service accessible through a site-to-site VPN

PhoneBoy — Mon, 10 Jun 2024 14:52:55 GMT

In a domain-based VPN, the decision to encrypt is based on the source IP being included in the Encryption Domain.
Since I assume you have not included the entirety of the Internet in your encryption domain for this "Internet Gateway," it will not choose to encrypt the traffic to this external IP.
This is, therefore, expected behavior.

A route-based VPN would probably be a better use case for this.

Re: Publishing an Internet service accessible through a site-to-site VPN

Vanesa_Benito_O — Mon, 10 Jun 2024 15:00:28 GMT

Hi, The external ip is always the same, i dont include the entirety of internet but I include that external IP, so the traffic should be routed trought the VPN...

Re: Publishing an Internet service accessible through a site-to-site VPN

the_rock — Mon, 10 Jun 2024 15:02:04 GMT

I see what Phoneboy is saying about route based VPN, makes sense to me. I checked this for few customer we did this for and works perfectly.

Andy

Re: Publishing an Internet service accessible through a site-to-site VPN

PhoneBoy — Mon, 10 Jun 2024 18:21:07 GMT

I thought people were connecting to an external IP that was translated to an internal IP.
Instead, it's a specific external IP that's connecting to an internal IP (via NAT)...got it.

If I recall correctly, we do not include host objects in the calculation for Encryption Domain.
Instead of creating a host object, try creating a Network object (with a /32 subnet mask) and use that in the Encryption Domain instead.

Re: Publishing an Internet service accessible through a site-to-site VPN

Vanesa_Benito_O — Mon, 10 Jun 2024 20:14:39 GMT

Yes, I know, but this VPN is part of a star community, and change this vpn mode have a high impact. If its possible i would like to solve it using the actual VPN community.

Re: Publishing an Internet service accessible through a site-to-site VPN

Vanesa_Benito_O — Mon, 10 Jun 2024 20:34:45 GMT

I havent heared about it, but I have tried and still not working :(.

Its any way to check the negotiated SA, not the ID... I want to check somehow if the external ip added in the encyption domain is really included.

Re: Publishing an Internet service accessible through a site-to-site VPN

the_rock — Mon, 10 Jun 2024 22:07:28 GMT

You can do vpn tu list ike or vpn tu list ipsec (just type vpn tu lis (wrong spelling), but it will give all the options)

Did you verify 100% that IP is indeed included in the enc domain?

Andy

Re: Publishing an Internet service accessible through a site-to-site VPN

PhoneBoy — Mon, 10 Jun 2024 22:17:14 GMT

Probably best to debug: https://support.checkpoint.com/results/sk/sk180488