topic Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect in General Topics

Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

Blason_R — Tue, 01 Oct 2024 17:04:18 GMT

Hi Team,

Can someone please help me with my scenario?

I have two firewalls one in US and other is in India.
Both the firewalls are being managed by same mgmt server which is in India.
US firewall is managed with Public IP address
Remote access VPNs are configured on both the firewalls having office mode pools for india is 172.16.10.0/24 and US is 172.16.8.0/24
There is a separate VPN device in place which has a tunnel configured with say location M, eventually both the locations need to reach 10.10.10.0/24
Now issue is even users working from home dial in US FW and India FW and they wanted to connect to servers from 10.10.10.0/24.
I did add 10.10.10.0/24 in encryption domain so that users when they login can access the servers.
However users when they connect to India firewall they are able to access the network without issue.

But if the same user connect to US firewalls, they get a IP address from 172.16.8.0 office mode pool but unable to ping. When I do tracert to 10.10.10.10 it still shows India firewall as first hop and it does not route it through US firewall.

I have enclosed my scenario, can someone please help me on this?

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

Blason_R — Tue, 01 Oct 2024 17:25:24 GMT

Is this achievable? I mean same destination can be connected from two different firewalls as a part of encryption domain?

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

AkosBakos — Tue, 01 Oct 2024 17:27:10 GMT

Hi @Blason_R

A hope I understood the situation. My first tip would be the Encrition domains.

Did you added the 10.10.10.0/24 to both remote access ENC_DOM (UK and India)?

Does SmartLog shows someting when the ping unsuccessful on US site?
Did you double check the Ruleset?
Are there any used based rule?

Akos

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

Blason_R — Tue, 01 Oct 2024 17:35:37 GMT

Yes it is added for sure and rules are added

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

AkosBakos — Tue, 01 Oct 2024 17:41:11 GMT

And there is no user based rules? I mean that somethin is limited in the Access Role object.

And Where is the 10.10.10.10 server located?

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

Blason_R — Tue, 01 Oct 2024 17:49:31 GMT

Rules are there for Remote Access vpn users. 10.10.10.10 are at remote location where site-site tunels are created from US and india location but not from checkpoint firewall. I have two routers at each locations and route is added on checkpoint i.e. 10.10.10.0/24 NH 192.168.10.2 for US Location and 192.168.20.2 for India lcoation. So that when user dials in they will be routed to router and to 10.10.10.0 network

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

AkosBakos — Tue, 01 Oct 2024 18:21:29 GMT

Interesting. Have you done a TCPdump on the US FW? Maybe you will see someting unusal.

Now I'm out of ideas.

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

JozkoMrkvicka — Tue, 01 Oct 2024 20:50:49 GMT

You have overlapping VPN encryption domain for US and India firewalls. If you want to have partially, or fully overlapping VPN encryption domain, you should use MEP feature.

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

Blason_R — Wed, 02 Oct 2024 04:53:53 GMT

Wondering MEP canbe configured for Remote access VPN?

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

PhoneBoy — Wed, 02 Oct 2024 15:08:13 GMT

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/Content/Topics-VPNRG/MEP.htm

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

Duane_Toler — Wed, 02 Oct 2024 16:29:57 GMT

You will need to use Encryption Domains Per Community, and possibly per-peer. You also need to have specific VPN domains for each gateway's Remote Access community. Like so:

The US gateway RA VPN domain, attached to RA community, needs to include the US site networks and the 10.10.10.0/24 network.
The IN gateway RA VPN domain, attached to RA community, needs to include the IN site networks and the 10.10.10.0/24 network.

The US-to-M site-to-site VPN domain needs to include the US RA-VPN pool and the US site networks.

The IN-to-M site-to-site VPN domain needs to include the IN RA-VPN pool and the IN site networks.

On the Site M router, the crypto ACL/VPN domain attached to the US peer, needs to include the US site and RA-VPN pool.

On the Site M route, the crypto ACL/VPN domain attached to the IN peer, needs to include the IN site and RA-VPN pool.

In the access rules, you need to be sure you have sufficient rules to allow traffic flowing in all directions. If you're not using access roles for your users, then you have extra rules to consider. For the "legacy user access" rules, which are only attached to the RemoteAccess community, your destination column needs to include the Site M network.

For the site-to-site VPN rules, your source column needs to include the IP pools of the two gateways, and the destination column include the Site M network. You also will need a converse rule.

When your client connects a gateway, for Windows run "netstat -r" to make sure the client has the correct routes installed for the 10.10.10.0/24 network. Now try your ping.

FYI: until the connections are working, using tracerotue to troubleshoot a VPN will be ambiguous at best; unreliable at worst. I would never rely on traceroute as a troubleshooting command, unfortunately. Your best troubleshooting is the route table on the client and the logs in SmartConsole or "fw monitor" on the gateway.

This configuration does work; I've done it plenty of times.

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

Blason_R — Wed, 02 Oct 2024 17:32:40 GMT

This is exactly it is configured and due to overlapping encryption domain traffic is not passing through other peer.

Re: Remote Access VPN for multiple Firewalls managed by same mgmt server - unable to connect

Duane_Toler — Wed, 02 Oct 2024 17:37:08 GMT

What is your overlapping encryption domain? I'm not seeing it on the diagram you posted.