topic Re: IPSec VPN between CheckPoint and Prisma Access in General Topics

IPSec VPN between CheckPoint and Prisma Access

shauls — Mon, 30 Dec 2024 12:41:24 GMT

Hey guys,

I was asked to make a test in which I will route all internet traffic from specific subnet (for example 10.10.10.0/24) to Prisma Access.

I configured the necessary part in Prisma Access Remote Networks IPSec VPN, but what are my options in order to this in checkpoint?

I was thinking to make a VPN community in which the VPN Domain will be 0.0.0.0/0, with excluding RFC1918 addresses and CGNAT address.

Is it even possible? Are there other options?

Re: IPSec VPN between CheckPoint and Prisma Access

shauls — Mon, 30 Dec 2024 14:10:41 GMT

I am thinking that maybe Route Based VPN with PBR will be more appropriate solution, but I am not sure how to implement it.

In VTI configuration, what do I configure as remote peer ip address and local ip address? I only have Prisma Access Public IP.

Re: IPSec VPN between CheckPoint and Prisma Access

the_rock — Mon, 30 Dec 2024 14:41:08 GMT

See if below post I made about a year ago helps. I know its Azure, but would be very similar. I know Prisma is Palo Alto, if Im not mistaken. I only seen it once myself, apologies, but not familiar with it at all. But, to answer your question about route based, yes, you can follow documents I have in the link, hope it makes sense.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTTjlYV1FXMUlGQVNMfDIwNjE3OXxTVUJTQ1JJUFRJT05TfGhL#M38950

Re: IPSec VPN between CheckPoint and Prisma Access

shauls — Mon, 30 Dec 2024 14:47:57 GMT

I understand that I could just "gibberish" the VTI numbered addresses, is this correct?

Re: IPSec VPN between CheckPoint and Prisma Access

the_rock — Mon, 30 Dec 2024 14:55:49 GMT

Thats right. See below from another post while back example I gave. Message me directly if you need further explanation.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-failover-issue/m-p/155553#M26519

Re: IPSec VPN between CheckPoint and Prisma Access

the_rock — Tue, 31 Dec 2024 17:51:36 GMT

Hey @shauls , were you able to figure this out?

Andy

Re: IPSec VPN between CheckPoint and Prisma Access

shauls — Mon, 06 Jan 2025 11:33:31 GMT

I am still not sure about the "Numbered Remote Address" field. I understand that I could come up with any unique IP address for the numbered local address, but what about the remote address? I don't have such address provided to me by Prisma, unlike the AWS example.

Re: IPSec VPN between CheckPoint and Prisma Access

the_rock — Mon, 06 Jan 2025 11:34:47 GMT

Does not really matter, as long as its not used on their end.

Andy

Re: IPSec VPN between CheckPoint and Prisma Access

shauls — Thu, 09 Jan 2025 07:02:20 GMT

IT IS working. I used your text guide along with the AWS guide. I also configured PBR instead of static route.

There is only one thing that is very strange.. in Tunnel Monitoring I see the the tunnel is down, but on the Prisma side it is up and everything is working as expected.

Re: IPSec VPN between CheckPoint and Prisma Access

shauls — Thu, 09 Jan 2025 07:11:01 GMT

Never mind, I see that I configured the "permanent tunnels" option but it should only work between checkpoint gateways. I disabled it and now I see that the tunnel is up. Thanks for the help!

Re: IPSec VPN between CheckPoint and Prisma Access

the_rock — Thu, 09 Jan 2025 12:05:48 GMT

I always more rely on vpn tu or vpn tu tlist.

Andy

Re: IPSec VPN between CheckPoint and Prisma Access

koendsp — Thu, 03 Apr 2025 14:35:57 GMT

Hey @shauls I have the same issue. We are setting up a VPN tunnel with Palo Alto Prisma Access on VSX level. Only limitation on VSX is that we have to use numbered VPN since the unnumbered is not supported.

What did you do configure as LOCAL and REMOTE IP?
The local can be whatever you choose? Does it need to be a L3 interface on the FW? Or can it?

For the remote IP, does it need to come from the same subnet?
I see that @the_rock tells us that it doesn't matter? If we route for example 10.1.1.0/24 behind this VPN, the remote IP can't be from this range right?

I also see that Palo Alto can't specify a local and remote address. So at PA side, it's not used?

Re: IPSec VPN between CheckPoint and Prisma Access

the_rock — Thu, 03 Apr 2025 14:34:11 GMT

Thats right @koendsp

Re: IPSec VPN between CheckPoint and Prisma Access

koendsp — Thu, 03 Apr 2025 14:50:49 GMT

Thanks @the_rock

If you please allow me to summarize/question so I get it 100% correct:

- The Local IP can be a L3 interface on the VSX Virtual FW. Yes, but not needed you can choose another as long as it's routed/ No, it can't be a layer 3 interface.
- The local IP cannot be the PUBLIC IP that I use to setup my PHASE1. YES/NO
- The Remote IP at Palo Alto Side can be whatever, as long as it's not in the VPN domain at PA side. For example if we want to reach 10.1.1.0/24 at PA, we can't have a remote IP in this range? YES/NO

Thanks a lot!
Koen

Re: IPSec VPN between CheckPoint and Prisma Access

the_rock — Thu, 03 Apr 2025 15:12:36 GMT

Yes to all, but last one, it would supernet, so they better be different, otherwise, certain modifications are needed or nat.

Andy

Re: IPSec VPN between CheckPoint and Prisma Access

koendsp — Thu, 03 Apr 2025 15:31:04 GMT

Thanks for the help! Very much appreciated! 🙂

Re: IPSec VPN between CheckPoint and Prisma Access

the_rock — Thu, 03 Apr 2025 15:34:29 GMT

No problem. FYI, IF supernet happens, make sure below values in Guidbedit are set to FALSE.

Andy

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

Re: IPSec VPN between CheckPoint and Prisma Access

koendsp — Mon, 07 Apr 2025 10:42:20 GMT

Thanks. We have a /22 routed/used at Palo Alto side.
Could this be the reason that that we have Phase1 up but Phase 2 is having issues?

In SmartView Monitor we see the state as 'Up'.
In the 'FW monitor' on VSX we can see that we have Outgoing Encrypted packets, but we don't see them arriving at Palo Alto side.

I'm also wondering what we have to set at VPN Tunneling Sharing.
One tunnel per each pair of hots, subnet or gateway pair?

Re: IPSec VPN between CheckPoint and Prisma Access

the_rock — Mon, 07 Apr 2025 10:56:35 GMT

Definitely could be. Thats why I would make sure those guidbedit values are set to FALSE.

Btw, you set per gateway if its route based tunnel or if vpn domain is combo of hosts/subnets.

Andy