topic Re: VPN Issue - Wrong IP in General Topics

VPN Issue - Wrong IP

biskit — Thu, 07 Feb 2019 16:56:50 GMT

Hi,

I have a gateway with several VPN's on. Some via the Internet, and some routed internally via MPLS lines. These all work fine. Now I'm trying to set up a new site-to-site VPN and it isn't working.

Here's what I'm trying to do:

So my peer IP is a DMZ interface - 12.12.12.178.

I'm VPNing to remote peer IP 192.168.145.10.

On the firewall I'm routing 192.168.145.0/24 via 12.12.12.224.

Firewall-A> show route destination 192.168.145.10
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
U - Unreachable, i - Inactive
S 192.168.145.0/24 via 12.12.12.224, eth2.105, cost 0, age 279519

I have an existing VPN set up in the same way via a different DMZ interface and that works fine - although I'm reminded that we had exactly the same problem when setting that up, and I fixed it on my side. I just can't remember what I did to fix it, hence asking for help!

The problem is that the remote side is seeing me coming from the gateway's public "main IP" - shown as A.A.A.A on the diagram. In Ikeview I see IP's 192.168.145.10 and 12.12.12.178 in packets 1 to 5, then in packet 6 I'm sending my public A.A.A.A IP to the remote peer. I don't understand why?

On my gateway I've got VPN link selection set as follows, using the routing table, which is correct.

I can't really alter this otherwise existing VPN's will stop working.

Does anyone know what else I need to do to stop P1 Packet 6 sending my A.A.A.A IP instead of the correct 12.12.12.178 IP?

Thanks,

Matt

Re: VPN Issue - Wrong IP

Mark_Mitchell — Thu, 07 Feb 2019 18:58:05 GMT

Hi Matt,

I believe what you are seeing is that your gateway is sending it's Main IP as the Ike ID for the VPN tunnel and the peer not completing the process and essentially the tunnel not forming.

Do you know what the far end of the tunnel gateway is? I know on cisco ASA they can either turn off some strict checking of the Ike Id against the peer IP, or they can set the IKE to your main IP but have the peer IP as the IP that you desire.

For reference. IKE Main Mode negotiation fails with error "invalid id" when Check Point Security Gateway has ISP redundancy configured,…

Regards

Mark

Re: VPN Issue - Wrong IP

biskit — Thu, 07 Feb 2019 19:12:05 GMT

Thanks Mark Mitchell!

I found a similar solution at the same time... the last paragraph of Pg. 10 of http://dl3.checkpoint.com/paid/e8/How-To-Setup-a-site-to-site-VPN-tunnel-using-external-and-internal-NIC.pdf?HashKey=154…

The remote side allowed IKE from our public IP too, and the tunnel came straight up

Cheers,

Matt

Re: VPN Issue - Wrong IP

Mark_Mitchell — Thu, 07 Feb 2019 19:28:25 GMT

No worries Matt. Glad you got it sorted.

Regards

Mark

Re: VPN Issue - Wrong IP

David_C1 — Wed, 18 Sep 2019 18:17:59 GMT

We are about to configure something very similar -- we currently have many VPNs via the external interface of the gateway, and we are adding one which will go over an internal interface. The .pdf linked is rather old and only lists R65 - R75 as supported versions and SecurePlatform and IPSO as supported OS's. I have looked and have not found an updated version of this document, so throwing these questions out to the group:

1. Can I use "Calculate IP based on network topology" in my scenario, instead of probing (we currently used "Selected address from topology table")?

2. Do I need to create a separate VPN community?

Thanks,

Dave