How to configure VPN Remote Access on non-default Internet Link

Thiago_Mourao — Fri, 24 Apr 2020 13:43:57 GMT

Security Engineering Brazil

April, 2020

Version 02

Author:

Thiago Mourao, SE and Cyber Security Evangelist

Revision:

Henrique Moises, SE

Contents

How to configure VPN Remote Access on non-default Internet Link

Objective

Know Limitation and Requirements

Topology

Scripts

Step by Step

Objective

Configure Remote Access to respond for non-default Internet Link.

As default configuration, when the first packet arrives from the non-default internet link, gateway will check its routing table and will reply those packets using the default route and after that the packets will be sent to the interface where the default route is configured. In many cases, those packets will be blocked by the next hop due to Out of State (SYN-ACK without SYN) or due to ingress routing filter that will check that the source do not belong to that route/network.

PS: In a specific scenario this configuration might work with no further actions needed. In this scenario, the primary ISP link do not check Stateful Inspection or dot have Ingress Routing Filter to block spoofing/DDoS attacks, so in that case the security level is going to be lower, hence not recommended.

Know Limitation and Requirements

I have used static-route on this example instead of PBR that would be a more granular way to be done
I have used a wrapper for cprid_util created by @HeikoAnkenbrand (HeikoAnkenbrand) on his article on Check Mates called “GAIA - Easy execute CLI commands from management on gateways” (https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/GAIA-Easy-execute-CLI-commands-from-management-on-gateways/m-p/50764/highlight/true#M3759) to execute command on gateway from the SMS
For this PoC we assume that you already have configured a gateway with 2 (two) internet links where the first one is the default route and the second one is a backup link
For this PoC we assume that you already configured Remote Access VPN (IPsec or Mobile Access) to respond with the IP of the secondary internet link

Topology

In this lab we are using R80.40 on both Security Gateway and Manager, and they were virtualized on VMware Workstation 12.

Virtual Environment:

1 x Check Point Gateway R80.40
1 x Check Point Manager R80.40
1 x Microsoft Windows Server 2012 R2
1 x Windows 7 Ultimate
4 x Virtual Routers (VyOS)

Host Environment:

1 x Notebook (Windows Professional) with VMWare Workstation 12

NAT:

In this topology, Router RT_301 is doing source NAT FROM: 192.168.250.1 TO: 200.251.0.1

Scripts

FirstTimeSetup.sh

This script will prepare the environment to be run for the first time.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/.CPprofile.sh
#Script Directory
EXECDIR="/home/admin/VPNSecondaryLink"
#User that will Execute the Scripts and Cron Job
EXECUSER="admin"

echo "First time setup"
echo "Creating all files and Gaia configuration"

echo "Creating Directories"
mkdir $EXECDIR
mkdir $EXECDIR/log
mkdir $EXECDIR/tmp

echo "Creating Files"
touch $EXECDIR/CronJob_VPNSecondaryLinkCleanUp.sh
touch $EXECDIR/VPNSecondaryLinkCleanUp.sh
touch $EXECDIR/VPNSecondaryLink_alert.sh
touch $EXECDIR/log/CronJob_VPNSecondaryLinkCleanUp.sh.log
touch /var/log/VPNSecondaryLink_alert.log

echo "Creating Symbolic Links"
ln -s /var/log/VPNSecondaryLink_alert.log $EXECDIR/log/VPNSecondaryLink_alert.log
ln -s $EXECDIR/VPNSecondaryLink_alert.sh $FWDIR/bin/VPNSecondaryLink_alert

echo "Copying Scripts to $EXECDIR"
cp ./CronJob_VPNSecondaryLinkCleanUp.sh $EXECDIR/CronJob_VPNSecondaryLinkCleanUp.sh
cp ./VPNSecondaryLink_alert.sh $EXECDIR/VPNSecondaryLink_alert.sh

echo "Changing Owner and Group"
chown $EXECUSER:bin $EXECDIR/CronJob_VPNSecondaryLinkCleanUp.sh
chown $EXECUSER:bin $EXECDIR/VPNSecondaryLink_alert.sh
chown $EXECUSER:bin $FWDIR/bin/VPNSecondaryLink_alert.sh

echo " Changing Permission"
chmod 760 $EXECDIR/CronJob_VPNSecondaryLinkCleanUp.sh
chmod 760 $EXECDIR/VPNSecondaryLink_alert.sh
chmod 760 $FWDIR/bin/VPNSecondaryLink_alert.sh

echo "Lock Database Override"
clish -c "lock database override"
echo "Adding Daily Based Recurrence for CronJob_VPNSecondaryLinkCleanUp at Cron Job to 2:00am"
clish -c 'add cron job VPNSecondaryLinkCleanUp command "/home/admin/VPNSecondaryLink/CronJob_VPNSecondaryLinkCleanUp.sh >> /home/admin/VPNSecondaryLink/log/CronJob_VPNSecondaryLinkCleanUp.sh.log 2>&1" recurrence daily time 2:00'
echo "Saving clish configuration"
clish -c "save config"

VPNSecondaryLink_alert.sh

This Script will be called by the Track field of the rule created in the SmartConsole, then the output is being parsed, creating the static route based on the source IP of the packet that hit the rule

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/.CPprofile.sh
#Script Directory
DIR="/home/admin/VPNSecondaryLink"
#User that will Execute the Scripts and Cron Job
EXECUSER="admin"

#Jump to Script Directory
cd $FWDIR/bin

#Global Variable
gateway_ip="10.0.50.100"
secondary_gw="200.200.0.102"
raw_pbr_error=0
error_msg1="Error: Object Name pattern founded on multiple Host Objects"
error_msg2="Error: Static Route alreded configure"
error_msg3="Error: Rule Name do not match"
error_msg4="Error: Object not found on management Database"
error_msg5="Error: Route Already Inserted on CleanUp Script"

echo "#### Executing VPNSecondaryLink_alert at $(date -u) ####"
[ $raw_pbr_error -gt 0 ] || {

echo "Reading input from rule"
read input
#echo "Troubleshooting enabled"
#echo $input > $DIR/tmp/VPNSecondaryLink_alert_tr.log
echo "Parsing Source Object Name"
echo "Checking if Source is using Object Name"
raw_src_name=$(echo $input | sed -n 's/.* src: $.*$; dst: .*/\1/p')
#echo "variavel raw_src_name=$raw_src_name"
echo "Checking if Source is using IP"
raw_src_ip=$(echo "$input" | grep -o -P '.{0,5}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' | grep src | sed -n 's/^src: $.*$/\1/p' )
#echo "variavel raw_src_ip=$raw_src_ip"
firstocteto=$(echo "$raw_src_ip" | sed -n 's/$^[[:digit:]]*$\..*\..*\..*/\1/p')
#echo "variavel firstocteto=$firstocteto"
if [ -z $firstocteto ] || [ $firstocteto -gt 223 ]; then
echo "Cannot match with IP parsing... Trying to find IP on Management Object Database"
raw_src_ip=$(mgmt_cli -r true show objects limit 2 offset 0 order.1.ASC "name" in.1 "name" in.2 "$raw_src_name" order.2.DESC "objId" type "host" --format json | jq '.objects[]."ipv4-address"')
if [ -z $raw_src_ip ] ; then
echo $error_msg4;
raw_pbr_error=1;
exit 1;
elif [ $(echo "$raw_src_ip" | wc -l) -gt 1 ] ; then
echo $error_msg1;
raw_pbr_error=1;
exit 1;
else
echo "IP Founded"
raw_src_ip=$(echo "$raw_src_ip"| tr -d \");
echo "Source IP: $raw_src_ip"
fi
else
echo "IP has no object in Database, using IP from Log"
echo "Source IP: $raw_src_ip"
fi
echo "Parsing Destination Object Name"
raw_dst_ip=$eth1
echo "Destination IP: $raw_dst_ip"
echo "Check if Route already exist"
if [ $(/usr/local/bin/g_cli 10.0.50.100 show configuration static-route | grep "$raw_src_ip" | wc -l) -gt 0 ] ; then
echo $error_msg2;
raw_pbr_error=1;
exit 0;
else
touch $DIR/VPNSecondaryLinkCleanUp.sh
chmod +x $DIR/VPNSecondaryLinkCleanUp.sh
echo "Creating Routing for $raw_src_ip/32"
/usr/local/bin/g_cli $gateway_ip "set static-route $raw_src_ip/32 nexthop gateway address $secondary_gw on"
echo "Checking file VPNSecondaryLinkCleanUp.sh"
if [ $(cat /tmp/VPNSecondaryLinkCleanUp.sh | grep $raw_src_ip | wc -l ) -gt 0 ] ; then
echo $error_msg5;
raw_pbr_error=1;
exit 1;
else
echo "Adding new route to VPNSecondaryLinkCleanUp.sh"
echo "/usr/local/bin/g_cli $gateway_ip set static-route $raw_src_ip/32 off" >> $DIR/VPNSecondaryLinkCleanUp.sh
fi
fi
echo "#### End of Execution of VPNSecondaryLink_alert at $(date -u) ####"
echo -e '\n\n'
exit 1;
}

CronJob_VPNSecondaryLinkCleanUp.sh

This script will be executed by the Job called VPNSecondaryLinkCleanUp on Crontab to backup current VPNSecondaryLinkCleanUp.sh to save for historical purpose and run the current VPNSecondaryLinkCleanUp.sh to Clean Up the routing table every day.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/.CPprofile.sh
#Script Directory
DIR="/home/admin/VPNSecondaryLink"
#User that will Execute the Scripts and Cron Job
EXECUSER="admin"

#Jump to Script Directory
cd $DIR
touch $DIR/VPNSecondaryLinkCleanUp.sh
if [ $(cat $DIR/VPNSecondaryLinkCleanUp.sh | wc -l ) -gt 0 ] ; then
echo "Coping old VPNSecondaryLinkCleanUp to TMP Diretory for historical purpose"
cp $DIR/VPNSecondaryLinkCleanUp.sh $DIR/tmp/VPNSecondaryLinkCleanUp-$(date +%s).txt
echo "Executing VPNSecondaryLinkCleanUp.sh to CleanUp Routes"
$DIR/VPNSecondaryLinkCleanUp.sh
echo "Erasing Old VPNSecondaryLinkCleanUp.sh"
> $DIR/VPNSecondaryLinkCleanUp.sh
else
echo "Current VPNSecondaryLinkCleanUp.sh is already empty. No routes to be cleaned"
fi

Step by Step

Copy the 3 (three) scripts to the Manager Server (SMS)

Change permission of “FirstTimeSetup.sh”

[Expert@Management:0]# chmod 760 FirstTimeSetup.sh
[Expert@Management:0]# ls –l FirstTimeSetup.sh

Execute the “FirstTimeSetup.sh”

[Expert@Management:0]# ./FirstTimeSetup.sh

Check if CRON JOB was created

[Expert@Management:0]# more /var/spool/cron/admin

Create an Access Control Rule with the following pattern:

From: ANY

To: IP_of_the_Backup_Interface (My Example: 200.200.0.100)

Services: HTTP and HTTPS

Action: Permit

Track: Log / Alert:User Alert 1

Check the Alert Commands Parameters on Global Properties → Log and Alert → Alerts:
- “Send user Defined alert no. 1 to SmartView Monitor”
- “Run UserDefined script”
  - VPNSecondaryLink_alert >> /var/log/VPNSecondaryLink_alert.log 2>&1

Creating a VPN on Remote Client using IP from the non-default interface (Ex.: Eth1 – 200.200.0.100)

Connecting to the VPN

Checking if Remote Client connected successfully and got Office Mode IP from the Pool

Checking access to internal resource (Ex.: Ubuntu Server 01)

PS: This page was created to check de IP address from Client

PPS: This is the server called Ubuntu Server 01 and its private IP is 10.100.0.101

Checking on the VPNSecondaryLink_alert.log file to see if the scripts are running

[Expert@Management:0]# tail –f log/VPNSecondaryLink_Alert.log

PS: There is a symbolic link on $EXECDIR/log/ VPNSecondaryLink_alert.log. The original file was created on /var/log/VPNSecondaryLink_alert.log

Checking the Behavior

You can see on fw monitor output that VPN Client started to send packets to 200.200.0.100 that arrived on interface Eth1 and the gateway Gw-01 responded those packets through interface Eth0. Due to Stateful Inspection on route RT_101, packets were drop and never reach the VPN Client.

When the script run a static route is inserted and then packets from gateway Gw-01 to the IP 200.250.0.1 started to be routed through interface Eth1.

After responding to TCP 80 (HTTP), visitor mode could be reached creating the site on the VPN Client.

Checking the new routing table on gateway

Gw-01> show configuration static-route

Running the Clean Up Script (CronJob_VPNSecondaryLinkCleanUp.sh)

[Expert@Management:0]# ./CronJob_VPNSecondaryLinkCleanUp.sh

Re: How to configure VPN Remote Access on non-default Internet Link

_Val_ — Fri, 17 Apr 2020 14:58:43 GMT

Great stuff, @Thiago_Mourao ! Well done!

Re: How to configure VPN Remote Access on non-default Internet Link

Thiago_Mourao — Fri, 17 Apr 2020 15:01:54 GMT

Thanks Loukine!

Re: How to configure VPN Remote Access on non-default Internet Link

Braden_Bersik — Wed, 29 Apr 2020 17:36:45 GMT

Could Policy-Based Routing be used to accomplish the same goal?

Re: How to configure VPN Remote Access on non-default Internet Link

KostasGR — Tue, 26 Jan 2021 12:57:29 GMT

There is limitation between PBR and Remote Access VPN/S2S VPN...

Re: How to configure VPN Remote Access on non-default Internet Link

Martin_Hofbauer — Tue, 28 Feb 2023 01:42:13 GMT

Thank you for this nice set of scripts + documentation!

I found some flaws:
a) all provided scripts are not FW version independent: use /opt/CPshared/5.0/tmp/.CPprofile.sh to source the environment variables
b) FirstTimeSetup.sh : in this script you create a symbolic link to $FWDIR/bin/VPNSecondaryLink_alert
but later on you refer to $FWDIR/bin/VPNSecondaryLink_alert.sh ( see lines with "chown" and "chmod")

c) /usr/local/bin/g_cli (from Wolfgang) does not find all gateway IPs (line range too narrow with grep, Fix: use "grep -A 25" )

d) there is no hint about ISP redundancy feature - typically customers are using this feature, too - when having two ISP links.

An additional objective for this subject is ,that users have only 1 VPN RA site created, but if the primary IP/link goes down, it should use the second link ( failover to the secondary link automatically) - like MEP is working, (when having more than 1 GW )

topic How to configure VPN Remote Access on non-default Internet Link in SASE and Remote Access

How to configure VPN Remote Access on non-default Internet Link

Re: How to configure VPN Remote Access on non-default Internet Link

Re: How to configure VPN Remote Access on non-default Internet Link

Re: How to configure VPN Remote Access on non-default Internet Link

Re: How to configure VPN Remote Access on non-default Internet Link

Re: How to configure VPN Remote Access on non-default Internet Link