topic Re: Route-based VPN issue with DAIP third party device (Cisco 1921) in SASE and Remote Access

Route-based VPN issue with DAIP third party device (Cisco 1921)

Equipe_Reseau2 — Wed, 18 Sep 2019 12:25:52 GMT

Hello,

I've configure one of my CP cluster to do route-based VPN instead domain-based.

A ticket is open but it seems CP don't really understand the issue.

So my configuration is:

- Cluster CP (OpenServer) R80.10 Take 214

- Cisco 1921 IOS 15.5 (4G modem with IPSec support APN/public IP)

My need is a route-based VPN between my Cluster and this router.

My issue is: all is working fine if i set the public IP for this third party device, GRE over IPsec is working fine. If i set this object in DAIP, with wan interface configured as Dynamic IP in its topology, IPsec tunnel is up but there is no GRE traffic inside.

On the CP log tracker, the "VPN peer Gateway" field have the right name (rt-lte-xxx) and public IP when i set public IP on the object, but in DAIP mode, only 0.0.0.19 is visible, nothing else.

I think Checkpoint can't retrieve the object name/dynamic IP address when packet is routing thought VTI interface.

Anyone here is able to route-based VPN trafic with Third party object in DAIP mode?

Thanks.

Re: Route-based VPN issue with DAIP third party device (Cisco 1921)

PhoneBoy — Fri, 20 Sep 2019 02:43:38 GMT

I assume if you're doing DAIP that you're authenticating with certificates.
Have you done any debugging or opened a TAC case?

Re: Route-based VPN issue with DAIP third party device (Cisco 1921)

Equipe_Reseau2 — Fri, 20 Sep 2019 06:06:01 GMT

Hi,

Yes i use certificate, it works fine. As i explain, if i set the third party device on public fixed IP, it works fine.

I had only one session with Checkpoint support but the technician (couldn't be an engineer), first told me that GRE is not supported by Checkpoint, he don't know the route-based VPN is IPsec over GRE.

IPsec debug don't give anything as this layer works fine.

If you have some command for debugging GRE in Checkpoint, i take it !

Thanks.

Re: Route-based VPN issue with DAIP third party device (Cisco 1921)

G_W_Albrecht — Fri, 20 Sep 2019 07:00:21 GMT

This is documented in sk92845: Can users create a GREtunnel on Gaia OS?

and sk157893: Check Point recommendations for tunneling through IPsec instead of GRE)

The main GRE performance disadvantages can be found in sk32578: SecureXL Mechanism and sk105119: Best Practices - VPN Performance.

Re: Route-based VPN issue with DAIP third party device (Cisco 1921)

Equipe_Reseau2 — Tue, 17 Dec 2019 14:39:06 GMT

Update: a TAC is open since September, the issue has not been understood by level 1 technicien during more than two month, an escalation was impossible, i was upset...
Now, after 3 month, i received a 1st fix, doesn't worked. I've done a lot of debug with script provided by CP, i'm waiting some news...