topic Re: Private (RFC 1918) networks encrypted en routed via VPN in SASE and Remote Access

Private (RFC 1918) networks encrypted en routed via VPN

Johan_Klasson — Mon, 07 Sep 2020 14:19:55 GMT

Hi,

I have a problem with a Remote Access setup via IPsec where I can't manage to get the VPN Domain setup sane (I think).

Server:
R80.20 VS Instance running on 23900 cluster.
VPN blades: IPsec VPN
Office Mode: Enabled

Client:
E83.20 on Windows 10 behind NAT

Problem:
Client connects just fine and get an IP via DHCP according to config.
But, no traffic get routed and encrypted via the tunnel.
If I disable Split Tunneling, and enable "Encrypt all traffic and route to gateway" on client,
all non-RFC 1918 networks get routed via the tunnel.
I can also see broadcast traffic and tunnel_test from the VPN network in the FW logs.
Also, when I do "route print" on the client, a huge amount of routes have been added.

Question:
Any pointers how to resolve this?

Best Regards,
Johan Klasson

Re: Private (RFC 1918) networks encrypted en routed via VPN

PhoneBoy — Mon, 07 Sep 2020 16:17:02 GMT

What is your precise Encryption Domain set to?
You can set a different one for Remote Access than for site-to-site VPN.

”Route all traffic” literally routes all traffic from the VPN client through the encryption domain which means you’ll see routes for all RFC1918 addresses on the client as well.

Re: Private (RFC 1918) networks encrypted en routed via VPN

Johan_Klasson — Tue, 08 Sep 2020 06:34:12 GMT

Thanks PhoneBoy for taking the time.

The Encryption Domain is set to the VPN network.
I tried setting it specifically for Remote Access, but with the same result -> fail.
Also, I really want no Split Routing so it's strange that only external "public" IP ranges get through the tunnel but not private?
For example the 10/8 network is not visible in the routing table on the client, hence it should utilize the "default" routes 0/1 and 128/1 but it seems traffic to these network hitting a blackhole.
The log indicates outbound traffic from the firewall does in fact reach the FW and get encrypted, the problem seems to be on the client side?

Re: Private (RFC 1918) networks encrypted en routed via VPN

_Val_ — Tue, 08 Sep 2020 06:43:17 GMT

By VPN networks, what do you mean? The internal networks behind VPN GW? Or something else?

Re: Private (RFC 1918) networks encrypted en routed via VPN

Johan_Klasson — Tue, 08 Sep 2020 07:00:16 GMT

Sorry, should have been more clear.
VPN network in this context is the network given to the client side and used to connect to LAN/WAN via the tunnel.
Maybe Office Mode Network is a better term?

It may also be worth mention the Remote Access community i also used by another GW running R77.30.
I just noticed the "Credentials are needed for a secondary tunnel connection" where the GW is this other GW:
Can the problem be it using this GW instead of the intended one?

Re: Private (RFC 1918) networks encrypted en routed via VPN

PhoneBoy — Mon, 14 Sep 2020 03:20:32 GMT

I'm having trouble understanding what your actual configuration is.
Let's focus on the Remote Access encryption domain should be.
This should include all the networks behind your gateway that you wish for your client to be able to access.
There will also have to be relevant Access Policy rules to allow this in addition.
If there are networks available that you wish for your clients to access that are available from a Site-to-Site VPN peer, those networks must also be included in the Remote Access encryption domain.
Further, the remote end will need to include your Office Mode IP address range as part of the encryption domain on their end.
Your network should also know to route the Office Mode address range to the relevant gateway.

It's going to be difficult to troubleshoot this without posting private information on the community.
Therefore, your best bet is to engage with the TAC.

Re: Private (RFC 1918) networks encrypted en routed via VPN

Johan_Klasson — Mon, 14 Sep 2020 11:38:08 GMT

It has been solved.

After much trial-and-error from TAC, they asked me to download and test an earlier version of the client.
And behold, it actually started working 🙂

E81.40 worked but NOT the newer E83.20.

Regarding the encrypt domain (VPN Domain): When using E83.20 it didn't matter. With E81.40 it does.