https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPSec-S2S-NON-RFC1918-network-behind-tunnel-endpoint/m-p/7866#M139 <HTML><HEAD></HEAD><BODY><P>VPN routing happens in the kernel, and it's not going to show up in the routing table unless you're using route-based VPNs.</P><P>You can use the CLI command vpn tu to see what tunnels are actually up and active.</P><P>The fact you're able to receive VPN traffic suggests at least part of the configuration is right.</P><P></P><P>My guess is that the traffic being NATted is also being subject to address translation out the external interface.</P><P>Since that IP is not likely in the encryption domain configuration on the remote end, the traffic is being dropped.</P><P>In which case, you'll want to put in a manual NAT rule to disable NAT when connecting to that remote subnet.</P></BODY></HTML> Wed, 25 Oct 2017 12:51:02 GMT PhoneBoy 2017-10-25T12:51:02Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPSec-S2S-NON-RFC1918-network-behind-tunnel-endpoint/m-p/7865#M138 <HTML><HEAD></HEAD><BODY><P>Hello Folks,</P><P></P><P>the following questions may be pretty simple, but I'm kind of struggling&nbsp;to figure out a&nbsp;"lowest common denominator" for googling this subject.</P><P></P><P><STRONG>My setup:</STRONG></P><P>I have an IPSEC tunnel between a Check Point 1430 (see below) and an interop device. The remote site is not under my control and uses a non-RFC1918 network behind the remote tunnel endpoint:</P><P></P><P>(172.16.10.0/24) [my CP] ---WAN-IP---===== ipsec ====---WAN-IP---[rem. INTEROP] (NON-RFC1918 as private network)</P><P></P><P>I just configured this non-RFC network (a public /24 ip subnet) as (only) part of the encryption domain.</P><P></P><UL><LI>The tunnel is active.</LI><LI>Traffic (e.g. icmp) can be sent from remote site to my site and echo-reply reaches the remote site.</LI><LI>No traffic can be initiated from my site to the remote site (no-reply) - tunnel still active.</LI></UL><P></P><P><STRONG>My assumption:</STRONG></P><P>My assumption is that Check Point just sees traffic for a public network and routes it to an interface with a public ip address or via default route, but not into the tunnel.&nbsp;</P><P></P><P><STRONG>My questions:</STRONG></P><UL><LI>Is&nbsp;this assumption somehow correct? If not - how is it done?</LI><LI><SPAN style="font-family: 'courier new', courier, monospace;">show route all <SPAN style="font-family: arial, helvetica, sans-serif;">does not show any routes for VPNs (networks behind tunnels). This seems to be normal for CP.&nbsp;Is there another command for viewing routes in conjunction with VPN sites or how is this thought/ done?</SPAN></SPAN></LI></UL><P></P><P><SPAN style="color: #333333; background-color: #ffffff;">Thanks in advance.</SPAN></P><P></P><DIV style="color: #2a3a55; background-color: #f7f9ff;"><SPAN class="">Appliance:</SPAN>Check Point 1430 Appliance</DIV><DIV style="color: #2a3a55; background-color: #f7f9ff;"><SPAN class="">Security Management:</SPAN>Locally managed</DIV><DIV style="color: #2a3a55; background-color: #f7f9ff;"><SPAN class="">Version (Firmware):</SPAN>R77.20.40 (990171107)</DIV></BODY></HTML> Wed, 25 Oct 2017 10:21:41 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPSec-S2S-NON-RFC1918-network-behind-tunnel-endpoint/m-p/7865#M138 Julius_Kaiser 2017-10-25T10:21:41Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPSec-S2S-NON-RFC1918-network-behind-tunnel-endpoint/m-p/7866#M139 <HTML><HEAD></HEAD><BODY><P>VPN routing happens in the kernel, and it's not going to show up in the routing table unless you're using route-based VPNs.</P><P>You can use the CLI command vpn tu to see what tunnels are actually up and active.</P><P>The fact you're able to receive VPN traffic suggests at least part of the configuration is right.</P><P></P><P>My guess is that the traffic being NATted is also being subject to address translation out the external interface.</P><P>Since that IP is not likely in the encryption domain configuration on the remote end, the traffic is being dropped.</P><P>In which case, you'll want to put in a manual NAT rule to disable NAT when connecting to that remote subnet.</P></BODY></HTML> Wed, 25 Oct 2017 12:51:02 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPSec-S2S-NON-RFC1918-network-behind-tunnel-endpoint/m-p/7866#M139 PhoneBoy 2017-10-25T12:51:02Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPSec-S2S-NON-RFC1918-network-behind-tunnel-endpoint/m-p/7867#M140 <HTML><HEAD></HEAD><BODY><P>I'm not sure if I got you right, but I created a manual SNAT rule that hides traffic&nbsp;to the non-RFC1918 network behind the tunnel with an arbitrary address from the local network on my site. Things are flying.</P><P></P><P>Thanks for your input Dameon!</P></BODY></HTML> Wed, 01 Nov 2017 15:15:27 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/IPSec-S2S-NON-RFC1918-network-behind-tunnel-endpoint/m-p/7867#M140 Julius_Kaiser 2017-11-01T15:15:27Z