Solved: Need help with CloudGuard remote access VPN on Azure
I have a CloudGuard HA and management and my problem is remote access VPN is disconnecting roughly every 30 seconds. In the logs I can see "According to the policy the packet should not have been decrypted" is the reason tunnel test is being dropped.
- Frontend subnet has NSG allowing all inbound and outbound traffic
- image is R81.10
- frontend eth0 leads to "external"
- backend eth1 leads to "this network"
- office mode configured (10.255.255.0/24)
- remote access vpn domain does not contain office mode range
- anti-spoofing is off on both eth0 and eth1
- vpn link selection is statically NAT'd IP: public cluster VIP
- outgoing VPN link is private cluster VIP
Things I tried:
- Adding NAT rule as in sk106853 to translate tunnel test traffic to the public VIP to LocalGatewayExternal
- Adding policy rule as in sk44075 to accept tunnel test mapped to LocalGatewayExternal
- Modified (2) to also accept tunnel test to the public VIP
- Turned on anti-spoofing for office mode as in sk44075. Anti-spoofing for eth0 and eth1 still off
- Verified "accept control connections" and "accept remote access control connections" are checked
Solved: The public VIP has to be added to the remote access encryption domain. The other stuff in the "Things I tried" section are not needed except to make sure the implied rules in (5) are selected.