This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RickyDan
Contributor
‎2022-06-28 01:52 PM

Solved: Need help with CloudGuard remote access VPN on Azure

I have a CloudGuard HA and management and my problem is remote access VPN is disconnecting roughly every 30 seconds. In the logs I can see "According to the policy the packet should not have been decrypted" is the reason tunnel test is being dropped.

Setup

  • Frontend subnet has NSG allowing all inbound and outbound traffic
  • image is R81.10
  • frontend eth0 leads to "external"
  • backend eth1 leads to "this network"
  • office mode configured (10.255.255.0/24)
  • remote access vpn domain does not contain office mode range
  • anti-spoofing is off on both eth0 and eth1
  • vpn link selection is statically NAT'd IP: public cluster VIP
  • outgoing VPN link is private cluster VIP

Things I tried:

  1. Adding NAT rule as in sk106853 to translate tunnel test traffic to the public VIP to LocalGatewayExternal
  2. Adding policy rule as in sk44075 to accept tunnel test mapped to LocalGatewayExternal
  3. Modified (2) to also accept tunnel test to the public VIP
  4. Turned on anti-spoofing for office mode as in sk44075. Anti-spoofing for eth0 and eth1 still off
  5. Verified "accept control connections" and "accept remote access control connections" are checked

Solved:  The public VIP has to be added to the remote access encryption domain. The other stuff in the "Things I tried" section are not needed except to make sure the implied rules in (5) are selected.

0 Kudos
8 Replies
K_montalvo
Advisor
‎2022-06-28 02:04 PM

Hello @RickyDan i think the issue could be using the office mode configured (10.255.255.0/24). Try using another subnet

0 Kudos
RickyDan
Contributor
‎2022-06-28 06:19 PM
In response to K_montalvo

Changed it to 10.10.10.0/24 and it did not work.

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2022-06-29 02:45 AM
In response to RickyDan

what did you choose under "VPN Link Selection" ?

it should be "NATTED IP" with the Public IP of your CLUSTER VIP.

0 Kudos
RickyDan
Contributor
‎2022-06-29 03:56 AM
In response to Nir_Shamir

hi, yes that is how it is configured. forgot to put that in the post. the outgoing link is set as the private VIP. 

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2022-06-29 04:07 AM
In response to RickyDan

it need to be the Public VIP , not the private VIP.

0 Kudos
RickyDan
Contributor
‎2022-06-29 04:14 AM
In response to Nir_Shamir

hi, these are the current config for outgoing route selection. what do you recommend?

outgoing route selection:

out-1.PNG

setup:

out-2.PNG

 

 

 

 

source ip address setting:

out-3.PNG

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2022-06-29 04:51 AM
In response to RickyDan

the outgoing is ok.

under the IPSEC VPN in the GW properties there's VPN LINK SELECTION.

what did you choose there ?

0 Kudos
RickyDan
Contributor
‎2022-06-29 05:35 AM
In response to Nir_Shamir

that is set to statically NAT'd IP: public cluster VIP

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events