networksteamIMS
Contributor

Issue with mobile access client connecting to 3rd party ipsec vpn servers

Hi all,

I have an issue with the mobile access client not connecting to 3rd party IPsec VPN servers.

[screenshot: network diagram]

Scenario:

  • We have an IPsec tunnel between the main office and a 3rd party site
  • Mobile clients are connected to the main office
  • Main office server 10.20.20.20 is able to connect to the 3rd party server 172.16.1.1
  • Mobile access client 10.10.10.10 is not able to connect to the 3rd party server 172.16.1.1
  • The mobile access client is able to go anywhere, just not to the 3rd party site via IPsec
  • Double checked that the network policy allows it, and also the NAT policy
  • But all traffic from the mobile access client 10.10.10.10 is not matching any policy and is being dropped at the bottom cleanup rule, as shown in the output from fw ctl zdebug drop

PS: running on an Open Server, R81.10 Take 181.

Anything I missed....?

Regards,

Bill.

8 Replies
simonemantovani

Hello

Could you provide some screenshots of the policies and the VPN configuration (in particular the encryption domains) for the 3rd party VPN?

networksteamIMS
Contributor

Network policy: [screenshot]

NAT: [screenshot]

VPN community: [screenshot]

Encryption domain: [screenshot]

simonemantovani (accepted solution)

First of all ... in your local encryption domain you need to add the NAT IP address (as you configured) and also the network assigned to the mobile clients (or, if applicable, 10.0.0.0/8).

And if, even after this change, the policy is not matched, then remove the VPN community from the policy.

networksteamIMS
Contributor

Thanks for your reply. I have just added them to a new network group and assigned it to the VPN community, but no luck.

By the way, my local server 10.20.20.20 is already able to reach the remote server with this setup.


Regards,

Bill.

simonemantovani

Did you also remove the VPN community from the rule?

networksteamIMS
Contributor

@simonemantovani  Legend! It worked after removing the VPN community from the policy. Don't suppose you could share why this happens?

simonemantovani

Well ... this is one of the magic things about that field ... No, I'm joking. In my opinion, the firewall wasn't matching that rule for the remote access VPN; removing the VPN community told the firewall to consider all clear traffic and also all encrypted traffic (both remote access and site-to-site VPN).

Alternatively, configuring two rules (one for remote access and one for the site-to-site VPN) would probably solve the issue.

I'm glad I could help you.
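
The behaviour described in the replies above, as an added example that is not part of this thread and not Check Point's own code: a first-match rule-base model with a VPN column, run over the two flows from the original post (office server and remote access client, both heading to 172.16.1.1). The model's assumption, not taken from Check Point documentation, is that the VPN column is compared against the community a packet was decrypted from when it arrived encrypted, and otherwise against the community it will be encrypted into; that assumption is what makes the site-to-site rule match the LAN server but not the client. Community names, rule names and the client/server subnets are constructed for the example.

```python
"""Simplified first-match rule-base model with a VPN column (added example).

Not code from this thread or from Check Point. It reproduces the behaviour the
replies describe: a rule whose VPN column names only the site-to-site community
lets the LAN server through but drops the remote access client at cleanup, and
both "VPN = Any" and a second rule per community fix it.

Assumption of this model (not Check Point documentation): the VPN column is
compared against the community a packet was decrypted FROM when it arrived
encrypted, and otherwise against the community it will be encrypted INTO.
Community names, addresses, subnets and rule names are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    decrypted_from: Optional[str]   # community the packet arrived in, None if clear
    encrypted_into: Optional[str]   # community it will leave in, None if clear

    @property
    def vpn_context(self) -> Optional[str]:
        # Assumed matching rule: the inbound community wins when the packet arrived encrypted.
        return self.decrypted_from or self.encrypted_into


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR
    dst: str        # CIDR
    vpn: str        # "Any" or a community name
    action: str     # "Accept" or "Drop"


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Source, destination and VPN column must all match; other columns are ignored here."""
    if ip_address(flow.src) not in ip_network(rule.src):
        return False
    if ip_address(flow.dst) not in ip_network(rule.dst):
        return False
    if rule.vpn != "Any" and rule.vpn != flow.vpn_context:
        return False
    return True


CLEANUP = Rule("Cleanup", "0.0.0.0/0", "0.0.0.0/0", "Any", "Drop")


def evaluate(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First match wins; the cleanup rule at the bottom catches everything else."""
    for rule in list(rulebase) + [CLEANUP]:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    raise AssertionError("unreachable: the cleanup rule matches everything")


# Constructed flows: the office server and the remote access client, both going
# to the 3rd party host 172.16.1.1 through the assumed site-to-site community.
SERVER = Flow("10.20.20.20", "172.16.1.1", None, "S2S-3rdParty")
CLIENT = Flow("10.10.10.10", "172.16.1.1", "RemoteAccess", "S2S-3rdParty")

# The original rule: VPN column restricted to the site-to-site community.
ORIGINAL = [Rule("To 3rd party", "10.0.0.0/8", "172.16.1.1/32", "S2S-3rdParty", "Accept")]
# Fix 1 from the thread: VPN column set to Any (community removed from the rule).
VPN_ANY = [Rule("To 3rd party", "10.0.0.0/8", "172.16.1.1/32", "Any", "Accept")]
# Fix 2 from the thread: one rule per community (assumed subnets).
TWO_RULES = [
    Rule("Office to 3rd party", "10.20.20.0/24", "172.16.1.1/32", "S2S-3rdParty", "Accept"),
    Rule("RA clients to 3rd party", "10.10.10.0/24", "172.16.1.1/32", "RemoteAccess", "Accept"),
]

if __name__ == "__main__":
    for label, rulebase in (("original", ORIGINAL), ("VPN=Any", VPN_ANY), ("two rules", TWO_RULES)):
        for who, flow in (("server", SERVER), ("client", CLIENT)):
            print(f"{label:10} {who:7} {flow.src} -> {flow.dst}: {evaluate(rulebase, flow)}")
```

Under this model the original rule base accepts the server flow but sends the client flow to cleanup, which is exactly the fw ctl zdebug drop symptom from the first post; either fix accepts both flows.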

CaseyB
Advisor

You need to add the third-party network to the Remote Access encryption domain.
