This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scott_Paisley
Advisor
‎2024-06-05 06:05 AM

NAT-T through VPN tunnel

Hi

We have a site-to-site checkpoint VPN

We are using VMWARE HCX to migrate some workloads through that tunnel. HCX uses NAT-T to build a VPN tunnel using whatever transport is available, which in this case happens to be a checkpoint VPN tunnel, so we are tunneling NAT-T through a checkpoint VPN tunnel.

This has been working for months.

On Friday it broke after we installed the CVE patch and rebooted all the gateways.

Here is the log message "Failure preparing tunnel creation, internal error"

We opened a ticket with TAC on Friday and spoke to an engineer who said they had seen this once before, but it was fixed by an unrelated hotfix.

On a call today with a different engineer, they said "NAT-T through a Checkpoint VPN tunnel is not supported"

I don't believe this to be true.

Is anybody else running HCX over a checkpoint VPN (or any other NAT-T traffic)?

Anybody else seen this error and know the fix?

Thanks

9 Replies
the_rock
MVP Diamond
MVP Diamond
‎2024-06-05 06:18 AM

On a call today with a different engineer, they said "NAT-T through a Checkpoint VPN tunnel is not supported"

I agree with you, Im 100% positive that is NOT true.

Is it failing on phase 1 or 2?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Scott_Paisley
Advisor
‎2024-06-05 06:19 AM
In response to the_rock

the checkpoint is dropping the packets so it never gets as far as phase 1

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-06-05 06:24 AM
In response to Scott_Paisley

Maybe this?

https://support.checkpoint.com/results/sk/sk170141

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Scott_Paisley
Advisor
‎2024-06-05 06:28 AM
In response to the_rock

we have looked at that, but in this case default route is the route that should be used

we have just tried a different tunnel to a different site and it seems to be working so I guess it is supported after all

the_rock
MVP Diamond
MVP Diamond
‎2024-06-05 07:06 AM
In response to Scott_Paisley

100% supported, it always has been. Btw, just wondering...does it make any difference if tunnel is reset from both ends? Whats the other side?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Scott_Paisley
Advisor
‎2024-06-05 07:16 AM
In response to the_rock

The broken tunnel is VMWARE HCX on both ends. This was working fine for weeks. We rebooted the checkpoint gateways and it stopped working. I beleieve the HCX tunnel was reset, but that is managed by a different team. We just built a new HCX mesh over the same checkpoint tunnel as the broken one, and it seems to be working. The strange thing is the checkpoint is definitely dropping traffic for the broken mesh, and passing traffic for the working mesh. Maybe something in the packet is messed up.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-06-05 07:29 AM
In response to Scott_Paisley

Can you do basic VPN debug and attach iked and vpnd files?

Andy

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

look for iked and vpnd files in $FWDIR/log dir

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Scott_Paisley
Advisor
‎2024-06-05 07:31 AM
In response to the_rock

the checkpoint tunnels are up and always have been. we don't have any diagnostics from HCX. Anyway, it now seems it does work, apart from the original mesh.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-06-05 07:34 AM
In response to Scott_Paisley

I would say if it can be reset from that side, it may help.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events