Hi,
I have built a site-to-site VPN tunnel between Check Point VSX and an AWS VPN gateway; this is a route-based VPN tunnel.
In high-level steps, what I did:
1- Created a virtual tunnel interface (VTI) using this command:
vsx_provisioning_tool -o add interface vd vs1 vpn_tunnel numbered peer AWS_Peer local y.y.y.y remote x.x.x.x tunnel_id 10
2- Added a static route for the AWS VPC CIDR with gateway z.z.z.z.
3- Created a Mesh Community in the Check Point firewall with "Blank Domain Encryption".
4- Then created an ACL in the firewall with the VPN domain in the rule.
After completing these steps, I asked the remote end on the AWS side to initiate the traffic; then:
1- Both sides can be seen UP.
2- But traffic is getting blocked on the firewall with no reason for the block.
One thing that I noticed is that firewall traffic is coming via the VTI interface, while tunnel traffic is on the normal outbound interface of the firewall.
Any advice on how I can fix this issue?
Also, is there any step-by-step guide for building such a route-based VPN tunnel with AWS?
Your support is much appreciated!
I presume you've followed the guide for setting up a VPN with Amazon VPC: https://support.checkpoint.com/results/sk/sk108958
Please show the full log card where the traffic is dropped (redact sensitive details).
Also provide version/JHF of your Check Point equipment.
I suspect some additional debugging will also illuminate the situation: https://support.checkpoint.com/results/sk/sk180488
How did you configure the static route, via SmartConsole or CLI?
That said, as I recall, R81 and above support VTI only with dynamic routing for VSX.
The static route config I did via CLI, via the command I mentioned in my first post.
Whilst I don't see it in your post above, this approach isn't supported on VSX.
Hi Chris,
In high-level steps, what I did:
1- Created a virtual tunnel interface (VTI) using this command:
vsx_provisioning_tool -o add interface vd vs1 vpn_tunnel numbered peer AWS_Peer local y.y.y.y remote x.x.x.x tunnel_id 10
2- Added a static route for the AWS VPC CIDR with gateway z.z.z.z.
3- Created a Mesh Community in the Check Point firewall with "Blank Domain Encryption".
4- Then created an ACL in the firewall with the VPN domain in the rule.
After completing these steps, I asked the remote end on the AWS side to initiate the traffic; then:
1- Both sides can be seen UP.
2- But traffic is getting blocked on the firewall with no reason for the block.
This (step 2) doesn't show / detail the exact command used for the static route, but in VSX this shouldn't be done via CLI unless it is dynamic routing.
I used this command, where I replaced the x and y with IP addresses.
vsx_provisioning_tool -o add interface vd vs1 vpn_tunnel numbered peer AWS_Peer local y.y.y.y remote x.x.x.x tunnel_id 10
That is not creating the static route but the VTI interface.
Regardless, as stated above, dynamic routing is needed for this to be successful.
Yes, sorry, VTI. The static route I added through SmartConsole, where the destination is the VPC and the gateway is what is mentioned in the configuration file received from the AWS side.
Per sk79700, before R81, VTI on VSX wasn't supported.
Configure Dynamic Routing VPN through Virtual Tunnel Interface (VTI) in VSX.
Source: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RN/Topics-RN/Whats-New.htm
This solution is not workable; we are using R81.10, and VTI can be configured.
The problem is, traffic is passing through the configured VTI and getting blocked; not sure why it is not being accepted by the firewall ACL since the tunnel is showing up.
Could anyone help here who has built exactly this type of tunnel:
AWS to CP VSX gateway, route-based using VTI, blank encryption domain, and Mesh topology.
Yes, VTI can be configured here, but it needs dynamic routing (BGP) to work on VSX.
If you've done this (not using static routes) and the issue persists, please consult with TAC for troubleshooting assistance.
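For readers following the thread, this is what the "dynamic routing (BGP)" that the replies point to looks like when put next to the VTI command from the original post. It is an added, constructed sketch, not configuration from the original poster, from Check Point's sk108958 guide or from any live gateway. Every specific in it is an assumed placeholder: the virtual system (vs1, ID 1), the peer object name (AWS_Peer), the inside-tunnel /30 (169.254.10.0/30, with .2 as the Check Point side and .1 as the AWS side, in the same local/remote order as the VTI command in the thread), the ASNs (65000 local, 64512 as the AWS default), the LAN interface (eth1) and the BGP timers. The clish commands are written from memory of Gaia syntax and should be checked against the Gaia Administration Guide for the installed version before use.

```clish
# Constructed example, not the original post's configuration: route-based VPN
# to AWS on a VSX virtual system, with BGP over the VTI in place of the static
# route the thread says is unsupported on VSX. All names, addresses and ASNs
# are assumed placeholders; verify each command against the Gaia Admin Guide.

# 1) VTI on vs1, run from the VSX gateway (VS0) expert shell, as in the thread.
#    The AWS configuration file supplies the inside-tunnel /30; here the
#    customer gateway side is assumed to be .2 and the AWS side .1.
vsx_provisioning_tool -o add interface vd vs1 vpn_tunnel numbered peer AWS_Peer local 169.254.10.2 remote 169.254.10.1 tunnel_id 10

# 2) BGP for vs1 in Gaia clish. Routing on VSX is configured per virtual
#    system, so enter the vs1 context before any routing command.
set virtual-system 1
set as 65000

# Peer with the AWS inside-tunnel address across the VTI.
# 64512 is the default ASN AWS assigns to a virtual private gateway (assumed).
set bgp external remote-as 64512 on
set bgp external remote-as 64512 peer 169.254.10.1 on
set bgp external remote-as 64512 peer 169.254.10.1 holdtime 30
set bgp external remote-as 64512 peer 169.254.10.1 keepalive 10

# Accept the VPC CIDR(s) that AWS advertises into vs1's routing table; this
# replaces the static route for the VPC CIDR from step 2 of the original post.
set inbound-route-filter bgp-policy 512 based-on-as as 64512 on
set inbound-route-filter bgp-policy 512 accept-all-ipv4

# Advertise the LAN behind vs1 (assumed connected on eth1) to AWS.
set route-redistribution to bgp-as 64512 from interface eth1 on

save config
```

The VPN domain of the VSX gateway object stays an empty group (the "Blank Domain Encryption" from step 3 of the original post) so that the routing table, now populated by BGP rather than by a static route, decides which traffic enters the tunnel. With the peer Established, the VPC CIDR should appear in vs1's routing table as a BGP route via the VTI; the AWS side has to be configured for dynamic (BGP) routing with the same inside-tunnel addresses and ASNs, otherwise the session never comes up even though the IKE/IPsec tunnel shows UP, which is the symptom the thread describes.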