Maria_Pologova
Collaborator

ESP packets are sourced from wrong interface

Hello all!

My problem is that the actual Phase 1 and 2 tunnels are going with the right cluster IP address as source (1.1.1.1), and the VPN tunnel gets established. But the actual ESP packets get a source of another physical interface (eth2.517, 2.2.2.2), and traffic is not reaching the Azure network from the on-prem network.

I have a TAC case created, which is already the third case, but we are not getting anywhere. So maybe anyone has an idea what could be wrong.

Setup:
Check Point on-prem:
eth1 - 1.1.1.1 - DMZ VPN IP in Link Selection (the IP that is supposed )
eth2.517 - 2.2.2.2 - External IP looking towards ISP Provider

Fortigate in Azure:
3.3.3.3 - Fortigate External IP

SXL for this VPN is off.
1.1.1.1 is also configured as outgoing source IP address.
Current route towards Fortigate in Azure points to the gateway of interface eth2.517 (2.2.2.3)
Tried to add a route via interface eth1, but it didn't make a difference.

tcpdump:
11:00:26.728559 IP 3.3.3.3.4500 > 1.1.1.1.4500: isakmp-nat-keep-alive
11:00:27.064264 IP 1.1.1.1.4500 > 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37
11:00:27.064266 IP 1.1.1.1.4500 > 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37
11:00:27.064267 IP 1.1.1.1.4500 > 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37
11:00:27.080591 IP 3.3.3.3.4500 > 1.1.1.1.4500: NONESP-encap: isakmp: phase 2/others ? #37[]
11:00:28.749675 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104
11:00:28.749677 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104
11:00:28.749677 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104
11:00:33.389009 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104
11:00:33.389011 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104
11:00:33.389011 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104
11:00:36.680128 IP 3.3.3.3.4500 > 1.1.1.1.4500: isakmp-nat-keep-alive
11:00:38.406597 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104
11:00:38.406598 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104
11:00:38.406599 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x3), length 104
11:00:43.403640 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104
11:00:43.403641 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104
11:00:43.403642 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x4), length 104
11:00:46.631720 IP 3.3.3.3.4500 > 1.1.1.1.4500: isakmp-nat-keep-alive
11:00:48.395170 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104
11:00:48.395171 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104
11:00:48.395172 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x5), length 104

fw monitor:
[vs_0][fw_0] bond12.517:i9 (tcpt inbound)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i10 (IP Options Strip (in))[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i11 (vpn multik forward in)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i12 (vpn decrypt)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i13 (l2tp inbound)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i14 (Stateless verifications (in))[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i15 (fw multik misc proto forwarding)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i16 (vpn tagging inbound)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i17 (vpn decrypt verify)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:i18 (fw VM inbound )[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I19 (vpn policy inbound)[44]: 3.3.3.3 -> 1.1.1.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I20 (fw SCV inbound)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I21 (vpn before offload)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I22 (fw offload inbound)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I23 (fw post VM inbound )[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I24 (fw accounting inbound)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I25 (RTM packet in)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I26 (passive streaming (in))[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I27 (TCP streaming (in))[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I28 (IP Options Restore (in))[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I29 (Cluster Late Correction)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:I30 (Chain End)[44]: 3.3.3.3 -> 10.97.15.1 (UDP) len=256 id=16574
[vs_0][fw_0] bond12.517:o0 (IP Options Strip (out))[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o1 (vpn multik forward out)[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o2 (vpn nat outbound)[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o3 (TCP streaming (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o4 (passive streaming (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o5 (vpn tagging outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o6 (Stateless verifications (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o7 (fw VM outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O8 (fw post VM outbound )[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O9 (vpn policy outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O10 (l2tp outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O11 (vpn encrypt)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O12 (RTM packet out)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O13 (tcpt outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O14 (fw accounting outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O15 (TCP streaming post VM)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O16 (IP Options Restore (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O17 (Cluster Local Correction)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:O23 (Chain End)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24707
[vs_0][fw_0] bond12.517:o0 (IP Options Strip (out))[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o1 (vpn multik forward out)[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o2 (vpn nat outbound)[44]: 10.97.15.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o3 (TCP streaming (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o4 (passive streaming (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o5 (vpn tagging outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o6 (Stateless verifications (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:o7 (fw VM outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O8 (fw post VM outbound )[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O9 (vpn policy outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O10 (l2tp outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O11 (vpn encrypt)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O12 (RTM packet out)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O13 (tcpt outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O14 (fw accounting outbound)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O15 (TCP streaming post VM)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O16 (IP Options Restore (out))[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O17 (Cluster Local Correction)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_0] bond12.517:O23 (Chain End)[44]: 1.1.1.1 -> 3.3.3.3 (UDP) len=384 id=24708
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=34433
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=19101
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=64551
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=52696
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=59551
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=16177
[vs_0][fw_3] bond12.517:OE25 (encrypt - after)[44]: 2.2.2.2 -> 3.3.3.3 (UDP) len=132 id=35105

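A quick check for the symptom shown above, as an added example that is not part of the original post: it parses tcpdump lines like the ones in the thread, groups the packets the gateway sent by peer, and flags peers whose ESP source address differs from the IKE source address. The sample lines are constructed from the thread's placeholder addresses, and the set of local addresses is an assumption you pass in.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump output in the thread (not the original capture).
SAMPLE = """\
11:00:26.728559 IP 3.3.3.3.4500 > 1.1.1.1.4500: isakmp-nat-keep-alive
11:00:27.064264 IP 1.1.1.1.4500 > 3.3.3.3.4500: NONESP-encap: isakmp: phase 2/others ? #37
11:00:27.080591 IP 3.3.3.3.4500 > 1.1.1.1.4500: NONESP-encap: isakmp: phase 2/others ? #37[]
11:00:28.749675 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x1), length 104
11:00:33.389009 IP 2.2.2.2.4500 > 3.3.3.3.4500: UDP-encap: ESP(spi=0x828309d1,seq=0x2), length 104
"""

# tcpdump prints "src.port > dst.port: payload" for IPv4/UDP lines.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: (.*)")

def outbound_sources(text, local_ips):
    """Map peer -> {"ike": sources, "esp": sources} for packets we sent (src in local_ips)."""
    seen = defaultdict(lambda: {"ike": set(), "esp": set()})
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, dst, payload = m.groups()
        if src not in local_ips:            # inbound packets say nothing about our source choice
            continue
        if "ESP(" in payload:               # UDP-encapsulated ESP (NAT-T on port 4500)
            seen[dst]["esp"].add(src)
        elif "isakmp" in payload:           # IKE, including the NONESP-encap marker on port 4500
            seen[dst]["ike"].add(src)
    return seen

def find_mismatches(text, local_ips):
    """Peers whose ESP source differs from the IKE source: the symptom in the thread."""
    result = {}
    for peer, s in outbound_sources(text, local_ips).items():
        if s["ike"] and s["esp"] and s["ike"] != s["esp"]:
            result[peer] = {"ike_src": sorted(s["ike"]), "esp_src": sorted(s["esp"])}
    return result

if __name__ == "__main__":
    for peer, info in find_mismatches(SAMPLE, {"1.1.1.1", "2.2.2.2"}).items():
        print(f"peer {peer}: IKE from {info['ike_src']} but ESP from {info['esp_src']}")
```

Feed it a capture taken with `tcpdump -nni any udp port 4500 or udp port 500` and pass every address the gateway could source from; a peer listed in the output is one where IKE and ESP disagree.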
Chris_Atkinson
Employee

Which version/jumbo is the gateway?

sk165003 might be relevant here.

CCSM R77/R80/ELITE
Maria_Pologova
Collaborator

This brings me hope 🙂

We are on 80.20 Take 183 and I found those messages in vpnd.elg as well
[vpnd 16556 4093212576]@CP_GW[9 Dec 13:08:21][ikev2] ikeSimpOrder::getMyIpAddr: Not found, will use first external interface.

We'll wait for the general take and upgrade, and will update the thread after. Thanks, Chris!

Maarten_Sjouw
Champion

In Link Selection, did you also configure the Source IP settings to manual and select the same IP 1.1.1.1?

Regards, Maarten
Maria_Pologova
Collaborator

Yes, I did.

JozkoMrkvicka
Authority

Is eth1 marked as External in Topology?

Kind regards,
Jozko Mrkvicka
Maria_Pologova
Collaborator

No, it isn't. This interface is defined as DMZ (Internal). Do you think this might influence such behavior? Interestingly enough, ~30 other VPNs are working without problems.

JozkoMrkvicka
Authority

If something is working fine, it shouldn't be the case. Does only this one Fortigate have the issue? No other Fortigates? Can't it be something related to routing? Or isn't the affected Fortigate part of some encryption domain?

Kind regards,
Jozko Mrkvicka
Maria_Pologova
Collaborator

Just found that with IKEv1 there is no such problem. So apparently sk165003 is relevant here indeed.

imamuzic
Contributor

We finally resolved the issue by changing the "Outgoing route selection" option from the default one, "Operating System Routing Table", to "Route Based Probing". The root cause was that our internal and external interfaces shared the same IP address class (A class, for example) and with the default option in "Outgoing route selection" the gateway incorrectly selects the internal interface for generating ESP packets from. It simply ignores subnet masks. It is only valid for IKEv2. When the "Route Based Probing" option is selected instead of the default one, the gateway checks reachability of the peer by using RDP (in the case of a Check Point peer) or IKE DPD (in the case of a 3rd party peer) and it does so automatically. Since there were no IKE DPD replies from the internal interface, but only from the external one, this interface is now correctly chosen for generating ESP packets from.

Here is the c/p of the Check Point TAC's explanation:

"Route based probing so that correct external interface is used. GW selects the best available route.
while Route Based Probing primarily uses RDP for route availability checking, in the context of third-party VPN peers, the Security Gateway can fall back on IKE DPD to ensure the peer's availability. This fallback mechanism helps maintain the correct routing behavior for ESP packets, even when RDP probing is not supported by the peer device."

Best Regards,

Igor
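To see how the two selection methods can disagree, here is an added example (not Check Point's code and not from the thread) using the thread's placeholder addressing: `lpm_source` computes the source the "Operating System Routing Table" option would derive from a longest-prefix-match route lookup, and `classful_source` is a hypothetical model of the mask-ignoring selection Igor describes, picking the first interface whose address is in the same legacy class as the peer. The interface and route tables are constructed assumptions.

```python
import ipaddress

# Constructed to mirror the thread's placeholder addressing; not a real gateway configuration.
INTERFACES = {                       # name -> (address/mask, role)
    "eth1":     ("1.1.1.1/24", "internal"),   # DMZ interface holding the Link Selection IP
    "eth2.517": ("2.2.2.2/24", "external"),   # interface towards the ISP
}
ROUTES = [                           # (destination, next hop or None if connected, egress interface)
    ("1.1.1.0/24", None, "eth1"),
    ("2.2.2.0/24", None, "eth2.517"),
    ("0.0.0.0/0", "2.2.2.3", "eth2.517"),     # default route via the eth2.517 gateway
]

def _addr(cidr):
    return cidr.split("/")[0]

def lpm_source(peer):
    """Source the OS routing table yields: longest-prefix match, then the egress interface address."""
    ip = ipaddress.ip_address(peer)
    candidates = [r for r in ROUTES if ip in ipaddress.ip_network(r[0])]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return _addr(INTERFACES[best[2]][0])

def _address_class(addr):
    """Legacy class letter from the first octet (A: 0-127, B: 128-191, C: 192-223)."""
    first = int(addr.split(".")[0])
    return "A" if first < 128 else "B" if first < 192 else "C" if first < 224 else "other"

def classful_source(peer):
    """Hypothetical model of the mis-selection described in the thread: the first interface whose
    address shares the peer's class is taken and the subnet mask is ignored."""
    for _name, (cidr, _role) in INTERFACES.items():
        if _address_class(_addr(cidr)) == _address_class(peer):
            return _addr(cidr)
    return None

def esp_source_matches_routing(peer, observed_esp_src):
    """True when the ESP source seen on the wire is what the routing table would have chosen."""
    return lpm_source(peer) == observed_esp_src

if __name__ == "__main__":
    peer = "3.3.3.3"
    print("routing table ->", lpm_source(peer), "| classful model ->", classful_source(peer))
```

Comparing `lpm_source(peer)` with the ESP source address seen in tcpdump tells you whether the gateway is following the routing table at all, which is the first thing to establish before changing the Link Selection options.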
Lesley
Mentor

Major improvements I have seen on CPX regarding this topic in R82

For reference:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T...

-------
If you like this post please give a thumbs up (kudo)! 🙂