This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Luis_Filipe
Participant
‎2019-03-05 01:59 PM
Jump to solution

Manual NAT inside a VPN IPsec Tunnel

Hello guys,

I setup up a IPsec tunnel between checkpoint and a 3rd party VPN. Everything works fine without any problem.

The question is that when I connect one router (R1) to the gateway(R77.30) and put one PC(WS2012R2-4) behind the router the tunnel not worked as expected.

Behind the router I have the network 10.1.1.0/24 and I do some NAT manipulation on the gateway, like that:


I want to manipulate the traffic coming from the PC 10.1.1.10 to appear in the tunnel on the other side with the Source 172.16.3.20.

I setup my firewall rule to work with the VPN Community, like that:

The VPN Domains in both sides are the Networks: 172.16.3.0/24(Checkpoint) and 172.16.1.0/24(Fortinet).

The problem is that host 10.1.1.10 cannot fire up the tunnel and all other hosts on the network 172.16.3.0/24 can setup the tunnel. I don't have the NAT disabled on the Community and the gateway and router have routes setting up for routing purposes, I don't think this is a routing issue.

I captured traffic with the wireshark from the outside interface eth0 (See the topology above), and I forced traffic through the tunnel with the PC 10.1.1.10, but nothing happened, please see below the packets:

Source NAT works fine, but I cannot setup the tunnel, why this happen?

What am I doing wrong? What is left to do?

Thanks in advanced

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Authority
Authority
‎2019-03-06 12:03 AM
Jump to solution

Hello Luis,

as I understand your traffic capture is from eth0 and this is the external interface of your firewall.

If you did the capture with tcpdump you should never see the NATed packet on eth0, the packet should be decrypt.

You should add net 10.1.1.0/24 or the one host 10.1.1.10 to your local encryption domain on the CheckPoint gateway.

And in the rulebase you too need to allow this net to pass th VPN.

Wolfgang

View solution in original post

0 Kudos
3 Replies
Vladimir
Champion
Champion
‎2019-03-05 02:45 PM
Jump to solution

Try using Dead Peer Detection. It should keep the tunnel up.

VPN Site-to-Site with 3rd party Scenario 5.

0 Kudos
Wolfgang
Authority
Authority
‎2019-03-06 12:03 AM
Jump to solution

Hello Luis,

as I understand your traffic capture is from eth0 and this is the external interface of your firewall.

If you did the capture with tcpdump you should never see the NATed packet on eth0, the packet should be decrypt.

You should add net 10.1.1.0/24 or the one host 10.1.1.10 to your local encryption domain on the CheckPoint gateway.

And in the rulebase you too need to allow this net to pass th VPN.

Wolfgang

0 Kudos
Vladimir
Champion
Champion
‎2019-03-06 02:57 PM
Jump to solution

I see that you have ARP traffic from 10. network on your external Check Point interface's packet capture.

If you are building this environment in GNS, beware:) some weirdness is expected.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events