
Manual NAT inside a VPN IPsec Tunnel

Hello guys,

I set up an IPsec tunnel between Check Point and a 3rd party VPN. Everything works fine without any problem.

The question is that when I connect one router (R1) to the gateway (R77.30) and put one PC (WS2012R2-4) behind the router, the tunnel does not work as expected.

Behind the router I have the network 10.1.1.0/24 and I do some NAT manipulation on the gateway, like that:


I want to manipulate the traffic coming from the PC 10.1.1.10 to appear in the tunnel on the other side with the Source 172.16.3.20.

I setup my firewall rule to work with the VPN Community, like that:

The VPN Domains in both sides are the Networks: 172.16.3.0/24(Checkpoint) and 172.16.1.0/24(Fortinet).

The problem is that host 10.1.1.10 cannot fire up the tunnel, while all other hosts on the network 172.16.3.0/24 can set up the tunnel. I don't have NAT disabled on the Community, and the gateway and router have routes set up for routing purposes, so I don't think this is a routing issue.

I captured traffic with Wireshark from the outside interface eth0 (see the topology above), and I forced traffic through the tunnel from the PC 10.1.1.10, but nothing happened. Please see the packets below:

Source NAT works fine, but I cannot set up the tunnel. Why does this happen?

What am I doing wrong? What is left to do?

Thanks in advance

Accepted Solutions
Wolfgang

Re: Manual NAT inside a VPN IPsec Tunnel

Hello Luis,

as I understand it, your traffic capture is from eth0, and this is the external interface of your firewall.

If you did the capture with tcpdump, you should never see the NATed packet on eth0; the packet should be encrypted.

You should add the net 10.1.1.0/24, or the single host 10.1.1.10, to your local encryption domain on the Check Point gateway.

And in the rulebase you also need to allow this net to pass the VPN.

Wolfgang

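To check the point the accepted answer makes against a capture, here is an added example (not code from the original post, from Check Point, or from Wolfgang) that triages `tcpdump -nn -i eth0` output from the gateway's external interface. It classifies each line as IKE, ESP or cleartext IP and flags cleartext packets between the two VPN domains named in the thread (172.16.3.0/24 and 172.16.1.0/24): those should only ever leave eth0 inside ESP, so seeing them in the clear means the gateway never treated the flow as VPN traffic. A second helper shows that the pre-NAT source 10.1.1.10 lies outside the local encryption domain while the translated source 172.16.3.20 lies inside it, which is why the answer's fix is to add 10.1.1.0/24 to the domain. The peer addresses 203.0.113.10 and 198.51.100.20, the sample capture lines and the tcpdump line layout are assumptions made for the example.

```python
"""Triage of a tcpdump capture from the gateway's external interface (eth0).

Added example for this thread; not code from the original post or from Check Point.
"""
import ipaddress
import re

# Encryption domains as stated in the thread.
LOCAL_DOMAIN = [ipaddress.ip_network("172.16.3.0/24")]
REMOTE_DOMAIN = [ipaddress.ip_network("172.16.1.0/24")]

# Network behind R1 that is hidden behind 172.16.3.20 (from the thread).
BEHIND_ROUTER = ipaddress.ip_network("10.1.1.0/24")

IKE_PORTS = {500, 4500}

# Assumed tcpdump -nn line layout: "<ts> IP <src>[.<sport>] > <dst>[.<dport>]: <payload>"
LINE_RE = re.compile(
    r"^\S+ IP (\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))? > "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?: (.*)$"
)


def in_domain(ip, domains):
    """True if the address `ip` (str) lies inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in domains)


def classify(line):
    """Return (kind, src, dst) for one tcpdump line, or None if it is not IPv4."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, payload = m.groups()
    ports = {int(p) for p in (sport, dport) if p is not None}
    if payload.startswith("ESP("):
        kind = "esp"    # encrypted tunnel payload: what we expect on eth0
    elif payload.startswith("isakmp") or ports & IKE_PORTS:
        kind = "ike"    # tunnel negotiation on UDP 500/4500
    else:
        kind = "clear"  # plain IP, readable by anyone on the wire
    return kind, src, dst


def triage(capture_lines):
    """Count packets per kind and list cleartext flows between the two VPN domains,
    i.e. packets that should have been encrypted but were not."""
    counts = {"esp": 0, "ike": 0, "clear": 0, "other": 0}
    leaks = []
    for line in capture_lines:
        parsed = classify(line)
        if parsed is None:
            counts["other"] += 1   # ARP, IPv6, etc.
            continue
        kind, src, dst = parsed
        counts[kind] += 1
        crosses_tunnel = (
            (in_domain(src, LOCAL_DOMAIN) and in_domain(dst, REMOTE_DOMAIN))
            or (in_domain(src, REMOTE_DOMAIN) and in_domain(dst, LOCAL_DOMAIN))
        )
        if kind == "clear" and crosses_tunnel:
            leaks.append((src, dst))
    return counts, leaks


def domain_membership(original_src, translated_src, local_domain):
    """Report whether the pre-NAT and post-NAT source fall inside the local
    encryption domain, so the two views can be compared side by side."""
    return {
        "original_in_domain": in_domain(original_src, local_domain),
        "translated_in_domain": in_domain(translated_src, local_domain),
    }


# Constructed sample capture (not the poster's real capture): IKE, one ESP packet,
# the NATed host's traffic leaving in the clear, and a stray ARP from 10.1.1.0/24.
SAMPLE_CAPTURE = [
    "10:00:00.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident",
    "10:00:00.050000 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident",
    "10:00:01.000000 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 132",
    "10:00:02.000000 IP 172.16.3.20.51000 > 172.16.1.10.3389: Flags [S], seq 1, win 8192, length 0",
    "10:00:02.000100 IP 172.16.3.20 > 172.16.1.10: ICMP echo request, id 1, seq 1, length 40",
    "10:00:03.000000 ARP, Request who-has 10.1.1.1 tell 10.1.1.10, length 28",
]

if __name__ == "__main__":
    counts, leaks = triage(SAMPLE_CAPTURE)
    print("per kind:", counts)
    print("cleartext flows that should have been in ESP:", leaks)
    print("10.1.1.10 vs 172.16.3.20 in local domain:",
          domain_membership("10.1.1.10", "172.16.3.20", LOCAL_DOMAIN))
    print("after adding 10.1.1.0/24:",
          domain_membership("10.1.1.10", "172.16.3.20", LOCAL_DOMAIN + [BEHIND_ROUTER]))
```

Run it against a real capture with `triage(open("eth0.txt").read().splitlines())`. Two cleartext packets from 172.16.3.20 to 172.16.1.10 on eth0 are exactly the symptom in the thread: NAT happened, but the flow never entered the tunnel, and the ARP line is the stray 10.x traffic Vladimir mentions below.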
3 Replies
Vladimir

Re: Manual NAT inside a VPN IPsec Tunnel

Try using Dead Peer Detection. It should keep the tunnel up.

VPN Site-to-Site with 3rd party Scenario 5.

Vladimir

Re: Manual NAT inside a VPN IPsec Tunnel

I see that you have ARP traffic from the 10. network in your external Check Point interface's packet capture.

If you are building this environment in GNS, beware :) some weirdness is expected.
