Luis_Filipe
Participant

Manual NAT inside a VPN IPsec Tunnel

Hello guys,

I set up an IPsec tunnel between Check Point and a 3rd party VPN. Everything works fine without any problem.

The question is that when I connect one router (R1) to the gateway (R77.30) and put one PC (WS2012R2-4) behind the router, the tunnel does not work as expected.

Behind the router I have the network 10.1.1.0/24 and I do some NAT manipulation on the gateway, like that:


I want to manipulate the traffic coming from the PC 10.1.1.10 to appear in the tunnel on the other side with the Source 172.16.3.20.

I setup my firewall rule to work with the VPN Community, like that:

The VPN Domains in both sides are the Networks: 172.16.3.0/24(Checkpoint) and 172.16.1.0/24(Fortinet).

The problem is that host 10.1.1.10 cannot fire up the tunnel, while all other hosts on the network 172.16.3.0/24 can set up the tunnel. I don't have NAT disabled on the Community, and the gateway and router have routes set up for routing purposes, so I don't think this is a routing issue.

I captured traffic with Wireshark on the outside interface eth0 (see the topology above), and I forced traffic through the tunnel from the PC 10.1.1.10, but nothing happened. Please see the packets below:

Source NAT works fine, but I cannot set up the tunnel. Why does this happen?

What am I doing wrong? What is left to do?

Thanks in advance

0 Kudos
1 Solution

Accepted Solutions
Wolfgang
Authority

Hello Luis,

As I understand it, your traffic capture is from eth0, which is the external interface of your firewall.

If you did the capture with tcpdump, you should never see the NATed packet on eth0; the packet should be decrypted.

You should add net 10.1.1.0/24 or the one host 10.1.1.10 to your local encryption domain on the CheckPoint gateway.

And in the rulebase you also need to allow this net to pass the VPN.

Wolfgang


0 Kudos
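The accepted answer separates two things that are easy to conflate: what the peer sees inside the tunnel (the post-NAT source 172.16.3.20) and what the gateway uses to decide whether the flow belongs to the community at all (the original source 10.1.1.10 and the rulebase match). The following script is an added example, not code from the thread or from Check Point; it models that decision with Python's `ipaddress` module using the addresses from the post. The rule names, the sample destination 172.16.1.50 and the assumption that domain and rulebase matching happen on the pre-NAT source are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology (addresses taken from the post).
LOCAL_DOMAIN = [ip_network("172.16.3.0/24")]   # Check Point encryption domain
REMOTE_DOMAIN = [ip_network("172.16.1.0/24")]  # Fortinet encryption domain

# Manual source NAT from the post: 10.1.1.10 is shown to the peer as 172.16.3.20.
NAT_RULES = [
    {"orig_src": ip_network("10.1.1.10/32"), "xlate_src": ip_address("172.16.3.20")},
]

# Constructed rulebase: a single rule that only lets the encryption-domain
# network into the community, which is how the post's setup behaves.
RULEBASE = [
    {"name": "vpn-dom", "src": [ip_network("172.16.3.0/24")],
     "dst": [ip_network("172.16.1.0/24")], "vpn": "community", "action": "accept"},
]


def in_any(addr, nets):
    """True when addr falls inside at least one of the given networks."""
    return any(addr in net for net in nets)


def apply_source_nat(src, rules):
    """Return the translated source for the first matching manual NAT rule."""
    for rule in rules:
        if src in rule["orig_src"]:
            return rule["xlate_src"]
    return src


def rulebase_allows(src, dst, rulebase):
    """First-match rulebase lookup; returns (allowed, rule name)."""
    for rule in rulebase:
        if in_any(src, rule["src"]) and in_any(dst, rule["dst"]) and rule["vpn"] == "community":
            return rule["action"] == "accept", rule["name"]
    return False, None


def evaluate_flow(src, dst, local_domain, remote_domain, nat_rules, rulebase):
    """Decide whether a flow would be sent through the tunnel.

    Assumption (this is how the accepted answer describes the behaviour):
    the encryption-domain check and the rulebase match are made on the
    ORIGINAL source address; NAT only changes the inner source the peer sees.
    """
    src, dst = ip_address(src), ip_address(dst)
    inner_src = apply_source_nat(src, nat_rules)
    domain_ok = in_any(src, local_domain) and in_any(dst, remote_domain)
    allowed, rule_name = rulebase_allows(src, dst, rulebase)
    return {
        "original_src": str(src),
        "inner_src_seen_by_peer": str(inner_src),
        "in_encryption_domain": domain_ok,
        "rulebase_rule": rule_name,
        "encrypted": domain_ok and allowed,
    }


def with_fix(local_domain, rulebase):
    """Apply the accepted answer: add 10.1.1.0/24 to the local encryption
    domain and add a rulebase entry that lets it into the community."""
    lan = ip_network("10.1.1.0/24")
    extra_rule = {"name": "vpn-r1-lan", "src": [lan], "dst": list(REMOTE_DOMAIN),
                  "vpn": "community", "action": "accept"}
    return local_domain + [lan], rulebase + [extra_rule]


if __name__ == "__main__":
    # Before the fix: NAT happens, but the flow never enters the tunnel.
    print(evaluate_flow("10.1.1.10", "172.16.1.50", LOCAL_DOMAIN, REMOTE_DOMAIN, NAT_RULES, RULEBASE))
    # A host that is natively in the domain works, as the post reports.
    print(evaluate_flow("172.16.3.5", "172.16.1.50", LOCAL_DOMAIN, REMOTE_DOMAIN, NAT_RULES, RULEBASE))
    # After the fix: same NAT result, and now the flow is encrypted.
    dom, rb = with_fix(LOCAL_DOMAIN, RULEBASE)
    print(evaluate_flow("10.1.1.10", "172.16.1.50", dom, REMOTE_DOMAIN, NAT_RULES, rb))
```

Running it shows the symptom from the post in miniature: the 10.1.1.10 flow gets its source translated to 172.16.3.20 but is reported as not encrypted, because the original address is outside the local domain and matches no community rule, while a 172.16.3.x host passes. After `with_fix` both checks succeed and the peer still sees 172.16.3.20 as the inner source, which is the outcome the manual NAT was meant to produce.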
3 Replies
Vladimir
Champion

Try using Dead Peer Detection. It should keep the tunnel up.

VPN Site-to-Site with 3rd party Scenario 5.

0 Kudos
Vladimir
Champion

I see that you have ARP traffic from the 10. network in your external Check Point interface's packet capture.

If you are building this environment in GNS, beware:) some weirdness is expected.

0 Kudos
