This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
StefanBauer
Participant
‎2023-10-10 12:48 PM

NAT46 for IPv6 Tunnel

Hey guys,

we use R81.10. We have already establised a IPv6 tunnel between two Gaia gateways, because we have only a public IPv6 address on our 5G contract available. 

Basically it works fine with the tunnel, when we use IPv6 for communication. The bad thing is, that Check Point does not support IPv4 in IPv6 tunnels. That makes it nearly useless, because we have a lot applications who are not IPv6 ready - unfortunately.

We tried to translate the IPv4 addresses in IPv6, that we can pass the tunnel. On the peer gateway we nat the addresses from IPv6 in IPv4 addresses back. That would make IPv6 transparent for the client/server communication.

Client (v4/v6) -->| fw1 (v6) | ==(v6 Tunnel)== | fw2 (NAT64)| ---> Server (v4)

Nat46 and Nat64 works fine. On the fw1 Nat46 will executed, but the packets are not entering the tunnel. Is there a solution to prior the Nat rules before the VPN rules (Policy)? NAT66 works fine in the tunnel, but the destination IPv6 is already included in the Encryption Domain.

Thanks in advance, 

Best regards,

Stefan

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2023-10-10 02:07 PM

Did you happen to include in your IPv6 Encryption Domain the IPv6 version of your IPv4 addresses?

0 Kudos
StefanBauer
Participant
‎2023-10-10 10:47 PM
In response to PhoneBoy

Hi PhoneBoy,

thanks for the fast response. Yes, the IPv6 addresses are in included in the Encryption Domain. Do you have still any other idea?

Destination IPv4 - 192.168.1.105 (is only in normal Access Rule)

Destination IPv6 (NAT46) - 2003:cf:825:210::105 (is inlcuded in the Endryption Domain)

If i try to connect to the IPv6 address it works fine over the IPv6 tunnel.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-11 06:28 AM
In response to StefanBauer

I'm not talking about the destination encryption domain, I'm talking about the source encryption domain.
Is the result of the NAT46 translation included in the source encryption domain?

0 Kudos
StefanBauer
Participant
‎2023-10-11 07:27 AM
In response to PhoneBoy

Yes, the "Xlate (NAT)" source IP address is also in the source encryption domain.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-11 01:52 PM
In response to StefanBauer

Is this a domain-based VPN or a route-based VPN?
Possible that might work with a route-based VPN, but I suspect this is unsupported.
I would open a TAC case to get confirmation: https://help.checkpoint.com 

0 Kudos
StefanBauer
Participant
‎2023-10-13 11:08 AM
In response to PhoneBoy

TAC response:

I suspect that it may work with Route based VPN(VTI) but it is currently not supported per sk163313.
https://support.checkpoint.com/results/sk/sk163313

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-13 01:19 PM
In response to StefanBauer

That SK doesn't really say it's not supported...but it doesn't say it is, either.
However, trying Route-Based VPNs (if possible) seems like the only possibility.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events