Solved: Re: No ssh access to VPN peer outside IP

Vlad_Voronko · ‎2018-04-24

While testing a site-to-site VPN tunnel between CP80.10 and Cisco ASA, I noticed that right after I had configured the IPSec peer on CP80.10, I was no longer able to ssh to 10.0.14.101 (ASA outside IP) to manage the device. Then I looked into the logs on CP and found out that CP80.10 is trying to encrypt packets destined to ASA outside IP address 10.0.14.101. I wasn't able to find any info about this issue. Is there any way how I can disable or turn off this behavior? Screenshot of the logs in the attachment. Thanks.

G_W_Albrecht · ‎2018-04-24

I would suggest to consult sk25675 Customizing VPN Domain to exclude IP Address and allow clear text and sk108600 VPN Site-to-Site with 3rd party Scenario 3 !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

Marco_Valenti · ‎2018-04-24

quick way to solve it ? use excluded service and add ssh there , definition ip of the remote peer is part of the remote enc domain

Vlad_Voronko · ‎2018-04-24

Hi Marco,

I considered that option but I guess enabling it would prevent me from establishing an ssh session to the equipment residing behind the ASA (which only reachable over the VPN tunnel).

G_W_Albrecht · ‎2018-04-24

I would suggest to consult sk25675 Customizing VPN Domain to exclude IP Address and allow clear text and sk108600 VPN Site-to-Site with 3rd party Scenario 3 !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Vlad_Voronko · ‎2018-04-24

Günther and Brandon,

Thanks a lot I'll take a look into this.

Gomboragchaa · ‎2021-03-15

Hi @G_W_Albrecht ,

What about on Scalable Platforms (Maestro). SMS is R80.40 and GW is R80.30SP.

I've tried to edit crypt.def file on Management and GW as well. But still no success.

Before I used to this SK and it works perfect and SMS, GW both were the same version..

Do you have any clue?

G_W_Albrecht · ‎2021-03-15

Three hints:

- The "crypt.def" file has to be edited only on Security Management Server. The relevant code will be transferred to Security Gateway during policy installation. (sk98241)

- The "crypt.def" file has to be edited in plain-text editor (Vi on Unix-based OS ; Notepad/Notepad++ on Windows OS). (sk98241)

- R80.30SP should be included when $FWDIR/lib/crypt.def is edited and the policy installed. (sk98241)

If all these have been followed i would contact TAC !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Brandon_Pace · ‎2018-04-24

sk108600 Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces

Vlad_Voronko · ‎2018-04-24

Brandon,

Thanks a lot I'll take a look into this.

Kim_Moberg · ‎2018-04-24

Did you try to exclude ssh in the vpn community? And then push policy?

Of course if you need to use ssh on Remote encryption domain, that might be a challange.

Best Regards
Kim

Are you a member of CheckMates?

No ssh access to VPN peer outside IP