This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vanesa_Benito_O
Contributor
‎2024-06-09 06:10 AM

Publishing an Internet service accessible through a site-to-site VPN

Hello everybody

I'm writing this post in the hope that someone has experienced the same issue. I'm trying to publish a service on the internet; the service is behind a site-to-site VPN that connects two Check Point clusters. The issue is that the request reaches the device, performs the destination NAT correctly, but the traffic is not being sent through the VPN.  

In the following schema could understand better the connection that i need to realize. The external ip is static.

 
 

Public Access.png

 

Based on this, i create the following in the Internet Firewall.

1. A Rule that allows communication between External IP and Public IP.

2. A NAT rule that converts the Public IP into Internal IP address.

3. In the VPN community (Both firewalls are check point managed by the same smart-1), i add the External IP address in the local domain of internet firewall.

4. And finally I have installed policy in the both firewalls, but the traffic doesnt go trough the VPN, that is currently working with other internal connections.

I have tried to perform a FW monitor and I only see the i packet, but in the smart monitor appears the initial connection from External IP to Public IP and the NATed Destination (Internal IP)

I think the issue is the internet firewall doesnt identify this traffic as VPN traffic

I dont know if i am making any mistake... any ideas?

Thank you in advance!

0 Kudos
11 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-06-09 06:29 AM

Did you make sure encryption domains are correct?

Andy

Best,
Andy
0 Kudos
Vanesa_Benito_O
Contributor
‎2024-06-09 08:11 AM
In response to the_rock

Yes, the VPN works correctly, I just have added the external IP in the VPN range of internet firewall with the objetive the firewall send this traffic through VPN but without successful.

The rest of connections in the same VPN works correctly 😞

the_rock
MVP Platinum
MVP Platinum
‎2024-06-09 08:27 AM
In response to Vanesa_Benito_O

Can you send the log of the traffic you are referring to? Just blur out any sensitive data.

Also, see if any of below cases may apply, as I have a gut feeling they might...specially case 3

Andy

 

https://support.checkpoint.com/results/sk/sk108600

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-10 07:52 AM

In a domain-based VPN, the decision to encrypt is based on the source IP being included in the Encryption Domain.
Since I assume you have not included the entirety of the Internet in your encryption domain for this "Internet Gateway," it will not choose to encrypt the traffic to this external IP.
This is, therefore, expected behavior.

A route-based VPN would probably be a better use case for this.

 

(1)
Vanesa_Benito_O
Contributor
‎2024-06-10 08:00 AM
In response to PhoneBoy

Hi, The external ip is always the same, i dont include the entirety of internet but I include that external IP, so the traffic should be routed trought the VPN...

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-06-10 08:02 AM
In response to Vanesa_Benito_O

I see what Phoneboy is saying about route based VPN, makes sense to me. I checked this for few customer we did this for and works perfectly.

Andy

Best,
Andy
0 Kudos
Vanesa_Benito_O
Contributor
‎2024-06-10 01:14 PM
In response to the_rock

Yes, I know, but this VPN is part of a star community, and change this vpn mode have a high impact. If its possible i would like to solve it using the actual VPN community.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-10 11:21 AM
In response to Vanesa_Benito_O

I thought people were connecting to an external IP that was translated to an internal IP.
Instead, it's a specific external IP that's connecting to an internal IP (via NAT)...got it.

If I recall correctly, we do not include host objects in the calculation for Encryption Domain.
Instead of creating a host object, try creating a Network object (with a /32 subnet mask) and use that in the Encryption Domain instead.

0 Kudos
Vanesa_Benito_O
Contributor
‎2024-06-10 01:34 PM
In response to PhoneBoy

I havent heared about it, but I have tried and still not working :(.

Its any way to check the negotiated SA, not the ID... I want to check somehow if the external ip added in the encyption domain is really included.

 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-06-10 03:07 PM
In response to Vanesa_Benito_O

You can do vpn tu list ike or vpn tu list ipsec (just type vpn tu lis (wrong spelling), but it will give all the options)

Did you verify 100% that IP is indeed included in the enc domain?

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-10 03:17 PM
In response to Vanesa_Benito_O

Probably best to debug: https://support.checkpoint.com/results/sk/sk180488 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events