I have a deployment with two sites; at each site there is a Check Point gateway, CP1 and CP2, which are connected by a site-to-site VPN (routed VPN, numbered VTI).
Here is a simplified description:
Subnet1, Subnet2 <----> Switch1 <--ospf--> CP1 <------- Routed VPN, ospf -----> CP2 <--ospf--> Switch2 <---> Subnet3, Subnet4
CP1 has LAN address 192.168.1.1 (Subnet1), CP2 has LAN address 172.16.1.1 (Subnet3).
All subnets are in different VLANs and routable on the switches. There are corresponding VLAN interfaces with .254 addresses on the switches.
This setup was working fine on R77.30.
But on R80.30 I have some weird routing issue.
I cannot access CP1 LAN address 192.168.1.1 from Subnet2 (192.168.2.0/24)
On CP1 I have a static route to the 192.168.2.0/24 subnet with a lower rank than the OSPF route to the same subnet.
I verified that the static route is active, not the OSPF one.
All firewall rules are in place. The issue is not there; I see that the traffic is not blocked.
Investigating, I found out the following:
- If there is no tunnel between CP1 and CP2, and OSPF between Switch1 and CP1 is enabled, then there is no issue; I can access CP1 from Subnet2.
- If the tunnel between CP1 and CP2 is working, but OSPF between CP1 and Switch1 is disabled, then there is also no issue.
- So as long as OSPF between Switch1 and CP1 is enabled and the VPN between CP1 and CP2 is up, I have that issue.
- Disabling/enabling OSPF in the VPN between CP1 and CP2 has no effect.
I don’t understand how that is happening and why.
Investigating further, I stumbled on this:
CP1 has the interfaces
eth0 – LAN (192.168.1.1)
eth2 – Internet
In both cases (when the issue exists and when not) the commands
>show route
#route -n
#ip route
show the correct routing table, through the correct interface (eth0), for the Subnet2 (192.168.2.0/24) destination:
>show route
S 192.168.2.0/24 via 192.168.1.254, eth0, cost 0, age 48031
#route -n
192.168.2.0 192.168.1.254 255.255.255.0 UG 0 0 0 eth0
#ip route
192.168.2.0/24 via 192.168.1.254 dev eth0 proto 7
But the command #ip route get 192.168.2.0/24 shows, when there is no issue,
192.168.2.0 via 192.168.1.254 dev eth0 src 192.168.1.1
and when the routing issue exists
192.168.2.0 via 192.168.1.254 dev eth2 src 192.168.1.1
So basically it shows that it will send packets through eth2, not eth0.
Why?? Where the hell does that come from?
The only route that should go through eth2 is the static default route to the ISP gateway.
To make it more confusing, when the issue exists I can easily access Internet resources from Subnet2,
and I can connect by VPN to CP1 (I have it configured) and access computers in Subnet2.
So this routing issue only affects packets that originate from CP1 itself and does not affect packets that are just passing through.
If I look at CP2 from Subnet4, the issue is the same.
Any ideas what is going on?
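The post's key observation is that the FIB listing (ip route / route -n) and the actual lookup result (ip route get) disagree on the egress interface for the same prefix. The script below is an added diagnostic example, not part of the original post and not a Check Point tool: it parses the two outputs, reports a MATCH or MISMATCH per prefix, and dumps ip rule, since a policy-routing rule steering traffic to another table is one common way the two can diverge on Linux. Without an iif argument, ip route get simulates a locally generated packet, which is exactly the case the post says is affected. The sample lines are copied from the post; the prefixes passed on the command line are assumptions.

```shell
#!/bin/sh
# Constructed samples, copied from the post: the same destination resolved via eth0
# (healthy state) and via eth2 (broken state), plus the FIB entry both states show.
SAMPLE_OK='192.168.2.0 via 192.168.1.254 dev eth0 src 192.168.1.1'
SAMPLE_BAD='192.168.2.0 via 192.168.1.254 dev eth2 src 192.168.1.1'
SAMPLE_FIB='192.168.2.0/24 via 192.168.1.254 dev eth0 proto 7'

# Print the interface that follows the "dev" keyword in one line of ip route output.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Compare the interface listed in the FIB entry ($1) with the one the kernel
# actually selects for a lookup ($2). Prints MATCH/MISMATCH, returns 0/1.
check_egress() {
    fib_dev=$(route_dev "$1")
    get_dev=$(route_dev "$2")
    if [ -n "$fib_dev" ] && [ "$fib_dev" = "$get_dev" ]; then
        echo "MATCH $fib_dev"
        return 0
    fi
    echo "MISMATCH fib=$fib_dev lookup=$get_dev"
    return 1
}

# Live mode (Linux gateway with iproute2): for each prefix, compare the FIB entry with
# the lookup for a locally originated packet, then show the policy-routing rules.
live_check() {
    for prefix in "$@"; do
        fib=$(ip route show "$prefix" 2>/dev/null | head -n 1)
        lookup=$(ip route get "${prefix%/*}" 2>/dev/null | head -n 1)
        printf '%s: ' "$prefix"
        check_egress "$fib" "$lookup" || true
    done
    echo '--- ip rule show ---'
    ip rule show
}

# Example (hypothetical prefixes): sh route_check.sh --live 192.168.2.0/24 172.16.1.0/24
if [ "${1:-}" = "--live" ]; then
    shift
    live_check "$@"
fi
```

Run it on the gateway in both states; a MISMATCH line for 192.168.2.0/24 alongside a rule that sends traffic to a non-main table (or a route in that table pointing at eth2) is the thing to look at first.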