This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Henrik_J
Contributor
a month ago

Route Based VPN Network SA no route

Hello!

We are having performance issues with a VPN tunnel solution up to Azure.

So we thought about setting another tunnel up so we can lab / troubleshoot on a designated test network.

Weirdly enough, when the new tunnel was set up (route based), we saw an SA negotiated between one random on prem network and one random Azure network.

This affected production traffic.

What's even weirder, is that when I issued netstat -arn as well as show route in gaia, there were no routes pointing ot the new VPNT-interface, nor had BGP gone up.

BGP is strictly configured with export and import route maps as well, but the neighborship was never formed, nor any routes installed.

I will look into this more tomorrow, but from my understanding, the same VNG was used on the Azure end.

So my question being .... if the Azure VNG initiated an SA between on prem-network A and Azure Network B.

Would Check Point accept that?

In the VPN Community, we have set up One VPN Tunnel per GW, it's also a seperate VPN Community than the other tunnel.
The VPN Domains on both ends have been set to empty groups.

Anyone seen anything similar ?
Anyone can explain how these SAs even formed even without routes being in place?

0 Kudos
5 Replies
emmap
Employee
Employee
a month ago

If you have empty encryption domains on the gateways in the community and this is happening then I would suggest that this would need some VPN debugging etc to get to the bottom of it. TAC can assist with that. 

0 Kudos
the_rock
Legend
Legend
a month ago

See if the link I made about this last year helps. Im fairly familiar with aws and azure vpn tunnels, since I must have done close to 50 of them : - )

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

0 Kudos
Henrik_J
Contributor
a month ago
In response to the_rock

Thank you!

I had time today with the customer to investigate further.

From what I saw from the logs, it looks like Azure was (is) trying to establish the tunnel constantly.
It seems that there was a misconfiguration on the Azure end stating that there some "remote networks" (on prem) behind this new VPN tunnel.

We are setting up a maintenance window to investigate this further, but what I think is happening, is that Azure is actively trying to form SAs towards these on-prem networks as they are defined as remote networks.

While Check Point seems to gladly agree, even if there are no routes in place.

So seemingly peers can affect the SA negotiation like this.

I'll get back once we've tested this more thoroughly.

0 Kudos
the_rock
Legend
Legend
a month ago
In response to Henrik_J

Ok, got it! Well, its worth trying on CP end, something like below:

say Azure end is, as an example 10.10.10.0, you can add route in web UI to 10.10.10.0/24 using VTI as DG, just select the right interface. 

Andy

0 Kudos
the_rock
Legend
Legend
a month ago

Also, forgot to mention, for what is worth, I would always use numbered VTIs, as I found with unnumbered ones, it usually works way better if BGP is involved through the tunnel.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events