This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Serhii_Yaholnyt
Contributor
‎2019-04-22 05:06 AM

Route Injection Mechanism and its features(bugs?)

Hi all. I am trying to configure RIM in Site-to-Site VPN. I have a remote peer with VPN domain 10.248.0.0/24. I am trying to advertise remote peer's VPN domain to local OSPF. I have enabled Route Injection Mechanism in my VPN community and got such a result:

S 0.0.0.0/0 via 10.0.1.2, eth0, cost 0, age 8119
C 10.0.1.0/24 is directly connected, eth0
K 10.248.0.1/32 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.2/31 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.4/30 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.8/29 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.16/28 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.32/27 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.64/26 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.128/29 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.136/30 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.140/32 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.142/31 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.144/28 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.160/27 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.192/26 via 10.0.1.59, eth0, cost 0, age 559
C 10.249.0.0/24 is directly connected, eth2
C 127.0.0.0/8 is directly connected, lo

I can redistribute these routes to OSPF but why Checkpoint shows all these networks instead of 10.248.0.0/24?
To reduce number of routes I have agregated them to a 10.248.0.0/24 and redistributed routes to OSPF from agregation. But on my Checkpoint gateway agregated route has a 'is a reject route' description:

S 0.0.0.0/0 via 10.0.1.2, eth0, cost 0, age 8873
C 10.0.1.0/24 is directly connected, eth0
K 10.248.0.1/32 via 10.0.1.59, eth0, cost 0, age 40
K 10.248.0.2/31 via 10.0.1.59, eth0, cost 0, age 40
K 10.248.0.4/30 via 10.0.1.59, eth0, cost 0, age 40
K 10.248.0.8/29 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.16/28 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.32/27 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.64/26 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.128/29 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.136/30 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.140/32 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.142/31 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.144/28 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.160/27 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.192/26 via 10.0.1.59, eth0, cost 0, age 41
A 10.248.0.0/24 is a reject route
C 10.249.0.0/24 is directly connected, eth2
C 127.0.0.0/8 is directly connected, lo

What does it mean? Is such work of RIM correct? It looks very strange...

0 Kudos
5 Replies
Serhii_Yaholnyt
Contributor
‎2019-04-23 12:54 AM

Today I tried to change network for VPN domain of a remote peer to 192.168.7.0/24 and RIM worked correctly:
route table on Check Point:
S 0.0.0.0/0 via 10.0.1.2, eth0, cost 0, age 79689
C 10.0.1.0/24 is directly connected, eth0
C 10.249.0.0/24 is directly connected, eth2
C 127.0.0.0/8 is directly connected, lo
K 192.168.7.0/24 via 10.0.1.59, eth0, cost 0, age 985

route table on OSPF router:
S 0.0.0.0/0 via 10.0.1.2, eth0, cost 0, age 1098256
C 10.0.1.0/24 is directly connected, eth0
O E 10.249.0.0/24 via 10.0.1.169, eth0, cost 2:0, age 62247, tag 0x00000000
C 127.0.0.0/8 is directly connected, lo
O E 192.168.7.0/24 via 10.0.1.169, eth0, cost 2:0, age 1042, tag 0x00000000

But when I am changing VPN domain back to 10.248.0.0/24 issue replicates. I have no idea what is going on...

0 Kudos
PhoneBoy
Admin
Admin
‎2019-04-28 11:12 PM

Is 10.248.0.0/24 on your gateway anywhere or configured statically in your routing table?
0 Kudos
Serhii_Yaholnyt
Contributor
‎2019-05-01 11:25 PM
In response to PhoneBoy

I had an interface in this subnet but before establishing tunnel I turned it off and deleted IP address.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-05-02 10:54 AM
In response to Serhii_Yaholnyt

There is probably a vestige of that interface information in the configuration somewhere that may be causing this.
0 Kudos
Fernando_Hagels
Participant
‎2019-05-20 01:04 PM

Hi:

 

by the way... does your gateway has configured the ip address 10.248.0.141?? 

 

if so....  your problem is around here:

 

By default RIM excludes the IP interface from the kernel routes... UNLESS you activate this feature:

 

RIM-advanced-properties.jpg

 

Hope this help...

 

 

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events