Serhii_Yaholnyt
Contributor

Route Injection Mechanism and its features (bugs?)

Hi all. I am trying to configure RIM in a Site-to-Site VPN. I have a remote peer with VPN domain 10.248.0.0/24, and I am trying to advertise the remote peer's VPN domain into the local OSPF. I enabled Route Injection Mechanism in my VPN community and got this result:

S 0.0.0.0/0 via 10.0.1.2, eth0, cost 0, age 8119
C 10.0.1.0/24 is directly connected, eth0
K 10.248.0.1/32 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.2/31 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.4/30 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.8/29 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.16/28 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.32/27 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.64/26 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.128/29 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.136/30 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.140/32 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.142/31 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.144/28 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.160/27 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.192/26 via 10.0.1.59, eth0, cost 0, age 559
C 10.249.0.0/24 is directly connected, eth2
C 127.0.0.0/8 is directly connected, lo

I can redistribute these routes to OSPF, but why does Check Point show all these networks instead of 10.248.0.0/24?
To reduce the number of routes I aggregated them to 10.248.0.0/24 and redistributed the aggregate into OSPF. But on my Check Point gateway the aggregated route has the description 'is a reject route':

S 0.0.0.0/0 via 10.0.1.2, eth0, cost 0, age 8873
C 10.0.1.0/24 is directly connected, eth0
K 10.248.0.1/32 via 10.0.1.59, eth0, cost 0, age 40
K 10.248.0.2/31 via 10.0.1.59, eth0, cost 0, age 40
K 10.248.0.4/30 via 10.0.1.59, eth0, cost 0, age 40
K 10.248.0.8/29 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.16/28 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.32/27 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.64/26 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.128/29 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.136/30 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.140/32 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.142/31 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.144/28 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.160/27 via 10.0.1.59, eth0, cost 0, age 41
K 10.248.0.192/26 via 10.0.1.59, eth0, cost 0, age 41
A 10.248.0.0/24 is a reject route
C 10.249.0.0/24 is directly connected, eth2
C 127.0.0.0/8 is directly connected, lo

What does it mean? Is this correct behaviour for RIM? It looks very strange...

0 Kudos
5 Replies
Serhii_Yaholnyt
Contributor

Today I tried changing the VPN domain of the remote peer to 192.168.7.0/24, and RIM worked correctly:
Route table on Check Point:
S 0.0.0.0/0 via 10.0.1.2, eth0, cost 0, age 79689
C 10.0.1.0/24 is directly connected, eth0
C 10.249.0.0/24 is directly connected, eth2
C 127.0.0.0/8 is directly connected, lo
K 192.168.7.0/24 via 10.0.1.59, eth0, cost 0, age 985

Route table on OSPF router:
S 0.0.0.0/0 via 10.0.1.2, eth0, cost 0, age 1098256
C 10.0.1.0/24 is directly connected, eth0
O E 10.249.0.0/24 via 10.0.1.169, eth0, cost 2:0, age 62247, tag 0x00000000
C 127.0.0.0/8 is directly connected, lo
O E 192.168.7.0/24 via 10.0.1.169, eth0, cost 2:0, age 1042, tag 0x00000000

But when I change the VPN domain back to 10.248.0.0/24, the issue comes back. I have no idea what is going on...

0 Kudos
PhoneBoy
Admin

Is 10.248.0.0/24 on your gateway anywhere or configured statically in your routing table?
0 Kudos
Serhii_Yaholnyt
Contributor

I had an interface in this subnet, but before establishing the tunnel I turned it off and deleted the IP address.

0 Kudos
PhoneBoy
Admin

There is probably a vestige of that interface information in the configuration somewhere that may be causing this.
0 Kudos
Fernando_Hagels
Participant

Hi:

By the way... does your gateway have the IP address 10.248.0.141 configured?

If so... your problem is around here:

By default RIM excludes the interface IP from the kernel routes... UNLESS you activate this feature:

(screenshot: RIM-advanced-properties.jpg)

Hope this helps...
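Added example (Python, written for this page and not code from the thread or from Check Point): it parses the route table posted in the first message and lists the addresses of 10.248.0.0/24 that none of the injected kernel routes cover, which makes the hole behind the reply above visible. The route table text is constructed from the lines in the thread.

```python
# Added example (not from the thread). Given the kernel ('K') routes that RIM injected for the
# 10.248.0.0/24 VPN domain, find which addresses of that domain are NOT covered by any of them.
import ipaddress
import re

# Constructed from the route table posted in the thread (only the relevant lines).
ROUTE_TABLE = """\
K 10.248.0.1/32 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.2/31 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.4/30 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.8/29 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.16/28 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.32/27 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.64/26 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.128/29 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.136/30 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.140/32 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.142/31 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.144/28 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.160/27 via 10.0.1.59, eth0, cost 0, age 559
K 10.248.0.192/26 via 10.0.1.59, eth0, cost 0, age 559
C 10.249.0.0/24 is directly connected, eth2
"""

# A route line as printed by the gateway: one-letter protocol code, then the prefix.
ROUTE_RE = re.compile(r"^(?P<proto>[A-Z])\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)")

def kernel_routes_within(route_table, domain):
    """Return the 'K' prefixes from the route table that lie inside the VPN domain."""
    domain_net = ipaddress.ip_network(domain)
    routes = []
    for line in route_table.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group("proto") == "K":
            net = ipaddress.ip_network(m.group("prefix"))
            if net.subnet_of(domain_net):
                routes.append(net)
    return routes

def uncovered_addresses(route_table, domain):
    """Addresses of the domain that none of the injected routes cover (the holes RIM left)."""
    domain_net = ipaddress.ip_network(domain)
    covered = {addr for net in kernel_routes_within(route_table, domain) for addr in net}
    return [str(addr) for addr in domain_net if addr not in covered]

if __name__ == "__main__":
    print(uncovered_addresses(ROUTE_TABLE, "10.248.0.0/24"))  # → ['10.248.0.0', '10.248.0.141']
```

The two uncovered addresses are 10.248.0.0 (the network address) and 10.248.0.141, exactly the interface address the reply asks about; because that one host is cut out, no single /24 route can represent the domain and the kernel ends up with the 14 longest-match pieces shown in the first post.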