This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
NorthernNetGuy
Advisor
‎2024-11-06 09:55 AM

VPN with source-NAT to 3rd party

I'm tryign to set up a VPN tunnel with a 3rd party and want to make sure i'm setting things up and understanding the checkpoint side correctly. The 3rd party provided us with a short list of subents that we can use for encryption domain, so we picked one and are opting to NAT to the desired IP range.

 

encryption domains are as follows (Example IPs):

Local Encryption domain:

Source Subnet: 10.10.1.0/28

Translated Source: 10.20.1.0/28 (using automatic NAT rules for the included host objects)

Peer encryption domain: 10.100.1.0/28

 

With the policy-based vpn (1 tunnel per subnet), do I need to include the original source and the translated source in our encryption domain? if so, does the 3rd party also need to have both included on their side too? and is there a way around this so that the tunnel will be formed without their need of including both?

 

Thank you!

0 Kudos
6 Replies
the_rock
MVP Platinum
MVP Platinum
‎2024-11-06 10:17 AM

I would say yes, you need both in the enc domain. Well, you can test without them including both on their end, but I doubt it may work. Depending on the error you get, you will have a pretty good idea if thats the issue.

Andy

Best,
Andy
Lesley
MVP Gold
MVP Gold
‎2024-11-06 10:32 AM

I would see both real IP and NAT pool in enc domain and the other side should only configure NAT pool. If they also have to add the real IP then there still could be overlap and the NAT is useless 🙂 

-------
Please press "Accept as Solution" if my post solved it 🙂
NorthernNetGuy
Advisor
‎2024-11-06 11:25 AM
In response to Lesley

I agree, I'm hoping thats the correct set up, otherwise I can't use NAT in this method.

I know I need to have the pre-nat IP in our encryption domain, as otherwise the traffic will not use the tunnel. Checkpoint flags the traffic as interesting for the tunnel before it is processed by NAT. 

My Concern is that if I include the pre-nat IP's in our encryption domain, and the 3rd party doesnt, then there might not be an exact match of proposed encryptions domains which could lead to issues. If this is the case then I'd need to find a workaround or different solution.

Right now I have the tunnel up but not getting bi-directional traffic. I also spotted a couple logs that indicated an error of " initial exchange: sending notification t peer: Invalid Key Exchange payload" and am awaiting further information from the 3rd party and have a maintenance call scheduled tomorrow.

the_rock
MVP Platinum
MVP Platinum
‎2024-11-06 11:27 AM
In response to NorthernNetGuy

You can also do basic vpn debug on CP side to see if errors are similar. Im fairly positive it would be related to phase 2.

Andy

Best,
Andy
0 Kudos
Networksecurit1
Explorer
‎2024-12-04 10:07 PM
In response to NorthernNetGuy

Did you get the resolution ?

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2024-11-06 11:12 AM

You need both in YOUR VPN domain on your gateway.  I would suggest using encryption domain per community for this.  The remote peer only needs to use your NAT translated IP/subnet in the VPN domain representing your site.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events