Hi all,
I'm trying to set up a route-based VPN between Check Point R77.30 and a Cisco router, so that traffic from a box behind the Check Point can get to the Internet over the VPN through the remote Cisco router.
My setup is very simple.
First location:
- L1 in VLAN 333 access mode (Linux box with IP 192.168.11.13/24, gw 192.168.11.1 (Cluster IP on Check Point))
- Check Point cluster with outgoing interface VIP 109.233.62.20 (just for testing) on bond0 (nodes 109.233.62.21 and .22), default gw 109.233.62.1
- 192.168.11.1 on bond1.333 (VLAN 333), nodes on 192.168.11.2 and .3
Second location:
Cisco router 7606 with SPA-400/IPSec2G module.
External IP VLAN 2: 185.15.210.41, def gw: .40
Loopback0: 192.168.16.1/24
Tunnel1: ip unnumbered Loopback0
I followed a guide to do it with policy-based routing and a tunnel interface (vpnt1), and it's set up to send all the traffic coming from the 192.168.11.0/24 network on bond1.333 into the vpnt1 interface. Now, I'm getting pings from the L1 box to 192.168.16.1 just fine, so the tunnel works. NAT inside the VPN community is disabled. However, when I try to ping from the L1 box towards 8.8.8.8, packets are not going into the tunnel, it seems. What I see in Log Viewer is that the first ICMP packet is getting into the tunnel; however, the second one is attempted to be sent unencrypted over the bond1.333 interface.
I'm not sure why this is happening; are there any files that need to be edited? I tried to enable/disable implied rules, didn't make much difference. Tried to turn off SecureXL too, nope, didn't help either.
Not getting resolves (DNS) either, btw.
Any ideas?
Thanks in advance.
Best regards,
Michael
P.S. I edited original post and now both replies are gone.
Anyway, I figured it out: in fw monitor the packets are actually in the correct order, so this is OK.
But why it didn't work out: the reason is that the Cisco 7600 series does not have VRF NAT functionality, which is needed in this case. I'll get some other router to play with; I believe this is where the problem is.
Thank you all for replying.
Have you turned off CoreXL (not SecureXL)? Route-based VPN and CoreXL are incompatible in R77.30 and earlier; this limitation was rectified in the R80.10 gateway.
--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com
A very good reason to try this in R80.10 instead of R77.30
I did try to disable CoreXL, rebooted both nodes, didn't change a thing.
R80.10 is definitely on a list for the future, however I cannot do it now.
What's your routing table on the gateway?
Only things the routing table says to go through the VTI will actually be encrypted.
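To illustrate the point made in the last reply (only traffic the routing table sends out the VTI gets encrypted in a route-based VPN), here is an added example that is not part of the thread: a small longest-prefix-match model of the gateway's routing table, built from the addresses and interfaces the original post describes. The "before" table and the "after" table (a default route into vpnt1 plus a host route to the Cisco peer so IKE/ESP still leaves via bond0) are constructed assumptions, not the poster's actual configuration.

```python
# Added example, not from the thread: models the routing decision a gateway
# makes for a route-based VPN. A packet is encrypted only when the lookup
# sends it out the VTI (vpnt1); a packet routed out bond0 leaves in the clear,
# which is the symptom described above (8.8.8.8 never enters the tunnel).
from ipaddress import ip_address, ip_network

VTI = "vpnt1"

# Constructed routing table matching the setup described in the post.
ROUTES_BEFORE = [
    ("0.0.0.0/0",       "109.233.62.1", "bond0"),      # default to the ISP
    ("109.233.62.0/24", None,           "bond0"),
    ("192.168.11.0/24", None,           "bond1.333"),  # L1's VLAN
    ("192.168.16.0/24", None,           VTI),          # remote loopback, via VTI
]

# Constructed fix: send Internet-bound traffic into the VTI, but keep a host
# route to the Cisco peer out bond0 so the tunnel's own IKE/ESP packets do
# not get routed back into the tunnel they are trying to build.
ROUTES_AFTER = [r for r in ROUTES_BEFORE if r[0] != "0.0.0.0/0"] + [
    ("185.15.210.41/32", "109.233.62.1", "bond0"),     # VPN peer stays reachable
    ("0.0.0.0/0",        None,           VTI),         # everything else via VTI
]

def lookup(routes, dst):
    """Longest-prefix match; returns (prefix, nexthop, iface) or None."""
    addr = ip_address(dst)
    best = None
    for prefix, nexthop, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > ip_network(best[0]).prefixlen):
            best = (prefix, nexthop, iface)
    return best

def egress(routes, dst):
    """Interface the packet leaves on, or None if there is no route."""
    r = lookup(routes, dst)
    return r[2] if r else None

def is_encrypted(routes, dst):
    """True only when the routing decision points at the VTI."""
    return egress(routes, dst) == VTI

if __name__ == "__main__":
    for dst in ("192.168.16.1", "8.8.8.8"):
        print(f"{dst:14} before: {egress(ROUTES_BEFORE, dst):10} "
              f"encrypted={is_encrypted(ROUTES_BEFORE, dst)}  "
              f"after: {egress(ROUTES_AFTER, dst):10} "
              f"encrypted={is_encrypted(ROUTES_AFTER, dst)}")
```

Policy-based routing as used in the post can steer packets differently from the static table, so when checking a real gateway compare what fw monitor shows against the actual route lookup rather than this model alone.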