Hi Vladimir,
Thanks for coming back.
The two Check Point gateways are both sitting on two ESXi's independent boxes on the same 'LAN'. I've given the two Check Point devices external IP's and they use RIP routing from the central Cisco router to communicate. So in effect the traffic comes out of the ESXi Ethernet Port, through a Cisco Switch, to a Cisco Router then get pushed back to a second Cisco Switch and two a separate ESXi box which hosts the other 'site' both on separate VLAN's. Therefore if I go out to the actual Internet its double nat'd (at CP and at Cisco Router Internet NAT) however to communicate between the Check Point devices only uses the NAT being done is by the CP GW's themselves which for the internal ranges I've disabled using this:
*This is a network group containing all internal IP ranges for both sites.
Yep both Open Server R80.10.
Both sides are managed using their own local Security Management Server. I know you can do the same type of thing using Interoperable Device however I guessed that if they are both CP's this is the preferred method? My understanding is that Interoperable Device is more for third party devices? Basically I'm trying to simulate what would happen if two companies both with CP GW's needed to bring up a VPN but had their own Admin and Management Server.
To further explain where I'm going, I'm in essence building a Lab to help me prepare for both my upcoming exams and real world situations. I plan on this lab to contain both a internally managed VPN (which I have setup and works perfectly), externally managed CP VPN and a third party Interoperable Device VPN which I plan to use a Juniper SRX to get this up and running. So four sites in total, I have ClusterXL running on the main site with a primary and secondary Security Management Server. I know you have answered a number of my posts on here so far, starting to really get my head around most of it, so again thanks for all your help!
Thanks Again,
Charles
Thanks Vladimir,
I do most my drawings on a white board so I've just quickly knocked up this to hopefully give you a better insight:
Following information is setup on Site01 SMS using information I followed on Site to Site VPN R80.10 Administration Guide :
One thing I didn't fully understand on the guide is this line:
Does this mean to manually define the topology, obviously due to the nature of this setup you are not trusted to 'get' the topology so I done is manually is that correct?
Then I basically replicated this exact setup on Site03 but obviously imported the certificate from Site01 instead of its own Cert. I can show you that as well if it would help please let me know.
Many Thanks for your time once again,
Charles
Hey Vladimir,
Would that be these (sorry not 100% sure where the key exchange messages are..):
Interesting that they send to the destination of the MGMT internal IP or is that because this it the traffic from that IP range to that IP range trying to bring the tunnel up?
Thanks,
Charles
The "Define Topology" for the peer gateway on each site requires you to simply replicate opposite gateway's properties:
on the other site's "Externally Managed Gateway".
!!!Interface names are case sensitive!!!
Would not hurt to include it in the topology, but in the "Encryption Domain" properties on both sites you'll have to exempt it and specify either only your internal networks corresponding to each cluster or the group containing your internal networks.
Also, check at least one of the "Matching Criteria":
on both sides of the tunnel. IP Address seem to be the easiest option.
Just making that change now...
Strange logs keep appearing also like this:
What I find odd is that 1. its not NAT'in that traffic even though the whole 10.1.1.0 range is set to Auto which would make sense over the VPN but then 2. its not trying to send it over the VPN either...
Could these have something to do with it?
Thanks,
Charles
What are the rules in the policy for the site to site communication?
Just screenshot the policy and post it here.
As to NAT between sites, you have explicit:
I've got these rules and NAT on both sides:
And than pretty much exactly the same on the other side.
I used very similar rules as I did for my internally managed Mesh VPN.
Thanks,
Charles
The rabbit hole gets deeper.. Sorry I know I'm spamming you at the minute...
I setup an any any rule for CPD_AMON obviously not best practice but its a lab so...
Afterwards I got three Encrypted Logs:
Then I thought ah its comes up...
Then got an IKE failure no response from peer log:
I've obviously done something very wrong but can't figure out what..
Thanks,
Charles
Right... wasn't getting that before wonder why that certificate is wrong... got something to work on now at least!
Thanks
After some tinkering with the Cert (I guess in a real world you would have a root CA so these Cert's would be fine).. I now have this:
So I have a tunnel up and it appears to be working but SITE03-CP-GW01 shows as a tunnel and is not responding I don't really understand why or what this object is. I'm guessing that the Externally Managed VPN Gateway makes the object like a self contained VPN but either way that isn't working.
I'm also a bit confused by having to open up the CPD_AMON all over my security policy first I have to put it in my main policy access rules and then before my Stealth rule after the VPN came up to stop those rejected/drop logs from appearing constantly. Surely this is not right to have to open this up quite so much as it would be a security risk?
Thanks for all your help Vladimir and on a Saturday as well what a hero,
Charles
Just on SmartView Monitor on both sides I see the object as a VPN Tunnel stating its not responding still... little bit odd but not a massive problem..
Ok so I've removed all rules for CPD_AMON and disabled implied logging (forgot I turned that on Doh!) tunnel is still up and your right those rejected/denied logs have gone it is an implied rule or some sort.
Thanks Vladimir
"Obtain the certificate of the CA that issued the certificate for the peer VPN Security Gateways"
The issuer CA being peer's management server.
In my case:
Subject: CN=GW8010 VPN Certificate,O=SMS8010..bhska4
Issuer: O=SMS8010..bhska4
Not Valid Before: Tue Sep 19 13:51:38 2017 Local Time
Not Valid After: Mon Sep 19 13:51:38 2022 Local Time
Serial No.: 18621
Public Key: RSA (2048 bits)
Signature: RSA with SHA256
Subject Alternate Names:
IP Address: 192.168.7.31
To get the certs of the CAs on each side:
Add these to each peer's trusted CA list.
Just to be more clear...here a schematic of the architecture.... sorry but I have deleted some information from the schema
How you will configure the external gateway on dashboard for this configuration in order to permit also tunnel_test packets?
Should I need to configure the gateway with the public IP (80.x.x.x) or private/after nat IP (192.168.x.1)? I know that in the topology I should set the real IPs?
| User | Count |
|---|---|
| 6 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 2 | |
| 2 |
Tue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topThu 07 Nov 2024 @ 05:00 PM (CET)
What's New in CloudGuard - Priorities, Trends and Roadmap InnovationsTue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaS
