Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Equipe_Reseau2
Participant

Route-based VPN issue with DAIP third party device (Cisco 1921)

Hello,

I've configure one of my CP cluster to do route-based VPN instead domain-based.

A ticket is open but it seems CP don't really understand the issue.

 

So my configuration is:

- Cluster CP (OpenServer) R80.10 Take 214

- Cisco 1921 IOS 15.5 (4G modem with IPSec support APN/public IP)

 

My need is a route-based VPN between my Cluster and this router. 

My issue is: all is working fine if i set the public IP for this third party device, GRE over IPsec is working fine. If i set this object in DAIP, with wan interface configured as Dynamic IP in its topology, IPsec tunnel is up but there is no GRE traffic inside. 

On the CP log tracker, the "VPN peer Gateway" field have the right name (rt-lte-xxx) and public IP when i set public IP on the object, but in DAIP mode, only 0.0.0.19 is visible, nothing else.

I think Checkpoint can't retrieve the object name/dynamic IP address when packet is routing thought VTI interface.

Anyone here is able to route-based VPN trafic with Third party object in DAIP mode?

 

Thanks. 

 

4 Replies
PhoneBoy
Admin
Admin

I assume if you're doing DAIP that you're authenticating with certificates.
Have you done any debugging or opened a TAC case?
Equipe_Reseau2
Participant

Hi,

Yes i use certificate, it works fine. As i explain, if i set the third party device on public fixed IP, it works fine.

I had only one session with Checkpoint support but the technician (couldn't be an engineer), first told me that GRE is not supported by Checkpoint, he don't know the route-based VPN is IPsec over GRE. 

IPsec debug don't give anything as this layer works fine.

If you have some command for debugging GRE in Checkpoint, i take it !

 

Thanks.

0 Kudos
G_W_Albrecht
Legend
Legend

0 Kudos
Equipe_Reseau2
Participant

Update: a TAC is open since September, the issue has not been understood by level 1 technicien during more than two month, an escalation was impossible, i was upset...
Now, after 3 month, i received a 1st fix, doesn't worked. I've done a lot of debug with script provided by CP, i'm waiting some news...
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events