Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Thiago_Mourao
Employee Alumnus
Employee Alumnus

How to configure VPN Remote Access on non-default Internet Link

Security Engineering Brazil

April, 2020

Version 02

 

Author:

Thiago Mourao, SE and Cyber Security Evangelist

 

Revision:

Henrique Moises, SE

 

Contents

How to configure VPN Remote Access on non-default Internet Link

Objective

Know Limitation and Requirements

Topology

Scripts

Step by Step

 

Objective

Configure Remote Access to respond for non-default Internet Link.

As default configuration, when the first packet arrives from the non-default internet link, gateway will check its routing table and will reply those packets using the default route and after that the packets will be sent to the interface where the default route is configured. In many cases, those packets will be blocked by the next hop due to Out of State (SYN-ACK without SYN) or due to ingress routing filter that will check that the source do not belong to that route/network.

PS: In a specific scenario this configuration might work with no further actions needed. In this scenario, the primary ISP link do not check Stateful Inspection or dot have Ingress Routing Filter to block spoofing/DDoS attacks, so in that case the security level is going to be lower, hence not recommended.

 

Know Limitation and Requirements

  • I have used static-route on this example instead of PBR that would be a more granular way to be done
  • I have used a wrapper for cprid_util created by @HeikoAnkenbrand  (HeikoAnkenbrand) on his article on Check Mates called “GAIA - Easy execute CLI commands from management on gateways” (https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/GAIA-Easy-execute-CLI-commands-fr...) to execute command on gateway from the SMS
  • For this PoC we assume that you already have configured a gateway with 2 (two) internet links where the first one is the default route and the second one is a backup link
  • For this PoC we assume that you already configured Remote Access VPN (IPsec or Mobile Access) to respond with the IP of the secondary internet link

 

Topology

In this lab we are using R80.40 on both Security Gateway and Manager, and they were virtualized on VMware Workstation 12.

Virtual Environment:

  • 1 x Check Point Gateway R80.40
  • 1 x Check Point Manager R80.40
  • 1 x Microsoft Windows Server 2012 R2
  • 1 x Windows 7 Ultimate
  • 4 x Virtual Routers (VyOS)

Host Environment:

  • 1 x Notebook (Windows Professional) with VMWare Workstation 12

NAT:

  • In this topology, Router RT_301 is doing source NAT FROM: 192.168.250.1 TO: 200.251.0.1

 

Topology.png

Scripts

FirstTimeSetup.sh

This script will prepare the environment to be run for the first time.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/.CPprofile.sh
#Script Directory
EXECDIR="/home/admin/VPNSecondaryLink"
#User that will Execute the Scripts and Cron Job
EXECUSER="admin"

echo "First time setup"
echo "Creating all files and Gaia configuration"

echo "Creating Directories"
mkdir $EXECDIR
mkdir $EXECDIR/log
mkdir $EXECDIR/tmp


echo "Creating Files"
touch $EXECDIR/CronJob_VPNSecondaryLinkCleanUp.sh
touch $EXECDIR/VPNSecondaryLinkCleanUp.sh
touch $EXECDIR/VPNSecondaryLink_alert.sh
touch $EXECDIR/log/CronJob_VPNSecondaryLinkCleanUp.sh.log
touch /var/log/VPNSecondaryLink_alert.log

echo "Creating Symbolic Links"
ln -s /var/log/VPNSecondaryLink_alert.log $EXECDIR/log/VPNSecondaryLink_alert.log
ln -s $EXECDIR/VPNSecondaryLink_alert.sh $FWDIR/bin/VPNSecondaryLink_alert

echo "Copying Scripts to $EXECDIR"
cp ./CronJob_VPNSecondaryLinkCleanUp.sh $EXECDIR/CronJob_VPNSecondaryLinkCleanUp.sh
cp ./VPNSecondaryLink_alert.sh $EXECDIR/VPNSecondaryLink_alert.sh

echo "Changing Owner and Group"
chown $EXECUSER:bin $EXECDIR/CronJob_VPNSecondaryLinkCleanUp.sh
chown $EXECUSER:bin $EXECDIR/VPNSecondaryLink_alert.sh
chown $EXECUSER:bin $FWDIR/bin/VPNSecondaryLink_alert.sh

echo " Changing Permission"
chmod 760 $EXECDIR/CronJob_VPNSecondaryLinkCleanUp.sh
chmod 760 $EXECDIR/VPNSecondaryLink_alert.sh
chmod 760 $FWDIR/bin/VPNSecondaryLink_alert.sh

echo "Lock Database Override"
clish -c "lock database override"
echo "Adding Daily Based Recurrence for CronJob_VPNSecondaryLinkCleanUp at Cron Job to 2:00am"
clish -c 'add cron job VPNSecondaryLinkCleanUp command "/home/admin/VPNSecondaryLink/CronJob_VPNSecondaryLinkCleanUp.sh >> /home/admin/VPNSecondaryLink/log/CronJob_VPNSecondaryLinkCleanUp.sh.log 2>&1" recurrence daily time 2:00'
echo "Saving clish configuration"
clish -c "save config"

 

VPNSecondaryLink_alert.sh

This Script will be called by the Track field of the  rule created in the SmartConsole, then the output is being parsed, creating the static route based on the source IP of the packet that hit the rule

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/.CPprofile.sh
#Script Directory
DIR="/home/admin/VPNSecondaryLink"
#User that will Execute the Scripts and Cron Job
EXECUSER="admin"

#Jump to Script Directory
cd $FWDIR/bin

#Global Variable
gateway_ip="10.0.50.100"
secondary_gw="200.200.0.102"
raw_pbr_error=0
error_msg1="Error: Object Name pattern founded on multiple Host Objects"
error_msg2="Error: Static Route alreded configure"
error_msg3="Error: Rule Name do not match"
error_msg4="Error: Object not found on management Database"
error_msg5="Error: Route Already Inserted on CleanUp Script"

echo "#### Executing VPNSecondaryLink_alert at $(date -u) ####"
[ $raw_pbr_error -gt 0 ] || {

echo "Reading input from rule"
read input
#echo "Troubleshooting enabled"
#echo $input > $DIR/tmp/VPNSecondaryLink_alert_tr.log
echo "Parsing Source Object Name"
echo "Checking if Source is using Object Name"
raw_src_name=$(echo $input | sed -n 's/.* src: \(.*\); dst: .*/\1/p')
#echo "variavel raw_src_name=$raw_src_name"
echo "Checking if Source is using IP"
raw_src_ip=$(echo "$input" | grep -o -P '.{0,5}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)' | grep src | sed -n 's/^src: \(.*\)/\1/p' )
#echo "variavel raw_src_ip=$raw_src_ip"
firstocteto=$(echo "$raw_src_ip" | sed -n 's/\(^[[:digit:]]*\)\..*\..*\..*/\1/p')
#echo "variavel firstocteto=$firstocteto"
if [ -z $firstocteto ] || [ $firstocteto -gt 223 ]; then
echo "Cannot match with IP parsing... Trying to find IP on Management Object Database"
raw_src_ip=$(mgmt_cli -r true show objects limit 2 offset 0 order.1.ASC "name" in.1 "name" in.2 "$raw_src_name" order.2.DESC "objId" type "host" --format json | jq '.objects[]."ipv4-address"')
if [ -z $raw_src_ip ] ; then
echo $error_msg4;
raw_pbr_error=1;
exit 1;
elif [ $(echo "$raw_src_ip" | wc -l) -gt 1 ] ; then
echo $error_msg1;
raw_pbr_error=1;
exit 1;
else
echo "IP Founded"
raw_src_ip=$(echo "$raw_src_ip"| tr -d \");
echo "Source IP: $raw_src_ip"
fi
else
echo "IP has no object in Database, using IP from Log"
echo "Source IP: $raw_src_ip"
fi
echo "Parsing Destination Object Name"
raw_dst_ip=$eth1
echo "Destination IP: $raw_dst_ip"
echo "Check if Route already exist"
if [ $(/usr/local/bin/g_cli 10.0.50.100 show configuration static-route | grep "$raw_src_ip" | wc -l) -gt 0 ] ; then
echo $error_msg2;
raw_pbr_error=1;
exit 0;
else
touch $DIR/VPNSecondaryLinkCleanUp.sh
chmod +x $DIR/VPNSecondaryLinkCleanUp.sh
echo "Creating Routing for $raw_src_ip/32"
/usr/local/bin/g_cli $gateway_ip "set static-route $raw_src_ip/32 nexthop gateway address $secondary_gw on"
echo "Checking file VPNSecondaryLinkCleanUp.sh"
if [ $(cat /tmp/VPNSecondaryLinkCleanUp.sh | grep $raw_src_ip | wc -l ) -gt 0 ] ; then
echo $error_msg5;
raw_pbr_error=1;
exit 1;
else
echo "Adding new route to VPNSecondaryLinkCleanUp.sh"
echo "/usr/local/bin/g_cli $gateway_ip set static-route $raw_src_ip/32 off" >> $DIR/VPNSecondaryLinkCleanUp.sh
fi
fi
echo "#### End of Execution of VPNSecondaryLink_alert at $(date -u) ####"
echo -e '\n\n'
exit 1;
}

 

CronJob_VPNSecondaryLinkCleanUp.sh

This script will be executed by the Job called VPNSecondaryLinkCleanUp on Crontab to backup current VPNSecondaryLinkCleanUp.sh to save for historical purpose and run the current VPNSecondaryLinkCleanUp.sh to Clean Up the routing table every day.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/.CPprofile.sh
#Script Directory
DIR="/home/admin/VPNSecondaryLink"
#User that will Execute the Scripts and Cron Job
EXECUSER="admin"

#Jump to Script Directory
cd $DIR
touch $DIR/VPNSecondaryLinkCleanUp.sh
if [ $(cat $DIR/VPNSecondaryLinkCleanUp.sh | wc -l ) -gt 0 ] ; then
echo "Coping old VPNSecondaryLinkCleanUp to TMP Diretory for historical purpose"
cp $DIR/VPNSecondaryLinkCleanUp.sh $DIR/tmp/VPNSecondaryLinkCleanUp-$(date +%s).txt
echo "Executing VPNSecondaryLinkCleanUp.sh to CleanUp Routes"
$DIR/VPNSecondaryLinkCleanUp.sh
echo "Erasing Old VPNSecondaryLinkCleanUp.sh"
> $DIR/VPNSecondaryLinkCleanUp.sh
else
echo "Current VPNSecondaryLinkCleanUp.sh is already empty. No routes to be cleaned"
fi

 

Step by Step

  • Copy the 3 (three) scripts to the Manager Server (SMS)

Thiago_Mourao_1-1586956223939.png

  • Change permission of “FirstTimeSetup.sh”

Thiago_Mourao_2-1586956223941.png

[Expert@Management:0]# chmod 760 FirstTimeSetup.sh
[Expert@Management:0]# ls –l FirstTimeSetup.sh

  • Execute the “FirstTimeSetup.sh”

Thiago_Mourao_3-1586956223943.png

[Expert@Management:0]# ./FirstTimeSetup.sh

  • Check if CRON JOB was created

Thiago_Mourao_4-1586956223947.png

[Expert@Management:0]# more /var/spool/cron/admin

  • Create an Access Control Rule with the following pattern:

From: ANY

To: IP_of_the_Backup_Interface (My Example: 200.200.0.100)

Services: HTTP and HTTPS

Action: Permit

Track: Log / Alert:User Alert 1

Thiago_Mourao_5-1586956223952.png

Thiago_Mourao_6-1586956223952.png  Thiago_Mourao_7-1586956223953.png  Thiago_Mourao_8-1586956223953.png  Thiago_Mourao_9-1586956223954.png  Thiago_Mourao_10-1586956223955.png

Thiago_Mourao_11-1586956223955.png

Thiago_Mourao_12-1586956223957.png

  • Check the Alert Commands Parameters on Global PropertiesLog and AlertAlerts:
    • “Send user Defined alert no. 1 to SmartView Monitor”
    • “Run UserDefined script”
      • VPNSecondaryLink_alert >> /var/log/VPNSecondaryLink_alert.log 2>&1 

Thiago_Mourao_13-1586956223963.png

  • Creating a VPN on Remote Client using IP from the non-default interface (Ex.: Eth1 – 200.200.0.100)

Thiago_Mourao_14-1586956223970.png  Thiago_Mourao_15-1586956223977.png

Thiago_Mourao_16-1586956223982.png  Thiago_Mourao_17-1586956223987.png

Thiago_Mourao_18-1586956223992.png  Thiago_Mourao_19-1586956224001.png

  • Connecting to the VPN

Thiago_Mourao_20-1586956224011.png  Thiago_Mourao_21-1586956224018.png

  • Checking if Remote Client connected successfully and got Office Mode IP from the Pool

Thiago_Mourao_22-1586956224020.png

  • Checking access to internal resource (Ex.: Ubuntu Server 01)

Thiago_Mourao_23-1586956224045.png

PS: This page was created to check de IP address from Client

PPS: This is the server called Ubuntu Server 01 and its private IP is 10.100.0.101

  • Checking on the VPNSecondaryLink_alert.log file to see if the scripts are running

Thiago_Mourao_24-1586956224049.png

[Expert@Management:0]# tail –f log/VPNSecondaryLink_Alert.log

PS: There is a symbolic link on $EXECDIR/log/ VPNSecondaryLink_alert.log. The original file was created on /var/log/VPNSecondaryLink_alert.log

  • Checking the Behavior

You can see on fw monitor output that VPN Client started to send packets to 200.200.0.100 that arrived on interface Eth1 and the gateway Gw-01 responded those packets through interface Eth0. Due to Stateful Inspection on route RT_101, packets were drop and never reach the VPN Client.

Thiago_Mourao_25-1586956224054.png

When the script run a static route is inserted and then packets from gateway Gw-01 to the IP 200.250.0.1 started to be routed through interface Eth1.

Thiago_Mourao_26-1586956224056.png

After responding to TCP 80 (HTTP), visitor mode could be reached creating the site on the VPN Client.

Thiago_Mourao_27-1586956224059.png

  • Checking the new routing table on gateway

Thiago_Mourao_28-1586956224062.png

Gw-01> show configuration static-route

  • Running the Clean Up Script (CronJob_VPNSecondaryLinkCleanUp.sh)

Thiago_Mourao_29-1586956224063.png

[Expert@Management:0]# ./CronJob_VPNSecondaryLinkCleanUp.sh

 

5 Replies
_Val_
Admin
Admin

Great stuff, @Thiago_Mourao ! Well done!

0 Kudos
Thiago_Mourao
Employee Alumnus
Employee Alumnus

Thanks Loukine!
0 Kudos
Braden_Bersik
Participant

Could Policy-Based Routing be used to accomplish the same goal?

0 Kudos
KostasGR
Advisor

There is limitation between PBR and Remote Access VPN/S2S VPN...

0 Kudos
Martin_Hofbauer
Contributor
Contributor

Thank you for this nice set of scripts + documentation!

I found some flaws:
a) all provided scripts are not FW version independent:  use /opt/CPshared/5.0/tmp/.CPprofile.sh to  source the environment variables
b) FirstTimeSetup.sh : in this script you create a symbolic link to $FWDIR/bin/VPNSecondaryLink_alert
    but later on you  refer  to $FWDIR/bin/VPNSecondaryLink_alert.sh ( see lines with "chown" and "chmod")

c) /usr/local/bin/g_cli (from Wolfgang) does not find all gateway IPs (line range too narrow with grep, Fix: use "grep -A 25"  )

d) there is no hint about ISP redundancy feature - typically customers are using this feature, too - when having two ISP links.

An additional objective for this subject is ,that users have only 1 VPN RA site created, but if the primary IP/link goes down, it should use the second link ( failover to the secondary link automatically) - like MEP is working, (when having more than 1 GW )

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events