This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Equipe_Reseau2
Participant
‎2019-09-18 05:25 AM

Route-based VPN issue with DAIP third party device (Cisco 1921)

Hello,

I've configure one of my CP cluster to do route-based VPN instead domain-based.

A ticket is open but it seems CP don't really understand the issue.

 

So my configuration is:

- Cluster CP (OpenServer) R80.10 Take 214

- Cisco 1921 IOS 15.5 (4G modem with IPSec support APN/public IP)

 

My need is a route-based VPN between my Cluster and this router. 

My issue is: all is working fine if i set the public IP for this third party device, GRE over IPsec is working fine. If i set this object in DAIP, with wan interface configured as Dynamic IP in its topology, IPsec tunnel is up but there is no GRE traffic inside. 

On the CP log tracker, the "VPN peer Gateway" field have the right name (rt-lte-xxx) and public IP when i set public IP on the object, but in DAIP mode, only 0.0.0.19 is visible, nothing else.

I think Checkpoint can't retrieve the object name/dynamic IP address when packet is routing thought VTI interface.

Anyone here is able to route-based VPN trafic with Third party object in DAIP mode?

 

Thanks. 

 

4 Replies
PhoneBoy
Admin
Admin
‎2019-09-19 07:43 PM

I assume if you're doing DAIP that you're authenticating with certificates.
Have you done any debugging or opened a TAC case?
Equipe_Reseau2
Participant
‎2019-09-19 11:06 PM
In response to PhoneBoy

Hi,

Yes i use certificate, it works fine. As i explain, if i set the third party device on public fixed IP, it works fine.

I had only one session with Checkpoint support but the technician (couldn't be an engineer), first told me that GRE is not supported by Checkpoint, he don't know the route-based VPN is IPsec over GRE. 

IPsec debug don't give anything as this layer works fine.

If you have some command for debugging GRE in Checkpoint, i take it !

 

Thanks.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2019-09-20 12:00 AM
In response to Equipe_Reseau2

This is documented in sk92845: Can users create a GREtunnel on Gaia OS?

 (but see also sk90060: GREtunnel stops working inside a Site-to-Site VPN tunnel established with Check Point clust...

and sk157893: Check Point recommendations for tunneling through IPsec instead of GRE)

The main GRE performance disadvantages can be found in sk32578: SecureXL Mechanism and sk105119: Best Practices - VPN Performance.

 

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Equipe_Reseau2
Participant
‎2019-12-17 06:39 AM
In response to G_W_Albrecht

Update: a TAC is open since September, the issue has not been understood by level 1 technicien during more than two month, an escalation was impossible, i was upset...
Now, after 3 month, i received a 1st fix, doesn't worked. I've done a lot of debug with script provided by CP, i'm waiting some news...
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events