Dmitryfd
Explorer

VPN tunnel does not ping the address

Good afternoon friends.

Tell me please, I have checkpoint 1590 under local control. I set up a vpn tunnel with the address, the tunnel is active, but after that this address is not pinged and the tracert command does not work.
What else do I need to do to get access to the desired address.
Grateful for any help

0 Kudos
30 Replies
PhoneBoy
Admin
Admin

What is your precise configuration?
Please provide descriptions (with screenshots) and a basic network diagram.

0 Kudos
the_rock
Legend
Legend

We definitely need some more info...please provide IP in question, basic routing, config, maybe as @PhoneBoy asked, also network diagram would help (even something in MS paint).

Andy

0 Kudos
Dmitryfd
Explorer

My external address is (for example) 194.1.1.1, the tunnel is set from 86.1.1.1, the internal address of the desired network is 172.17.0.0 in the tunnel settings, on the other hand my network is 192.168.1.0. There is no ping. I turn off the tunnel - there is a ping on 86.1.1.1. I allow the addresses 86.1.1.1 and 172.0.0.0 in the policies - there is no ping.

0 Kudos
PhoneBoy
Admin
Admin

What shows up in the logs when you attempt to do this ping?
Have you done any troubleshooting with tcpdump and similar to see if traffic is actually being encrypted and sent to the remote end?

Precise configuration steps taken (with screenshots) would go a long way towards helping you solve the issue.

0 Kudos
Dmitryfd
Explorer

When I ping 172.17.0.172, the log is empty.
Can you write the exact tunnel setup to get from the network 192.168.1.0 to 172.17.0.0?

0 Kudos
Dmitryfd
Explorer

I did everything in your link, but it still doesn't work.
I have in the device-routing section - when creating a new route, the next hop vti (tunnel) is not active.

Is this normal?

0 Kudos
PhoneBoy
Admin
Admin

What is the remote end of the VPN in this case?
What precisely (with screenshots) have you configured on your end?
If you don't want to share this publicly, I recommend working with our TAC.
Also, for debugging, see: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Dmitryfd
Explorer

On my side, a tunnel is configured to address 194.1.1.1. Its internal network is 172.17.0.0. On its side is my address 86.1.1.1, and my internal network is 192.168.0.0. In the tunnel settings, ipsec is specified - the tunnel is active.
But there is no ping to the address 194.1.1.1; I turn off the tunnel - there is a ping.
In the policies I allowed everything to the addresses 194.1.1.1 and 172.17.0.0.
What else needs to be done?

0 Kudos
Blason_R
Leader
Leader

I am sorry I have not looked up the entire configuration, but are you trying to ping the peer IP from your firewall which is establishing a VPN tunnel? If so, then you won't be able to, as a design. You can probably exclude echo-request from the VPN community and try?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Dmitryfd
Explorer

my configuration


0 Kudos
Blason_R
Leader
Leader

Yes - it won't be able to ping the peer IP address for VPN.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Dmitryfd
Explorer

Why? Please tell me the solution.

0 Kudos
Blason_R
Leader
Leader

As I said, you can create a custom tunnel with crypt.def and exclude the peer IP, since this is a known and documented solution, or exclude echo-request from the tunnel, but this way no one will be able to ping through the tunnel.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
PhoneBoy
Admin
Admin

We automatically include the Peer IP as part of the encryption domain on our end.
It’s covered in scenario 3 here: https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eve...

If this SMB device is self-managed, you can apply the same fix.
However, getting it to be effective will mean making a change to the access policy or forcing it via the CLI (forget the exact command for this).

0 Kudos
the_rock
Legend
Legend

Just curious, what happens if you trace route to that IP? Does it even take any hops? If you say it works without VPN, can you send us the path you get?

0 Kudos
Blason_R
Leader
Leader

Yes, that is right!! It never goes out. It drops the connection.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Dmitryfd
Explorer

I ask you to be condescending, I'm just starting to master Checkpoint 1590.

Tell me what exactly I need to do to set it up, step by step?

0 Kudos
the_rock
Legend
Legend

Hey @Dmitryfd ,

No one is condescending, we are simply doing our best to help you. @Blason_R actually gave a good suggestion. I believe he was referring to the article below:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

But, can you please answer what I asked before if you don't mind? It would be good if we could see the trace route to that external IP through the tunnel and when it works.

Andy

0 Kudos
Blason_R
Leader
Leader

@the_rock has given the correct link and @Dmitryfd, as I said, unfortunately it's not possible without those efforts. I am not sure how you exclude the IP address from the community the way we do it on the mgmt server. I used to do it the same way: exclude the echo-request from the VPN community and then PING; if that succeeds, then add it to the community again.

Or here is one more trick. NAT the traffic going to the PEER IP address behind another IP and you should be able to ping the Peer IP like this:

Let's suppose your encryption domain is 10.1.1.0/24

FW IP is 1.1.1.1

Peer IP is 2.2.2.2

Then NAT one of the IPs from 10.1.1.0, like 10.1.1.100, behind 1.1.1.2 - since now 1.1.1.2 and 2.2.2.2 are not part of the VPN tunnel, you should be able to ping from the encryption domain.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
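To make the reasoning in the replies above concrete, here is an added example (not code from Check Point or from any poster in this thread) that models the three workarounds discussed: the gateway automatically placing both peer IPs in the encryption domains (PhoneBoy's point), excluding echo-request from the community, excluding the peer IP from the domain (the crypt.def approach), and Blason R's hide-NAT trick. The addresses 10.1.1.0/24, 1.1.1.1, 2.2.2.2 and 1.1.1.2 are taken from the post above; 172.17.0.0 and 172.17.0.172 come from earlier in the thread. The `VpnSelector` class, the `classify` function and the assumption that hide NAT is applied before the VPN domain match are all constructed for this illustration; this is a simplified selector model, not Check Point's policy engine.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VpnSelector:
    """Simplified model of site-to-site VPN traffic selection, constructed for
    this thread. It is NOT Check Point's policy engine; it only reproduces the
    behaviour the posts describe: the gateway adds both peer IPs to the
    encryption domains, so traffic to the peer IP is pushed into the tunnel."""
    local_nets: list            # local encryption domain, e.g. ["10.1.1.0/24"]
    remote_nets: list           # peer's encryption domain
    local_gw_ip: str            # this gateway's external IP
    peer_ip: str                # remote gateway's external IP
    include_peers_in_domain: bool = True   # default behaviour PhoneBoy describes
    exclude_icmp_echo: bool = False        # "exclude echo-request from the community"
    # Hide-NAT rules (src_net, dst_net, hide_ip); assumed (for this model) to be
    # applied before the VPN domain match, as Blason R's trick relies on.
    hide_nat: list = field(default_factory=list)

    def _domain(self, nets, gw_ip):
        domain = [ipaddress.ip_network(n) for n in nets]
        if self.include_peers_in_domain:
            domain.append(ipaddress.ip_network(f"{gw_ip}/32"))
        return domain

    @staticmethod
    def _matches(addr, nets):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in nets)

    def _apply_hide_nat(self, src, dst):
        # First matching rule wins; rules are scoped to a destination so that
        # only peer-bound traffic leaves the encryption domain.
        for src_net, dst_net, hide_ip in self.hide_nat:
            if self._matches(src, [ipaddress.ip_network(src_net)]) and \
               self._matches(dst, [ipaddress.ip_network(dst_net)]):
                return hide_ip
        return src

    def classify(self, src, dst, service):
        """Return (verdict, effective_src): 'encrypt' if the packet would be sent
        through the tunnel, 'clear' if it leaves the gateway unencrypted."""
        eff_src = self._apply_hide_nat(src, dst)
        if self.exclude_icmp_echo and service == "icmp-echo":
            return "clear", eff_src
        local_ok = self._matches(eff_src, self._domain(self.local_nets, self.local_gw_ip))
        remote_ok = self._matches(dst, self._domain(self.remote_nets, self.peer_ip))
        return ("encrypt" if local_ok and remote_ok else "clear"), eff_src


def thread_scenarios():
    """Run the configurations discussed in the thread against the same pings."""
    base = dict(local_nets=["10.1.1.0/24"], remote_nets=["172.17.0.0/16"],
                local_gw_ip="1.1.1.1", peer_ip="2.2.2.2")
    default = VpnSelector(**base)
    hide_nat = VpnSelector(**base, hide_nat=[("10.1.1.100/32", "2.2.2.2/32", "1.1.1.2")])
    no_echo = VpnSelector(**base, exclude_icmp_echo=True)
    peer_excluded = VpnSelector(**base, include_peers_in_domain=False)
    host, peer, remote_host = "10.1.1.100", "2.2.2.2", "172.17.0.172"
    return {
        # As posted: a ping to the peer IP is pulled into the tunnel (the failing case)
        "default_ping_peer": default.classify(host, peer, "icmp-echo")[0],
        "default_ping_remote_host": default.classify(host, remote_host, "icmp-echo")[0],
        # NAT trick: only the peer-bound traffic leaves the domain; the rest still encrypts
        "nat_ping_peer": hide_nat.classify(host, peer, "icmp-echo"),
        "nat_ping_remote_host": hide_nat.classify(host, remote_host, "icmp-echo")[0],
        # Excluding echo-request: the peer is pingable, but nothing else can be pinged through the tunnel
        "no_echo_ping_peer": no_echo.classify(host, peer, "icmp-echo")[0],
        "no_echo_ping_remote_host": no_echo.classify(host, remote_host, "icmp-echo")[0],
        "no_echo_tcp_remote_host": no_echo.classify(host, remote_host, "tcp/22")[0],
        # Peer IP excluded from the domain (crypt.def approach): only peer-bound traffic is affected
        "peer_excluded_ping_peer": peer_excluded.classify(host, peer, "icmp-echo")[0],
        "peer_excluded_ping_remote_host": peer_excluded.classify(host, remote_host, "icmp-echo")[0],
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:32} {verdict}")
```

The model makes the trade-offs visible: excluding echo-request clears every ping, including those to hosts behind the tunnel, whereas the destination-scoped hide NAT and the peer-IP exclusion only change the verdict for packets addressed to the peer itself.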
the_rock
Legend
Legend

Good point indeed. Something slightly unrelated, but a pretty cool feature in R81.20.

Screenshot_1.png

0 Kudos
the_rock
Legend
Legend

Something came to my mind about this...apologies, I don't deal with those SMB appliances much, so forgive me for my ignorance, but I wonder if it gives you the ability to create groups with exclusions that you can use as the enc domain? If so, I have a good feeling that may work.

0 Kudos
Dmitryfd
Explorer

Gentlemen, unfortunately, my knowledge does not allow me to quickly and fully implement all the tips immediately.
Thank you for your help. I will study your answers.
Thanks again.

0 Kudos
the_rock
Legend
Legend

Message me, let's do a quick remote session, I will help you.

0 Kudos
Dmitryfd
Explorer

How can you connect?
Maybe through AnyDesk?

0 Kudos
the_rock
Legend
Legend

I don't like using AnyDesk, sorry, it's not software I trust. Zoom or Webex is fine.

0 Kudos
Dmitryfd
Explorer

Do you offer video conferencing connection?

0 Kudos
the_rock
Legend
Legend

Why can't we simply do Zoom or Webex? We don't need video conferencing lol

0 Kudos
Dmitryfd
Explorer

Provide a link to the Webex client?

0 Kudos