IPSec S2S: NON-RFC1918 network behind tunnel endpoint

Hello Folks,

The following questions may be pretty simple, but I'm kind of struggling to figure out a "lowest common denominator" for googling this subject.

My setup:

I have an IPsec tunnel between a Check Point 1430 (see below) and an interop device. The remote site is not under my control and uses a non-RFC1918 network behind the remote tunnel endpoint:

( [my CP] ---WAN-IP---===== ipsec ====---WAN-IP---[rem. INTEROP] (NON-RFC1918 as private network)

I just configured this non-RFC1918 network (a public /24 IP subnet) as (only) part of the encryption domain.

  • The tunnel is active.
  • Traffic (e.g. ICMP) can be sent from the remote site to my site, and the echo reply reaches the remote site.
  • No traffic can be initiated from my site to the remote site (no reply) - the tunnel is still active.

My assumption:

My assumption is that Check Point just sees traffic for a public network and routes it to an interface with a public IP address or via the default route, but not into the tunnel.

My questions:

  • Is this assumption somehow correct? If not - how is it done?
  • show route all does not show any routes for VPNs (networks behind tunnels). This seems to be normal for CP. Is there another command for viewing routes in conjunction with VPN sites, or how is this meant to be done?

Thanks in advance.

Appliance: Check Point 1430 Appliance
Security Management: Locally managed
Version (Firmware): R77.20.40 (990171107)

2 Replies

VPN routing happens in the kernel, and it's not going to show up in the routing table unless you're using route-based VPNs.

You can use the CLI command vpn tu to see what tunnels are actually up and active.

The fact you're able to receive VPN traffic suggests at least part of the configuration is right.

My guess is that the traffic being NATted is also being subject to address translation out of the external interface.

Since that IP is not likely in the encryption domain configuration on the remote end, the traffic is being dropped.

In which case, you'll want to put in a manual NAT rule to disable NAT when connecting to that remote subnet.


I'm not sure if I got you right, but I created a manual SNAT rule that hides traffic to the non-RFC1918 network behind the tunnel behind an arbitrary address from the local network on my site. Things are flying.

Thanks for your input Dameon!
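To make the interaction between the NAT rulebase and the encryption domain concrete, here is a small Python model added by the editor. It is not Check Point code and does not use the thread's real addresses; it follows the explanation given in the reply (the source address is translated first, and the peer only accepts tunnelled packets whose post-NAT source lies inside the domain it has configured for us) and compares three constructed NAT rulebases: hide-NAT behind the external address only, the manual no-NAT rule suggested in the reply, and the "hide behind an address from the local LAN" rule the original poster ended up using. All addresses are RFC1918 or documentation ranges picked for the example; the rule ordering and the two-step decision are a deliberate simplification of what the gateway really does.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed topology for illustration only (not the addresses from the thread).
LOCAL_LAN = ipaddress.ip_network("192.168.10.0/24")    # our RFC1918 LAN = our encryption domain
LOCAL_WAN = ipaddress.ip_address("203.0.113.5")        # our external (WAN) address, TEST-NET-3
REMOTE_NET = ipaddress.ip_network("198.51.100.0/24")   # remote public /24 behind their gateway, TEST-NET-2
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class NatRule:
    """One row of a source-NAT rulebase: match on original src/dst, optionally rewrite src."""
    orig_src: ipaddress.IPv4Network
    orig_dst: ipaddress.IPv4Network
    xlate_src: Optional[ipaddress.IPv4Address]   # None means "no NAT": keep the original source


def apply_nat(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
              rules: List[NatRule]) -> ipaddress.IPv4Address:
    """Top-down, first match wins; a packet matching no rule keeps its source."""
    for rule in rules:
        if src in rule.orig_src and dst in rule.orig_dst:
            return src if rule.xlate_src is None else rule.xlate_src
    return src


def classify(src: str, dst: str, rules: List[NatRule],
             our_domain=LOCAL_LAN, remote_domain=REMOTE_NET) -> str:
    """Outcome for a locally initiated packet in this simplified model.

    Returns "clear" (ordinary routed traffic), "tunnel" (selectors agree on both
    ends, so the packet is encrypted and answered) or "dropped-by-peer" (our tunnel
    is up, but the translated source is outside the domain the peer has for us, so
    the far side never accepts it and no reply comes back).
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in remote_domain:
        return "clear"
    nat_src = apply_nat(src_ip, dst_ip, rules)
    return "tunnel" if nat_src in our_domain else "dropped-by-peer"


# Rulebase A: only the usual hide-NAT of the LAN behind the external address.
HIDE_ALL: List[NatRule] = [NatRule(LOCAL_LAN, ANY, LOCAL_WAN)]

# Rulebase B: a manual "no NAT" rule for the remote /24 placed above the hide rule.
NO_NAT_TO_REMOTE: List[NatRule] = [NatRule(LOCAL_LAN, REMOTE_NET, None)] + HIDE_ALL

# Rulebase C: hide traffic for the remote /24 behind an address taken from the
# local LAN, so the translated source still falls inside our encryption domain.
HIDE_BEHIND_LAN_ADDR: List[NatRule] = [
    NatRule(LOCAL_LAN, REMOTE_NET, ipaddress.ip_address("192.168.10.254"))
] + HIDE_ALL


def demo() -> dict:
    """Run one LAN host against each rulebase; keys name the rulebase, values the outcome."""
    host, remote_host, internet_host = "192.168.10.20", "198.51.100.7", "192.0.2.1"
    return {
        "hide_all": classify(host, remote_host, HIDE_ALL),
        "no_nat": classify(host, remote_host, NO_NAT_TO_REMOTE),
        "hide_behind_lan": classify(host, remote_host, HIDE_BEHIND_LAN_ADDR),
        "internet": classify(host, internet_host, NO_NAT_TO_REMOTE),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16s} -> {outcome}")
```

Running it shows rulebase A ending in "dropped-by-peer" while B and C both yield "tunnel", which is the difference between the original symptom (tunnel up, replies only for remotely initiated traffic) and the two working configurations. The no-NAT rule is the cleaner fix; hiding behind a LAN address works only because the chosen address still sits inside the domain the peer has configured for our side.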

