This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Julius_Kaiser
Participant
‎2017-10-25 03:21 AM

IPSec S2S: NON-RFC1918 network behind tunnel endpoint

Hello Folks,

the following questions may be pretty simple, but I'm kind of struggling to figure out a "lowest common denominator" for googling this subject.

My setup:

I have an IPSEC tunnel between a Check Point 1430 (see below) and an interop device. The remote site is not under my control and uses a non-RFC1918 network behind the remote tunnel endpoint:

(172.16.10.0/24) [my CP] ---WAN-IP---===== ipsec ====---WAN-IP---[rem. INTEROP] (NON-RFC1918 as private network)

I just configured this non-RFC network (a public /24 ip subnet) as (only) part of the encryption domain.

  • The tunnel is active.
  • Traffic (e.g. icmp) can be sent from remote site to my site and echo-reply reaches the remote site.
  • No traffic can be initiated from my site to the remote site (no-reply) - tunnel still active.

My assumption:

My assumption is that Check Point just sees traffic for a public network and routes it to an interface with a public ip address or via default route, but not into the tunnel. 

My questions:

  • Is this assumption somehow correct? If not - how is it done?
  • show route all does not show any routes for VPNs (networks behind tunnels). This seems to be normal for CP. Is there another command for viewing routes in conjunction with VPN sites or how is this thought/ done?

Thanks in advance.

Appliance:Check Point 1430 Appliance
Security Management:Locally managed
Version (Firmware):R77.20.40 (990171107)
0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2017-10-25 05:51 AM

VPN routing happens in the kernel, and it's not going to show up in the routing table unless you're using route-based VPNs.

You can use the CLI command vpn tu to see what tunnels are actually up and active.

The fact you're able to receive VPN traffic suggests at least part of the configuration is right.

My guess is that the traffic being NATted is also being subject to address translation out the external interface.

Since that IP is not likely in the encryption domain configuration on the remote end, the traffic is being dropped.

In which case, you'll want to put in a manual NAT rule to disable NAT when connecting to that remote subnet.

0 Kudos
Julius_Kaiser
Participant
‎2017-11-01 08:15 AM
In response to PhoneBoy

I'm not sure if I got you right, but I created a manual SNAT rule that hides traffic to the non-RFC1918 network behind the tunnel with an arbitrary address from the local network on my site. Things are flying.

Thanks for your input Dameon!

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events