This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marco32
Contributor
Contributor
‎2023-03-17 11:13 AM

VPN and SmartLSM doesn't works

Hi there,

I'm trying in my LAB to create a VPN from a CheckPoint Gateway and several 1570R managed by SmartProvisiong.

Every SMB is connected to a SmartProvisiong of a CMA in my MDS and use a cellular interface to reach my network.

The CheckPoint Gateway is managed by the same CMA.

 

I followed SmartProvisioning Adming Guide, but I see only some tunnel_test packet and no other traffic.

I don't have any route to EncryptionDomain in CheckPoint Gateway even if I try to use permanent tunnel.

 

The EncryptionDomain of the Gateway is configured with a group containing a subnet.

The EncryptionDomain on SmartLSM Gateway is configured Manual (on Topology page) witha range of IP that are used as NAT.

 

Traffic coming to Gateway from it's EncryptionDomain is dropped as:

# fw ctl zdebug + drop | grep 20.20.20.100
@;389050;[vs_0];[tid_0];[fw4_0];fw_log_drop_ex: Packet proto=1 20.20.20.100:1 -> 10.10.10.9:0 dropped by fw_log_ip_routing_failure Reason: IP routing failed (ipout routing failure);

Can some one help me?


Regards

M

0 Kudos
5 Replies
the_rock
MVP Gold
MVP Gold
‎2023-03-17 11:32 AM

Run command -> ip r g 20.20.20.100 and see path its taking. Confirm first it is correct and if so, we can run fw monitor to verify.

Best,
Andy
0 Kudos
Marco32
Contributor
Contributor
‎2023-03-17 11:35 AM
In response to the_rock

#ip r g 20.20.20.10
20.20.20.100 via 10.176.2.200 dev eth1 src 10.176.2.90cache

 

#ip r g 10.10.10.9

RTNETLINK answers: Network is unreachable

 

20.20.20.100 is on Gateway side , 10.10.10.9 is on SMB

Traffic need to start from 20.20.20.100 to 10.10.10.9

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-03-17 11:41 AM
In response to Marco32

Can you draw simple diagram showing how this is configured and whats supposed to access what on the other side? Even basic paint diagram would help : - )

Cheers.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2023-03-17 11:50 AM
In response to Marco32

We need to find out WHY that IP shows unreachable, thats the key here.

Best,
Andy
0 Kudos
Marco32
Contributor
Contributor
‎2023-03-20 03:18 AM
In response to the_rock

Hi the_rock,

main issue seems that no route are present on Gateway and on SMB. I see tunnel_test from SMB to Gateway but VPN is marked as down.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events