This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MladenAntesevic
Collaborator
‎2021-04-06 03:16 AM
Jump to solution

Both RAVPN and S2S VPN between the same pair of gateways

I have one unusual scenario where two gateways, lets say GW A and GW B, have established S2S VPN tunnel, but still I  have a requirement from some customers located behind GW A to have RAVPN connectivity to some servers located behind GW B. S2S VPN is running smoothly, but RAVPN could not be established. I tried to exlude HTTPS and IKE services from the S2S VPN community, but without any success. I checked the logs where I see GW B is rejecting the phase 1 from RAVPN saying:

Main Mode Failed to match proposal: Transform: AES-256, SHA1, Pre-shared secret, Group 2 (1024 bit); Reason: Wrong value for: Authentication Method

 

RAVPN is using different proposal than S2S and it seems that GW B cannot differentiate between IKE messages generated by GW A and between IKE generated by side-A customers since they are coming from the same public IP address.

I know this is quite unusual to have such scenario, but I am wondering is there some kind ow workaround have to handle such a situation?

0 Kudos
1 Solution

Accepted Solutions
Markus_Genser
Contributor
‎2021-04-06 03:43 AM
Jump to solution

Hello,

this is not as uncommon as you might think.

The main reason for the failing of the RA VPN is that the RA GW sees the IKE packet coming from the peer GW, which it knows is in a VPN community, and tries to create a new S2S tunnel.

Therefore it doesn't try to match the IPSec packet with the RA process and that's why the client connection fails.

In the cases I've encountered this, I took another free public IP on (in your case) GW A and created a hide NAT with this public IP Address for the client networks and the destination the RA GW B.

This way, the client RA VPN Traffic arrives on GW B with a different source IP as the S2S communities GW A and the RA VPN will be established.

 

Best regards,

Markus

View solution in original post

7 Replies
Markus_Genser
Contributor
‎2021-04-06 03:43 AM
Jump to solution

Hello,

this is not as uncommon as you might think.

The main reason for the failing of the RA VPN is that the RA GW sees the IKE packet coming from the peer GW, which it knows is in a VPN community, and tries to create a new S2S tunnel.

Therefore it doesn't try to match the IPSec packet with the RA process and that's why the client connection fails.

In the cases I've encountered this, I took another free public IP on (in your case) GW A and created a hide NAT with this public IP Address for the client networks and the destination the RA GW B.

This way, the client RA VPN Traffic arrives on GW B with a different source IP as the S2S communities GW A and the RA VPN will be established.

 

Best regards,

Markus

the_rock
Legend
Legend
‎2021-04-06 07:30 AM
Jump to solution

Just curious, what is the actual error on RA side? Does it even create a site or that fails as well?

0 Kudos
MladenAntesevic
Collaborator
‎2021-04-06 07:59 AM
In response to the_rock
Jump to solution

S2S VPN tunnel is forming OK, but RAVPN is not forming because RAVPN GW is trying to establish a new S2S tunnel as @Markus_Genser already described in details. I will test his proposal, I believe it is very good idea.

Markus_Genser
Contributor
‎2021-04-06 08:08 AM
In response to the_rock
Jump to solution

In a vpn debug on the RA/S2S GW, you can see an entry, that the public IP from the client RA connect belongs to a peer GW for a VPN community and it tries to establish a S2S tunnel.

That pointed me in the past to the conclusion that the RA GW misinterprets the RA connect with the S2S and lead to the workaround with the second hide NAT.

0 Kudos
the_rock
Legend
Legend
‎2021-04-06 08:13 AM
In response to Markus_Genser
Jump to solution

Ah ok, I see now what you are saying. One thing I find sort of odd is that I did exactly same config with 2 customers and did not see this issue at all. 

0 Kudos
MladenAntesevic
Collaborator
‎2021-04-06 10:10 PM
In response to the_rock
Jump to solution

In my logs I saw that RA GW is actually trying to setup another S2S as @Markus_Genser  explained.  Very nice idea to use hide NAT as a workaround. I will try it today and keep you posted.

0 Kudos
MladenAntesevic
Collaborator
‎2021-04-07 12:22 AM
In response to MladenAntesevic
Jump to solution

It is working, thanks @Markus_Genser 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events