This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
MVP Silver
MVP Silver
‎2023-06-15 02:50 PM

Problems with traffic through a S2S VPN

Hello, everyone.

I have a problem with a S2S VPN.

Currently, the traffic originating from our side, to the remote peer, is not "obeying" the security rule it has created.

The traffic is MATCHING a rule, which is almost at the end of the rulebase.

Real IP: 10.7.53.200
NAT IP: 172.26.15.151 (We don't want the remote end to know our REAL IP).
Remote End IP: 172.27.0.66

 

This image represents the actual rule that has been created for the VPN traffic.

VPN12.png

This other image represents the rule with which the traffic is currently MATCHING.

VPN13.png

This image represents the detail of a log.

VPN11.png

VPN111.png

Does anyone know why this is happening?
Why the traffic does not obey our security rule, if it is almost at the beginning of the rulebase?

We are testing the traffic, doing a Telnet to the destination on port 11443.

I would appreciate any comments that can help me to understand the problem.

Regards.

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2023-06-15 03:13 PM

Have you confirmed 100% the relevant traffic is actually being encrypted (going through the VPN)?
That means:

  • Is the source IP of this traffic (before NAT) in the local encryption domain?
  • Is the destination IP of this traffic (before NAT) in the remote encryption domain?
  • Would that traffic be routed across the VPN community stated in the rule per the configuration?

The log entry you supplied is a simple "Accept" log, which suggests the traffic isn't encrypted (and thus not matching Rule 12).

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-06-15 03:31 PM
In response to PhoneBoy

Hello,

In my VPN DOMAIN, on my side.

I have added, both the REAL IP and the NAT IP.

VPN1123.pngVPN112.png


Currently the VPN is up in phase 1 and 2, but the traffic does not go through the rule that it really should.

Cheers

 

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-06-15 03:38 PM
In response to Matlu

Hello,

The traffic should travel through the VPN, but as I showed in the previous images, the traffic originating from IP 10.7.53.200, to IP 172.27.0.66, "simply" does not pay attention to the explicit rule created (Rule #12).

Traffic from IP 10.7.53.200 is routed to IP 172.26.15.151.

TLIST.png

The NAT rule is working fine.
What is not working well is the security rule.

The rule created is almost at the beginning of the rulebase, and I find it strange that the traffic does not match this rule.

Thanks for your comments.

0 Kudos
Matlu
MVP Silver
MVP Silver
‎2023-06-15 04:51 PM
In response to Matlu

A curiosity.

It is mandatory to have the Real IP, and the NAT IP, inside my "VPN DOMAIN"????

Currently I have both IPs inside my domain.

I am working with Manual NAT.

Greetings.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-15 05:05 PM
In response to Matlu

I don't believe the NAT IP needs to be there.
However, the fact the rule is not matching suggests you have a misconfiguration with the VPN.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-15 04:29 PM
In response to Matlu

Is the 172.27.0.66 configured as part of the remote encryption domain on YOUR gateway?
Is the relevant peer gateway included in the relevant VPN Community?

When you say the NAT rule is "working" how precisely did you confirm this outside of looking at the logs?
Can you see the actual traffic with a tcpdump or fw monitor?

Unless it's solved by the above, I suspect you're going to need assistance from the TAC: https://help.checkpoint.com 

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2023-06-18 02:52 PM

Are you able to try ike v1 ? Anyway an output with more than one IKE SA is not good, i would purge the tunnel

 

Ps please obscure sensitive data like peer ip

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events