CheckMates : Products : Quantum : Security Gateways
Site to site - Encryption Domain Question
Hi all,
I'm having a problem setting up a site to site with a remote peer. This is the last one of 6 we have moved over from our ASA to the firewalls. I've typed this from my phone, sorry for the basic formatting.
The specs of the site to site are:
- Remote gateway: 142.152.123.66
- Remote service over HTTPS: 142.152.123.67
- Local encryption domain: 192.168.199.48/28
- Access is required from our 10/8 internal network.
NAT Rule, SRC:10/8 DST:142.152.123.67 HIDE: 192.168.199.49
IKEv2 is negotiating ok.
The gateway is set up with per-community domains. Tried per subnet and per gateway tunnel sharing.
Community:
- Local: Group 10/8 & 192.168.199.48/28
- Remote: 142.152.123.67
I have lab'd it up at home with the same IPs, apart from the remote peer, and it just works.
When I fw monitor the connection, I can see the packets go to the remote peer via my external interface, OE, over udp50 after the NAT.
The work fw sends the packet after NAT to the remote gateway over UDP500 through the external interface (O).
P.S. I have read every article on 3rd-party VPNs. Unless I'm not understanding the fault / resolution, I can't find the answer in there.
Could it have anything to do with the remote peer and remote endpoint both being on the internet and the IPs next to each other (supernetting)?
Thanks in advance
Rich
sk108600 - scenario 3 might be relevant based on the NAT you've shown
Hi Chris,
Thanks for the quick response.
I have read that article many times, but never picked up on:
- 3rd party devices may not include their external IP addresses in their VPN domain as opposed to Check Point Security Gateway.
Is there any way to provide this? I don't see any errors in the logs. The remote peer has been quite rigid and only blamed our setup.
Thanks
I would suggest contacting TAC to get it resolved!
I've got it working now, but I'll be truthful and admit I hadn't configured it correctly or fully understood how it works. This is what I observed.
Firstly, I didn't know their end was configured as the initiator only. This was different from my lab. When they initiated the connection, the traffic selectors didn't match what I had configured in the local encryption domain.
They are using policy-based routing only. I had to set the community to use One VPN per subnet pair. Setting One VPN per gateway pair only offered the universal TSs for IKE Auth.
I didn't know about the Peer ID. The other s2s tunnels didn't use it. I only found this out when using strongSwan in my lab. I sent them the peer ID of the internal cluster IP and it seems to be working now.
Thankfully this was the last one of six s2s tunnels moved from our ASA to CP.
Thanks
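The two things that changed the outcome in the post above are the traffic-selector (TS) exchange (one tunnel per subnet pair instead of per gateway pair) and the hide NAT from the original post, which rewrites the 10/8 source to 192.168.199.49 before the packet ever reaches the VPN lookup. The following is an added example, not code from the thread or from Check Point: a toy model of the RFC 7296 section 2.9 responder narrowing and of a strict initiator's subset check, run against the addresses quoted in the thread. The "universal" response it rejects is simply the 0.0.0.0-255.255.255.255 selector the poster reported seeing with the per-gateway-pair setting; the model makes no claim about how the gateway itself builds that response.

```python
"""Toy IKEv2 traffic-selector negotiation (RFC 7296 section 2.9) with the
addresses quoted in the thread. Added example, not from the post and not a
model of Check Point internals. The per-subnet-pair policy and the hide NAT
rule are constructed from what the original post lists."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True, repr=False)
class TS:
    """One TS_IPV4_ADDR_RANGE selector: inclusive start..end as integers."""
    start: int
    end: int

    @classmethod
    def cidr(cls, text: str) -> "TS":
        net = ip_network(text, strict=False)
        return cls(int(net.network_address), int(net.broadcast_address))

    def intersect(self, other: "TS") -> Optional["TS"]:
        lo, hi = max(self.start, other.start), min(self.end, other.end)
        return TS(lo, hi) if lo <= hi else None

    def covers(self, other: "TS") -> bool:
        return self.start <= other.start and other.end <= self.end

    def __repr__(self) -> str:
        return f"{IPv4Address(self.start)}-{IPv4Address(self.end)}"


UNIVERSAL = TS(0, 0xFFFFFFFF)  # 0.0.0.0-255.255.255.255, the "universal" TS


@dataclass(frozen=True)
class Pair:
    """One subnet pair as configured on the responder: (local, remote)."""
    local: TS
    remote: TS


# Responder policy with one tunnel per subnet pair: every member of the local
# group from the post is paired with the remote service host (constructed).
PER_SUBNET_PAIR = (
    Pair(TS.cidr("10.0.0.0/8"), TS.cidr("142.152.123.67/32")),
    Pair(TS.cidr("192.168.199.48/28"), TS.cidr("142.152.123.67/32")),
)


def respond(tsi: Sequence[TS], tsr: Sequence[TS],
            pairs: Sequence[Pair]) -> Optional[Tuple[TS, TS]]:
    """Responder side: return the first proposed (TSi, TSr) narrowed to the
    intersection with a configured pair. None stands for TS_UNACCEPTABLE."""
    for pair in pairs:
        for i in tsi:
            for r in tsr:
                ni, nr = i.intersect(pair.remote), r.intersect(pair.local)
                if ni and nr:
                    return ni, nr
    return None


def initiator_accepts(tsi: Sequence[TS], tsr: Sequence[TS],
                      response: Tuple[TS, TS]) -> bool:
    """A strict policy-based initiator only accepts a response that is a
    subset of its proposal; a wider (universal) response is rejected."""
    ri, rr = response
    return any(t.covers(ri) for t in tsi) and any(t.covers(rr) for t in tsr)


def hide_nat(src: str, dst: str) -> str:
    """The post's NAT rule: SRC 10/8, DST 142.152.123.67, hide behind .49.
    NAT runs before the VPN lookup, so the encrypted packet carries .49."""
    if IPv4Address(src) in ip_network("10.0.0.0/8") and dst == "142.152.123.67":
        return "192.168.199.49"
    return src


def pair_for_packet(src: str, dst: str, pairs: Sequence[Pair]) -> Optional[Pair]:
    """Which subnet pair a locally originated packet selects, post-NAT."""
    s, d = int(IPv4Address(hide_nat(src, dst))), int(IPv4Address(dst))
    for pair in pairs:
        if pair.local.covers(TS(s, s)) and pair.remote.covers(TS(d, d)):
            return pair
    return None


if __name__ == "__main__":
    # The remote peer initiates: TSi is its service host, TSr is our domain.
    tsi, tsr = [TS.cidr("142.152.123.67/32")], [TS.cidr("192.168.199.48/28")]
    print("per subnet pair ->", respond(tsi, tsr, PER_SUBNET_PAIR))
    print("universal response accepted?", initiator_accepts(tsi, tsr, (UNIVERSAL, UNIVERSAL)))
    print("10.1.2.3 -> .67 lands in pair:", pair_for_packet("10.1.2.3", "142.152.123.67", PER_SUBNET_PAIR))
```

Two things fall out of running it. First, the remote initiator's proposal only ever intersects the 192.168.199.48/28 pair, so the 10/8 member of the local group never takes part in this tunnel; it is the hide NAT, not the encryption domain, that lets 10/8 hosts reach the service, which is why the NAT rule is the first thing to check. Second, a strict initiator rejects any response wider than its own proposal, which is the failure the poster saw with the per-gateway-pair setting. In a strongSwan lab mirror of the remote side, the same pairing is expressed as separate `children` per subnet pair, and the Peer ID from the last post corresponds to the `remote_id` the lab peer expects to see in IKE_AUTH (assumed mapping, as an illustration).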
Try configuring VPN Community | Tunnel Management | Per each pair of hosts.
