This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RichGrant
Participant
‎2023-02-18 01:23 AM

Site to site - Encryption Domain Question

Hi all,

I'm having a problem setting up a site to site with a remote peer. This is the last one of 6 we have moved over from our ASA to the firewalls. I've typed this from my phone, sorry for the basic formatting.

The specs of the site to site are:

  • Remote gateway: 142.152.123.66
  • Remote service over HTTPS: 142.152.123.67
  • Local encryption domain: 192.168.199.48/28
  • Access is required from our 10/8 internal network.

NAT Rule, SRC:10/8 DST:142.152.123.67 HIDE: 192.168.199.49

IKEv2 is negotiating ok. 

The gateway is setup with per community domains. Tried per subnet and per gateway tunnel sharing.

Community:

  • Local: Group 10/8 & 192.168.199.48/28
  • Remote: 142.152.123.67

I have lab'd it up at home with the same IPs, apart from the remote peer, and it just works.

When I fw monitor the connection, I can see the packets go to the remote peer via my external interface, OE, over udp50 after the NAT.

The work fw sends the packet after NAT to the remote gateway over UDP500 through the external interface (O).

P.s. I have read every article on 3rd party vpns. Unless I'm not understanding the fault / resolution, I can't find the answer in there.

Could it have anything to do with the remote peer and remote endpoint both being on the internet and the IPs next to eachother (supernetting)?

Thanks in advanced

Rich

 

 

 

0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee
‎2023-02-18 01:38 AM

sk108600 - scenario 3 might be relevant based on the NAT you've shown 

CCSM R77/R80/ELITE
0 Kudos
RichGrant
Participant
‎2023-02-18 02:12 AM
In response to Chris_Atkinson

Hi Chris,

Thanks for the quick response. 

I have read that article many times, but never picked up on:

  • 3rd party devices may not include their external IP addresses in their VPN domain as opposed to Check Point Security Gateway.

Is there anyway to provide this? I don't see any errors in the logs. The remote peer has been quite rigid and only blamed our setup.

 Thanks

 

 

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-02-19 01:21 AM
In response to RichGrant

I would suggest to contact TAC to get it resolved !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
RichGrant
Participant
‎2023-03-04 12:16 AM
In response to G_W_Albrecht

I've got it working now, but I'll be truthful and admit I hadn't configured it correctly and fully understood how it works. This is what I observed.

Firstly, I didn't know their end was configured as the initiator only. This was different to my lab. When they initiated the connection, the traffic selectors weren't matching with what I had configured in the local encryption domain.

They are using policy based routing only. I had to set the community to use One VPN per subnet pair. Setting One VPN per gateway pair only offered the universal TS's for IKE Auth.

I didn't know about the Peer ID. The other s2s's didn't use it. I only found this out when using Strongswan in my lab. I sent them the peer id of the internal cluster IP and it seems to be working now. 

Thankfully this was the last one of 6 s2s's moved from our ASA to CP.

Thanks 

 

 

 

 

Vladimir
Champion
Champion
‎2023-03-04 04:20 PM

Ry configuring VPN Community | Tunnel Management | Per each pair of hosts.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top