RichGrant
Participant

Site to site - Encryption Domain Question

Hi all,

I'm having a problem setting up a site to site with a remote peer. This is the last one of 6 we have moved over from our ASA to the firewalls. I've typed this from my phone, sorry for the basic formatting.

The specs of the site to site are:

  • Remote gateway: 142.152.123.66
  • Remote service over HTTPS: 142.152.123.67
  • Local encryption domain: 192.168.199.48/28
  • Access is required from our 10/8 internal network.

NAT Rule, SRC:10/8 DST:142.152.123.67 HIDE: 192.168.199.49

IKEv2 is negotiating ok. 

The gateway is set up with per community domains. Tried per subnet and per gateway tunnel sharing.

Community:

  • Local: Group 10/8 & 192.168.199.48/28
  • Remote: 142.152.123.67

I have lab'd it up at home with the same IPs, apart from the remote peer, and it just works.

When I fw monitor the connection, I can see the packets go to the remote peer via my external interface, OE, over udp50 after the NAT.

The work fw sends the packet after NAT to the remote gateway over UDP500 through the external interface (O).

P.S. I have read every article on 3rd party VPNs. Unless I'm not understanding the fault / resolution, I can't find the answer in there.

Could it have anything to do with the remote peer and remote endpoint both being on the internet and the IPs next to each other (supernetting)?

Thanks in advance

Rich

0 Kudos
5 Replies
Chris_Atkinson
Employee

sk108600 - scenario 3 might be relevant based on the NAT you've shown 

CCSM R77/R80/ELITE
0 Kudos
RichGrant
Participant

Hi Chris,

Thanks for the quick response. 

I have read that article many times, but never picked up on:

  • 3rd party devices may not include their external IP addresses in their VPN domain as opposed to Check Point Security Gateway.

Is there any way to provide this? I don't see any errors in the logs. The remote peer has been quite rigid and only blamed our setup.

Thanks

0 Kudos
G_W_Albrecht
Legend

I would suggest contacting TAC to get it resolved!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
RichGrant
Participant

I've got it working now, but I'll be truthful and admit I hadn't configured it correctly and fully understood how it works. This is what I observed.

Firstly, I didn't know their end was configured as the initiator only. This was different to my lab. When they initiated the connection, the traffic selectors weren't matching with what I had configured in the local encryption domain.

They are using policy based routing only. I had to set the community to use One VPN per subnet pair. Setting One VPN per gateway pair only offered the universal TS's for IKE Auth.

I didn't know about the Peer ID. The other s2s's didn't use it. I only found this out when using strongSwan in my lab. I sent them the peer ID of the internal cluster IP and it seems to be working now.

Thankfully this was the last one of 6 s2s's moved from our ASA to CP.

Thanks 
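
Added example, not part of the thread or of any vendor's code: a simplified, address-only model of IKEv2 traffic selector narrowing (RFC 7296, section 2.9) applied to the encryption domains quoted above. The peer's proposed selectors and its exact-match behaviour are assumptions made for illustration, and all function names are hypothetical.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def narrow(proposed, policy):
    """Keep the part of each proposed selector that the policy also covers."""
    kept = set()
    for p in proposed:
        for q in policy:
            if p.overlaps(q):  # CIDR blocks overlap only when one contains the other
                kept.add(p if p.subnet_of(q) else q)
    return sorted(kept)

def respond(ts_i, ts_r, remote_domain, local_domain):
    """Responder view: TSi is checked against the peer's networks, TSr against ours."""
    new_i, new_r = narrow(ts_i, remote_domain), narrow(ts_r, local_domain)
    if not new_i or not new_r:
        return "TS_UNACCEPTABLE"
    return new_i, new_r

def exact_match_peer_accepts(offered, expected):
    """Assumed peer behaviour: selectors must mirror its own policy exactly."""
    return set(offered) == set(expected)

# Domains from the thread; the peer's proposal below is an assumed, constructed value.
REMOTE_DOMAIN = nets("142.152.123.67/32")
LOCAL_DOMAIN = nets("10.0.0.0/8", "192.168.199.48/28")
PEER_TS_I = nets("142.152.123.67/32")   # assumed: peer proposes its HTTPS host
PEER_TS_R = nets("192.168.199.48/28")   # assumed: peer proposes the post-NAT range
UNIVERSAL = nets("0.0.0.0/0")           # universal selectors, as seen with per gateway pair

if __name__ == "__main__":
    print("full domain  :", respond(PEER_TS_I, PEER_TS_R, REMOTE_DOMAIN, LOCAL_DOMAIN))
    print("10/8 only    :", respond(PEER_TS_I, PEER_TS_R, REMOTE_DOMAIN, nets("10.0.0.0/8")))
    print("universal ok?:", exact_match_peer_accepts(UNIVERSAL, PEER_TS_R))
    print("/28 ok?      :", exact_match_peer_accepts(PEER_TS_R, PEER_TS_R))
```

Comparing the selectors seen in an IKE debug against the configured domains in this way shows quickly whether a mismatch is on the address ranges or elsewhere (for example the peer ID).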

 

 

 

 

Vladimir
Champion

Try configuring VPN Community | Tunnel Management | Per each pair of hosts.

0 Kudos
