This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
zorolo
Explorer
‎2022-06-13 05:15 AM

Unnumbered tunnels with legacy configuration and no VIP defined in SmartConsole

Hi.

I have a cluster used by several site-to-site communities, route-based with VTI tunnels among them. Because VTIs need to use a Get Interfaces operation involving all interfaces in the cluster, not only the one to be created, I have two unnumbered tunnel interfaces appearing in the Network Management section. Those unnumbered VTIs were configured without using SmartConsole (R81 SMS) for cluster configuration, and had no VIP assigned (and both are working perfectly fine): they were just created by configuring the gateways (R80.30) to use the same physical interface as all the rest of VPN traffic as a proxy.

The interface has a /24 IP address, but when fetching the interfaces in SmartConsole, the system decides the unnumbered VTIs have a /32 instead. TAC advises not to delete the unnumbered interfaces from SmartConsole (which seems to have been what has been happening up until now whenever fetching interfaces was necessary to configure new numbered VTIs) and not to use the same IP address from the external interface (because of the different mask length).

TAC advises to use a loopback interfaces, which, aside being a bit of a hassle by itself, is not really an option for the previously configured interfaces.

Has anybody encountered a similar problem? Is TAC evaluation correct in that I have no other choice? It is true that getting rid of the unnumbered VTIs in SmartConsole will really be a problem, despite not being currently already there? Since I would really prefer to have them accounted for in SmartConsole, if not for any other reason to be able to configure Anti-Spoofing, how will the difference in mask length affect traffic, if I put the same address than the proxy interface's?  

 

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2022-06-13 08:52 AM

VTIs are basically point-to-point interfaces, which means they'd have a /32 as the netmask.
You should be able to confirm this in ifconfig output.
As such, a "get interfaces" would get this netmask.

That said, I'm not entirely clear what the actual problem is and what you're trying to achieve. 
Are you just trying to get the interfaces represented in SmartConsole correctly?

0 Kudos
Angel_Parra
Explorer
‎2022-06-14 12:02 AM
In response to PhoneBoy

I have to input a VIP for each interface. For both unnumbered vpnts, the proxy device is the same one. Let's say it is eth3 (all names and addresses are fictitious):

FW1 eth3: 100.1.1.1/24. FW2 eth3: 100.1.1.2/24.

That same interface is the one used to carry all VPN traffic. In the cluster object configuration, the VIP is 100.1.1.3/24:

VIP eth3: 100.1.1.3/24. FW1 eth3: 100.1.1.1/24. FW2 eth3: 100.1.1.2/24.

When fetching the interfaces, I get for those previously configured, already working, not-previously-appearing unnumbered VTIs members:

vpnt1 fw1: 100.1.1.1/32 vpnt1 fw2: 100.1.1.2/32

vpnt2 fw1: 100.1.1.1/32 vpnt2 fw2: 100.1.1.2/32

Apparently, as per the Check Point support case update, VIP for those interfaces should not be 100.1.1.3/32: "[c]onfiguring the VIP IP as [eth3] may cause traffic issues as the interface and the tunnel have different prefixes, for that we are able to configure the loopback interface as a proxy interface to the unnumbered VTI interface."

 

0 Kudos
zorolo
Explorer
‎2022-06-14 01:43 AM
In response to PhoneBoy

The post by Angel_Parra contains the details. I had some trouble posting myself the first time around, but I got it sorted. I'll repeat the information here. I'm really sorry about the mess.

I have to input a VIP for each interface. For both unnumbered vpnts, the proxy device is the same one. Let's say it is eth3 (all names and addresses are fictitious):

FW1 eth3: 100.1.1.1/24. FW2 eth3: 100.1.1.2/24.

That same interface is the one used to carry all VPN traffic. In the cluster object configuration, the VIP is 100.1.1.3/24:

VIP eth3: 100.1.1.3/24. FW1 eth3: 100.1.1.1/24. FW2 eth3: 100.1.1.2/24.

When fetching the interfaces, I get for those previously configured, already working, not-previously-appearing unnumbered VTIs members:

vpnt1 fw1: 100.1.1.1/32 vpnt1 fw2: 100.1.1.2/32

vpnt2 fw1: 100.1.1.1/32 vpnt2 fw2: 100.1.1.2/32

Apparently, as per the Check Point support case update, VIP for those interfaces should not be 100.1.1.3/32: "[c]onfiguring the VIP IP as [eth3] may cause traffic issues as the interface and the tunnel have different prefixes, for that we are able to configure the loopback interface as a proxy interface to the unnumbered VTI interface."

0 Kudos
PhoneBoy
Admin
Admin
‎2022-06-15 11:33 AM
In response to zorolo

Unless anyone has any specific experience otherwise, I would defer to the TAC's advice on this.

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2022-06-23 11:56 AM

Did your unnumbered VPN tunnel interfaces work on the cluster without a VIP configured? Or were you required to use a loop1 interface in your CLISH configuration, and use that as the VIP?  

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
zorolo
Explorer
‎2022-06-23 11:53 PM
In response to Duane_Toler

The unnumbered interfaces are working without cluster configuration. An interesting thing I recently found checking log messages after a reboot is that it complained about not finding it, but would be using the proxy interface IP address (as intended).

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2022-06-24 02:39 PM
In response to zorolo

Weird.  I setup a mini lab to test this.  Each gateway, in CLISH, has unnumbered interfaces (but I did choose "dev ethX" instead of "loopX").  In SmartConsole, I did "Get interface without topology" and it populated the vpnt1 interface as point-to-point (correct) but with IP of the "ethX" interface I chose in CLISH.  Plus, it demands me to configure a VIP for the vpnt1 interface (I can't close the interface list without doing so).

 

This is R80.40 HFA 158 everywhere (gateways and management).  I see yours is R81, tho, so... is this changed behavior?

 

I did get a successful VTI and IPsec session setup with an Libreswan gateway and its own VTI configuration (took some effort, but finally got it working).   I was able to ping across it, too.  Anyway, it works.  I did clusterXL_admin down on one gateway and watch the packets continue flowing.  Swapped active cluster members again, and the ping continues to flow.

 

The next question is:  what happens with multiple VTI interfaces on the same gateway, if they all get the same IP proxy interface?  Will that work, or do I need to have something else?  Loopback interfaces, then? 

 

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
zorolo
Explorer
‎2022-06-26 11:07 PM
In response to Duane_Toler

Having more than one VTI with the same physical proxy interface works fine (that is the scenario I described).

0 Kudos
CheckPointerXL
Advisor
Advisor
‎2022-06-25 06:31 AM
In response to zorolo

Hello, 

In which setup Is suggested to use unnumbered vti?

0 Kudos
zorolo
Explorer
‎2022-06-26 11:08 PM
In response to CheckPointerXL

Sorry, I do not understand what you mean by setup.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events