Re: VPN between CP Module and 1430 behind NAT

Uwe_Poliak · ‎2017-11-08

Hi

I would like to setup a VPN between our HQ (a cluster of Checkpoint Open Servers R77.30) on one side and a Check Point Appliance 1430 on the other side. The 1430 is located behind a Provider Router with NAT.

The 1430 has the IP 192.168.100.50 on its WAN side. All traffic arriving at the public/fixed IP (1.2.3.4) of the provider router is directed to the 1430 behind.

Behind the 1430 I have some other networks from the range 10.64.0.0/16 on the LAN side.

Im am using the VPN community where this 1430 should be added to for approx. 12 other VPN connections (without NAT) which are working fine.

Our security management is reachable from the Gateway, Policies can be fetched and pushed and Security Management connection is green in the 1430 web configuration pages. It is also shown as green in the Smartcenter.

I have made the following settings:

General IP of the 1430: 192.168.100.50 (the IP of the WAN interface)

Topology: External 192.168.100.50, Internal 10.64.x.y with Topology Entry 10.64.0.0/16

NAT: [ ] Hide internal networks behind gateway's external IP (not set)

NAT > Advanced: [x] Add automatic translation rule .... (set)

Translation Method: Static

Translate to IP Address: The public fixed IP of the provider Router (1.2.3.4)

Install on gateway: on the CheckPoint Open Servers Cluster @ HQ

IPSec VPN > Link Selection > Locally managed VPN peers determine .... Always use this IP Address (set)

Statically NATed IP: The public fixed IP of the provider Router (1.2.3.4)

Outgoing Route Selection:

Operation system routing table

The routing on the HQ gateways to 10.64.0.0/16 are set pointing to the default gateway (provider router @ HQ).

I can see security associations between the Gateways on both sides, all looks good so far, but I can not send packages through the tunnel.

Can somebody help me out of this? Did I forget to configure something?

Kind regards

Uwe

PhoneBoy · ‎2017-11-08

I would perform a tcpdump on the 1430 to see if you are receiving IP Protocol 50 packets.

My guess is the provider router isn't forwarding them.

You will have to configure the router to forward this traffic.

Uwe_Poliak · ‎2017-11-08

Hi Dameon,

I have checked on the 1430 with

tcpdump ip proto 50

on the WAN port and see no single packet show up in the logs.

[Expert@VPNGW-XXX]# tcpdump -vv ip proto 50
listening on WAN, link-type EN10MB (Ethernet), capture size 68 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

I will discuss this with the provider how to fix this.

Thanks for the moment for your quick help!

Kind regards

Uwe

Uwe_Poliak · ‎2017-11-09

Hi,

now I found some settings in the provider router and can see packets arriving from the HQ side on the 1430.

Now the problem is, that the response is not delivered back to the HQ.

fwaccel off

fw monitor -e "accept [9:1]=50;" -p all

shows me:

[vs_0][fw_0] WAN:i0 (IP Options Strip (in))[152]: <IP HQ Firewall Cluster> -> 192.168.100.50 (50) len=152 id=23638

[vs_0][fw_0] WAN:i1 (vpn decrypt)[152]: <IP HQ Firewall Cluster> -> 192.168.100.50 (50) len=152 id=23638

[vs_0][fw_0] WAN:O12 (TCP streaming post VM)[152]: 192.168.100.50 -> <IP HQ Firewall Cluster> (50) len=152 id=39029

[vs_0][fw_0] WAN:O13 (IP Options Restore (out))[152]: 192.168.100.50 -> <IP HQ Firewall Cluster> (50) len=152 id=39029

[vs_0][fw_0] WAN:O14 (Chain End)[152]: 192.168.100.50 -> <IP HQ Firewall Cluster> (50) len=152 id=39029

[vs_0][fw_0] WAN:i0 (IP Options Strip (in))[152]: <IP HQ Firewall Cluster> -> 192.168.100.50 (50) len=152 id=54150

[vs_0][fw_0] WAN:i1 (vpn decrypt)[152]: <IP HQ Firewall Cluster> -> 192.168.100.50 (50) len=152 id=54150

[vs_0][fw_0] WAN:O12 (TCP streaming post VM)[152]: 192.168.100.50 -> <IP HQ Firewall Cluster> (50) len=152 id=33534

[vs_0][fw_0] WAN:O13 (IP Options Restore (out))[152]: 192.168.100.50 -> <IP HQ Firewall Cluster> (50) len=152 id=33534

[vs_0][fw_0] WAN:O14 (Chain End)[152]: 192.168.100.50 -> <IP HQ Firewall Cluster> (50) len=152 id=33534

I now expect the provider router to un-NAT the outgoing IP 192.168.100.50 to the public IP but can't check this.

On the HQ gateway not a single ESP packet from this public source IP (1.2.3.4) could be seen.

In the Smartcenter settings of the 1430 gateway is configured as follows:

IPSec VPN > Link Selection > Locally managed VPN peers determine .... Always use this IP Address (set)

Statically NATed IP: The public fixed IP of the provider Router (1.2.3.4)

Outgoing Route Selection:

Operation system routing table

Source IP address settings => Automatic (derived from method of IP selection by remote peer)

Does anyone have some more ideas?

Rgds Uwe

Hugo_vd_Kooij · ‎2017-11-10

Have you tried setting the 1430 to Dynamic address in your SmartCenter? It will try work around this sort of issues by using NAT-T.

That might be sufficient as some routers can't NAT for anything that is not ICMP or UDP or TCP.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

Uwe_Poliak · ‎2017-11-10

Dear Hugo,

gotcha. That was the problem.

You made my day!!!!

Many thanks

Uwe

Luigi_Vezzoso1 · ‎2019-02-19

Hi,sh

I just read this post: can I ask you a screenshot or more information about the CP1430 definition on the Smartdashboard?

Best Regards

Luigi

Are you a member of CheckMates?

VPN between CP Module and 1430 behind NAT