marksweaver
Explorer

VPN routing issue

Hi,

I wonder if anybody could shed some light on this. I am stumped.

Brief overview: a Check Point gateway (R77.30 Gaia) in a DC routing traffic from an inbound policy-based VPN out of a route-based VPN to AWS. We have several of these, all working fine. This one involves NAT; none of the working VPNs are doing NAT.

Connection to a web server in AWS works from Endpoint Connect using the "real" IP of the server.

SmartView Tracker shows VPN routing.

fw monitor shows my client connection to the AWS host.

o shows vpnt15, which is the tunnel interface to AWS; eth4 is the internet interface.

O shows eth4. This is correct and works with this connection and other external VPNs routing to AWS.

[vs_0][fw_0] eth4:i[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000
[vs_0][fw_0] eth4:I[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000
[vs_0][fw_0] vpnt15:o[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000
[vs_0][fw_0] eth4:O[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000

fw monitor below shows the connection from the customer end to the NAT address, which is translated on the Check Point to the real destination address. The source address remains as the original.

SmartView Tracker shows Decrypt and the NAT translation configured by the NAT rule, not VPN routing.

Note: o shows vpnt15, but O also shows vpnt15. Traffic does not arrive at AWS (verified by AWS flow log).

[vs_0][fw_0] eth4:i[72]: 172.30.21.144 -> 10.150.194.16 (TCP) len=72 id=17563
TCP: 40203 -> 80 .S.... seq=c909e140 ack=00000000
[vs_0][fw_0] eth4:I[72]: 172.30.21.144 -> 172.29.146.13 (TCP) len=72 id=5445
TCP: 40439 -> 80 .S.... seq=03d3dd1b ack=00000000
[vs_0][fw_0] vpnt15:o[72]: 172.30.21.144 -> 172.29.146.13 (TCP) len=72 id=5445
TCP: 40439 -> 80 .S.... seq=03d3dd1b ack=00000000
[vs_0][fw_0] vpnt15:O[72]: 172.30.21.144 -> 172.29.146.13 (TCP) len=72 id=5445

I have added the subnet being used for NAT translations to the encryption domain on the Check Point, and the access rule allows traffic from the customer to both the NAT address and the real address. Initially I had only the NAT address but added the real one to see if it made any difference. It did not.

The VPN column is set to Any and "Disable NAT inside VPN community" is not ticked.

The NAT subnet is not in use anywhere else.

The AWS host is behind an NLB; there is no security group on the NLB, so all traffic is allowed.

AWS route tables have been updated with customer networks.

I can provide more information if needed.

Any suggestions would be appreciated.

Regards

Mark

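The two fw monitor captures above are easier to compare when the four inspection points (i, I, o, O) are pulled apart mechanically. The following Python is an added example written for this page; it is not code from the post, from Check Point, or from any Check Point tool. It parses fw monitor output in the format shown, reports where the destination or source address changed between inspection points (the NAT step), and flags the condition the post describes: the packet enters the tunnel interface at o but its final O point is still on the tunnel interface instead of the physical interface. The interface names (vpnt15, eth4) and the expectation that an encapsulated packet shows O on the physical interface are taken from the working trace in the post; the sample captures are the post's own output, embedded here so the script runs offline.

```python
import re

# Constructed samples: the two fw monitor captures from the post, reproduced
# verbatim so the parser can be exercised without a gateway.
WORKING_TRACE = """\
[vs_0][fw_0] eth4:i[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000
[vs_0][fw_0] eth4:I[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000
[vs_0][fw_0] vpnt15:o[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000
[vs_0][fw_0] eth4:O[52]: 172.21.254.52 -> 172.29.146.13 (TCP) len=52 id=49031
TCP: 57971 -> 80 .S.... seq=1ef280d9 ack=00000000
"""

FAILING_TRACE = """\
[vs_0][fw_0] eth4:i[72]: 172.30.21.144 -> 10.150.194.16 (TCP) len=72 id=17563
TCP: 40203 -> 80 .S.... seq=c909e140 ack=00000000
[vs_0][fw_0] eth4:I[72]: 172.30.21.144 -> 172.29.146.13 (TCP) len=72 id=5445
TCP: 40439 -> 80 .S.... seq=03d3dd1b ack=00000000
[vs_0][fw_0] vpnt15:o[72]: 172.30.21.144 -> 172.29.146.13 (TCP) len=72 id=5445
TCP: 40439 -> 80 .S.... seq=03d3dd1b ack=00000000
[vs_0][fw_0] vpnt15:O[72]: 172.30.21.144 -> 172.29.146.13 (TCP) len=72 id=5445
"""

# One fw monitor header line: "[vs_N][fw_N] <iface>:<point>[len]: src -> dst (proto) len=N id=N"
HEADER_RE = re.compile(
    r"^\[vs_\d+\]\[fw_\d+\]\s+(?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+\((?P<proto>\w+)\)\s+len=\d+\s+id=(?P<id>\d+)"
)
# The optional TCP detail line that follows a header line.
TCP_RE = re.compile(r"^TCP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)\s+(?P<flags>\S+)")


def parse_fw_monitor(text):
    """Return one dict per inspection-point line; the TCP detail line, when
    present, is folded into the header record that precedes it."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            current = {
                "iface": m.group("iface"), "point": m.group("point"),
                "src": m.group("src"), "dst": m.group("dst"),
                "proto": m.group("proto"), "id": int(m.group("id")),
                "sport": None, "dport": None, "flags": None,
            }
            records.append(current)
            continue
        m = TCP_RE.match(line)
        if m and current is not None:
            current["sport"] = int(m.group("sport"))
            current["dport"] = int(m.group("dport"))
            current["flags"] = m.group("flags")
    return records


def analyse_path(records, tunnel_iface, physical_iface):
    """Summarise one packet's walk through i, I, o, O.

    Assumption (inferred from the post's working trace): traffic that is
    tunnelled through a route-based VPN shows o on the tunnel interface and,
    once encapsulated, O on the physical interface. An O still on the tunnel
    interface means the packet never left the gateway."""
    first = {}
    for r in records:
        first.setdefault(r["point"], r)  # keep the first hit per point
    points = "".join(p for p in "iIoO" if p in first)

    # Destination NAT is visible as a dst change between i and I.
    dnat = None
    if "i" in first and "I" in first and first["i"]["dst"] != first["I"]["dst"]:
        dnat = (first["i"]["dst"], first["I"]["dst"])
    # Source NAT is visible as a src change between o and O.
    snat = None
    if "o" in first and "O" in first and first["o"]["src"] != first["O"]["src"]:
        snat = (first["o"]["src"], first["O"]["src"])

    last_out = first["O"]["iface"] if "O" in first else None
    return {
        "points": points,
        "dnat": dnat,
        "snat": snat,
        "entered_tunnel": first.get("o", {}).get("iface") == tunnel_iface,
        "last_out_iface": last_out,
        "stuck_on_tunnel": last_out == tunnel_iface,
        "left_physical": last_out == physical_iface,
    }


if __name__ == "__main__":
    for name, trace in (("working", WORKING_TRACE), ("failing", FAILING_TRACE)):
        print(name, analyse_path(parse_fw_monitor(trace), "vpnt15", "eth4"))
```

Run against the post's captures, the working trace reports no NAT and `left_physical` on eth4, while the failing trace reports the destination NAT from 10.150.194.16 to 172.29.146.13 at the I point and `stuck_on_tunnel` for vpnt15, which is exactly the symptom the AWS flow logs confirm. When a real capture contains several packets, group the records by source address and port before calling `analyse_path`, since fw monitor interleaves them.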
marksweaver
Explorer

To add to this, due to the connectivity issue needing to be resolved yesterday, I routed inbound traffic to an HA pair of physical LBs in our data centre, which now front-end the traffic into AWS.

This solution works fine, but I would like this to be a temporary solution as the LBs are old and are scheduled for decom in the medium term (they were front-ending for only two remaining systems that are due for migration to AWS).
