This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
P_Hippelainen
Explorer
‎2020-05-06 06:31 AM

VPN unnumbered VTI and ClusterXL

Hi there,

I've R80.20 open server cluster env. with ClusterXL and two VPN tunnels between AWS. These are configured with Numbered VTIs.
Now I need to add one VPN tunnel with Azure and there is Route-based or Policy-based VPN available.
I've understand that Route-based should be configured with Unnumbered VTI tunnel.
I found an old Checkpoint exam question from the year 2015 and an answer is that Unnumbered VTIs are only supported VRRP HA active-passive mode.
Is this same HA restriction still valid in R80.x?
I've read the Site to Site VPN Administration Guide R80.20 and all cluster examples is only for numbered VTI.

 

Thanks in advance.

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-05-08 01:06 PM

I've never heard of that limitation myself.
Also don't see any mention of it in current docs.
0 Kudos
P_Hippelainen
Explorer
‎2020-05-15 08:06 AM
In response to PhoneBoy

I've done this at first as numbered VTI (vpnt7) but the traffic goes a little bit strange.
VPN tunnel ID = 7
Local VIP 169.254.0.1
Remote address = "Azure public IP"
Interoperable Device = "Azure public IP", VPN domain = empty group
Cluster VPN domain = empty group
Cluster Network Topology vpnt7 = leads to specific (azure VM network)

Community: Star, Prefer IKEv2..., Set Permanent (on all...comm), One VPN t.../Gw pair, Disable NAT...

Policy:
from on-premise to azure = RDP,ICMP, VPN column = int>"comm", "comm">"comm", "comm">int
from azure to on-premise = RDP,ICMP

When the RDP connection is started from an on-premise client to a Azure VM, the connection is seen coming from the Internal interface (eth'x') and decrypted.
The VM will answer back from External interface (eth'y', not tunnel) but the on-premise cluster gateway drops it as address spoofing.

When the connection is started from Azure VM it's seen coming from External interface vpnt7 and it is accepted and the on-premise client will answer back.

I've no idea why the connection from on-premise to azure seems to be OK, but the answer is as address spoofing and it's seen as separate connection.

Thanks in advance.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-05-08 02:01 PM

Unnumbered VTIs are not supported on the SecurePlatform OS, which is probably what that old exam question is referring to.  They are supported on the Gaia OS according to sk109045.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events