Wesley_van_der_
Participant

VSX and routebased VPN (Azure)

Hi,

 

A nice new feature in VSX R81 is that we can create vpnt interfaces on a virtual firewall, using vsx_provisioning_tool on the SMS/MDS. We have a VSX setup with SMS, both running R81.10 with JHF take 87.

We want to set up a new S2S VPN (route-based) with Azure. I managed to do that using sk176249.

Now the tunnel is up (phase 1 and 2) and BGP traffic from Azure arrives at our firewall. We will use BGP over the tunnel, and now I am facing 2 different issues causing the BGP peer to be in active state instead of established.

1) BGP traffic from Azure arrives at our firewall, but is dropped with the reason "According to the policy the packet should not have been decrypted"

Normally with a policy-based VPN, the VPN domains are the first thing I look at. But now we use route-based and I have configured empty VPN domains as mentioned in the sk.

There is a route for the BGP peer in Azure (connected to vpnt interface). 

2) BGP traffic initiated from our firewall uses a funny IP as its source IP.

This traffic was first dropped, of course, on our firewall since the rule I created uses the expected source IP. I tried to accept the traffic and use source NAT for this specific traffic. Now the traffic is accepted, but not encrypted and routed over the tunnel.

 

Any tips to troubleshoot any further are welcome. 


Accepted Solutions
Wesley_van_der_
Participant

The first problem was solved by changing the alias of the vpnt interfaces. The alias of the interface needs to be exactly the same as the name of the interoperable device object that this interface will be used for.

The second problem is solved by using NAT with the correct vpnt interfaces.

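The accepted solution boils down to one exact-string constraint: each vpnt interface alias must equal the name of the interoperable device object it serves, or inbound traffic is dropped with "According to the policy the packet should not have been decrypted". The following is an added example (not Check Point tooling, and not code from the thread) that checks a list of interface aliases against a list of object names and says why a mismatch occurred. The interface and object lists are constructed sample data standing in for what you would pull from your VSX provisioning configuration and the management database.

```python
"""Check that VSX vpnt interface aliases exactly match interoperable device
object names (the root cause in the accepted solution above).

Added example with constructed data; not part of Check Point's tools.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VpntInterface:
    vs_name: str   # virtual system owning the interface (constructed)
    name: str      # interface name, e.g. "vpnt1"
    alias: str     # must equal the interoperable device object name exactly


def diagnose_alias(alias, device_objects):
    """Return "ok" or a short reason why the alias will not match.

    Only an exact match counts for the gateway; the near-miss checks exist
    so the report points at the usual typo instead of just saying "no".
    """
    objects = set(device_objects)
    if alias in objects:
        return "ok"
    stripped = alias.strip()
    if stripped in objects:
        # Alias differs only by leading/trailing whitespace.
        return "whitespace mismatch (object is %r)" % stripped
    by_casefold = {o.casefold(): o for o in objects}
    hit = by_casefold.get(stripped.casefold())
    if hit is not None:
        return "case mismatch (object is %r)" % hit
    return "no interoperable device object named %r" % alias


def check_vpnt_aliases(interfaces, device_objects):
    """Map each interface name to its diagnosis string."""
    return {i.name: diagnose_alias(i.alias, device_objects) for i in interfaces}


def problem_interfaces(interfaces, device_objects):
    """Names of interfaces whose alias does not match exactly, in input order."""
    findings = check_vpnt_aliases(interfaces, device_objects)
    return [i.name for i in interfaces if findings[i.name] != "ok"]


# Constructed sample data: one good alias and three typical mistakes.
SAMPLE_INTERFACES = [
    VpntInterface("VS-Azure", "vpnt1", "Azure-VPN-GW1"),    # exact match
    VpntInterface("VS-Azure", "vpnt2", "azure-vpn-gw2"),    # wrong case
    VpntInterface("VS-Azure", "vpnt3", "Azure-VPN-GW3 "),   # trailing space
    VpntInterface("VS-Azure", "vpnt4", "Azure-GW4"),        # no such object
]
SAMPLE_DEVICE_OBJECTS = ["Azure-VPN-GW1", "Azure-VPN-GW2", "Azure-VPN-GW3"]


if __name__ == "__main__":
    for name, finding in check_vpnt_aliases(SAMPLE_INTERFACES, SAMPLE_DEVICE_OBJECTS).items():
        print("%-6s %s" % (name, finding))
```

Run it after provisioning the vpnt interfaces and before opening a TAC case; any interface listed by `problem_interfaces` is a candidate for the first drop reason in the thread, and the accompanying reason tells you whether to fix the alias or create the missing object.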
4 Replies
PhoneBoy
Admin

Are you using a configuration similar to: https://support.checkpoint.com/results/sk/sk176249 ?

Wesley_van_der_
Participant

Yes. I used the sk to configure the VPN.

PhoneBoy
Admin

Recommend a TAC case here to investigate: https://help.checkpoint.com

