kuber
Explorer

issue on route based vpn tunnel with checkpoint VSX and AWS

Hi,

I have built a site-to-site VPN tunnel between Check Point VSX and an AWS VPN gateway; this is a route-based VPN tunnel.

In high-level steps, what I did:

1- Created a virtual tunnel interface (VTI) using this command:

vsx_provisioning_tool -o add interface vd vs1 vpn_tunnel numbered peer AWS_Peer local y.y.y.y remote x.x.x.x tunnel_id 10

2- Added a static route for the AWS VPC CIDR; the gateway is z.z.z.z

3- Created a Mesh Community in the Check Point firewall with "Blank Domain Encryption"

4- Then created an ACL in the firewall with the VPN domain in the rule.

After completing these steps, I asked the remote end at the AWS side to initiate the traffic; then:

1- Both sides can be seen UP.

2- But traffic is getting blocked on the firewall with "No Reason For Block".

Then one thing that I noticed is: firewall traffic is coming via the VTI interface, while tunnel traffic is on the normal outbound interface of the firewall.

Any advice on how I can fix this issue?

Also, is there any step-by-step guide for building such a route-based VPN tunnel with AWS?

Your support is much appreciated!

0 Kudos
12 Replies
PhoneBoy
Admin

I presume you've followed the guide for setting up a VPN with Amazon VPC: https://support.checkpoint.com/results/sk/sk108958 
Please show the full log card where the traffic is dropped (redact sensitive details).
Also provide version/JHF of your Check Point equipment.

I suspect some additional debugging will also illuminate the situation: https://support.checkpoint.com/results/sk/sk180488 

0 Kudos
Chris_Atkinson
Employee

How did you configure the static route via SmartConsole or CLI?

That said, as I recall R81 and above support VTI only with dynamic routing for VSX.

CCSM R77/R80/ELITE
0 Kudos
kuber
Explorer

The static route conf I did via CLI, via the command I mentioned in my first post.

0 Kudos
Chris_Atkinson
Employee

Whilst I don't see it in your post above, this approach isn't supported on VSX.

CCSM R77/R80/ELITE
0 Kudos
kuber
Explorer

Hi Chris,

In high-level steps, what I did:

1- Created a virtual tunnel interface (VTI) using this command:

vsx_provisioning_tool -o add interface vd vs1 vpn_tunnel numbered peer AWS_Peer local y.y.y.y remote x.x.x.x tunnel_id 10

2- Added a static route for the AWS VPC CIDR; the gateway is z.z.z.z

3- Created a Mesh Community in the Check Point firewall with "Blank Domain Encryption"

4- Then created an ACL in the firewall with the VPN domain in the rule.

After completing these steps, I asked the remote end at the AWS side to initiate the traffic; then:

1- Both sides can be seen UP.

2- But traffic is getting blocked on the firewall with "No Reason For Block".

0 Kudos
Chris_Atkinson
Employee

This (step 2) doesn't show/detail the exact command used for the static route, but in VSX this shouldn't be done via CLI unless it is dynamic routing.

CCSM R77/R80/ELITE
0 Kudos
kuber
Explorer

I used this command, where I replaced the x and y by IP addresses.

vsx_provisioning_tool -o add interface vd vs1 vpn_tunnel numbered peer AWS_Peer local y.y.y.y remote x.x.x.x tunnel_id 10

0 Kudos
Chris_Atkinson
Employee

That is not creating the static route but the VTI interface.

Regardless, as stated above, dynamic routing is needed for this to be successful.

CCSM R77/R80/ELITE
0 Kudos
kuber
Explorer

Yes, sorry, VTI. The static route I added through SmartConsole, where the destination is the VPC and the gateway is what is mentioned in the configuration file received from the AWS side.

0 Kudos
Chris_Atkinson
Employee

Per sk79700, before R81, VTI on VSX wasn't supported.

Configure Dynamic Routing VPN through Virtual Tunnel Interface (VTI) in VSX.

Source: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_RN/Topics-RN/Whats-New.htm

CCSM R77/R80/ELITE
0 Kudos
kuber
Explorer

This solution is not workable; we are using R81.10, and VTI can be configured.

The problem is, traffic is passing from the configured VTI and getting blocked; not sure why it is not being accepted by the firewall ACL, since the tunnel is showing up.

Could anyone help here who has built this type of tunnel:

AWS to CP VSX gateway, route-based using VTI, blank encryption domain, and Mesh topology.

0 Kudos
Chris_Atkinson
Employee

Yes, VTI can be configured here, but it needs dynamic routing (BGP) to work on VSX.

If you've done this (not using static routes) and the issue persists please consult with TAC for troubleshooting assistance.

CCSM R77/R80/ELITE
0 Kudos