This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
imamuzic
Collaborator
‎2024-07-30 07:59 AM
Jump to solution

orig_route_params kernel table

Hello,

I would like to know what is the kernel table "orig_route_params" used for? I understand it is basically ARP table for SecureXL, but when I open it I only see IP addresses in hex format and IP address of one of the gateway's interfaces. How to interpret this table?

 

Regards,

Igor

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-08-12 07:52 AM
In response to imamuzic
Jump to solution

orig_route_params maps the routing information (inbound interface, next-hop-router L2 addr) and the NAT-T source port to  how the NAT-T packet entered the gateway from the peer.
This is done so the gateway can send reply with same routing the packet as entered, and with peer’s current NAT-T port.
This applies for both Site-to-Site with DAIP gateways and Client-to-Site VPN.

So what’s in it?
The keys are the OM IP and user md5 in case of Endpoint. In case of DAIP the key is the DAIP ID.
The values including the port and the routing data (in kbuf as it includes the MAC address).

View solution in original post

16 Replies
PhoneBoy
Admin
Admin
‎2024-07-30 09:30 AM
Jump to solution

Appears to be related to SecureXL and VPN based on various SK articles.
I imagine it's a similar format to the connections table.

the_rock
Legend
Legend
‎2024-07-30 10:45 AM
Jump to solution

You can try below and see what you get.

Andy

[Expert@CP-GW:0]# fw tab -f -t orig_route_params
Using cptfmt
Formatting table's data - this might take a while...

localhost:
Date: Jul 30, 2024
13:44:28 5 N/A 3 172.16.10.249 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; : (+)====================================(+); Table_Name: orig_route_params; : (+); Attributes: dynamic, id 442, attributes: keep, sync, kbuf 1, expires never, , hashsize 16384, limit 10200; LastUpdateTime: 30Jul2024 13:44:28; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
[Expert@CP-GW:0]#

0 Kudos
imamuzic
Collaborator
‎2024-07-31 01:04 AM
In response to the_rock
Jump to solution

Yes, but what these IP addresses represents? In my output some of them are known IKE peers, but some of them are public IP addresses that are non existent neither as objects or log entries. 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-31 02:53 PM
In response to imamuzic
Jump to solution

VPN is definitely handled in SecureXL.
Check fwaccel conns output and see if there are any matches for other IPs.

0 Kudos
imamuzic
Collaborator
‎2024-08-01 07:08 AM
In response to PhoneBoy
Jump to solution

I've found only one match between SecureXL (fwaccell conns) and "orig_route_params" table and this is an IP address of another IKE peer. All other IP addresses found in the "orig_route_params " table are either local or remote IKE peers or public IP address I'm unable to reference to neither Interoperable objects or Gateways.

I would conclude that these unrelatable addresses are in the table because these are about unknown IKE end points attempting unsuccessful  IKE negotiation with the gateway, but then how come that there is no Log record about this?

Without these unrelatable addresses in the table I would conclude that this table simply stores IP addresses of either local or remote IKE Check Point locally managed  peers as these are SecureXL acceeleated IKE sessions, while 3rd party VPN peer's IKE sessions are handled by IKE VPN deamon and therefore should not be seen in the "orig_route_params" table, at least I figured so from Timothy_Hall's post on similar subject. 

0 Kudos
the_rock
Legend
Legend
‎2024-08-01 07:14 AM
In response to imamuzic
Jump to solution

Thats actually a good point, I saw the same in my lab and Azure lab as well, but could not see any logs for it either.

@imamuzic Whats the link to Tim's post about it?

Andy

0 Kudos
imamuzic
Collaborator
‎2024-08-01 07:23 AM
In response to the_rock
Jump to solution

Here you go: https://community.checkpoint.com/t5/Security-Gateways/Problem-with-MAC-address-on-the-wrong-interfac...

 

0 Kudos
the_rock
Legend
Legend
‎2024-08-01 07:38 AM
In response to imamuzic
Jump to solution

Got it, thanks!

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-01 09:24 AM
In response to imamuzic
Jump to solution

Might be worth a TAC case to investigate this more closely.
https://help.checkpoint.com 

0 Kudos
imamuzic
Collaborator
‎2024-08-02 01:16 AM
In response to PhoneBoy
Jump to solution

TAC brought me here actually 🙂 because we have an issue covered probably by sk180956, I asked 2 times TAC engineer why the issue is related to IPSec NAT-T and what is the purpose of the "orig_route_params" table and got 0 answers, so I was forced to investigate it by myself and so far concluded that this must be related to SecureXL IKE session acceleration and IPSec acceleration, but since SecureXL handles TCP/UDP only and NAT-T encapsulates ESP into UDP it must be why this SK is about NAT-T, although I'm confused a little bit because SecureXL actually accelerates ESP packets too...

So, this is why I came here hopping someone (from R&D perhaps) will clarify the sk180956 and "orig_route_params" table to me. 

0 Kudos
the_rock
Legend
Legend
‎2024-08-02 04:44 AM
In response to imamuzic
Jump to solution

Lets hope so...My understanding is also based on reading about it, it has to do vpn/sxl, but clarification would be nice.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-02 11:15 AM
In response to imamuzic
Jump to solution

It's definitely related to SecureXL and VPN based on the various SKs and SRs I looked at.
I'll see if I can get an answer from someone in R&D about it.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-08-12 07:52 AM
In response to imamuzic
Jump to solution

orig_route_params maps the routing information (inbound interface, next-hop-router L2 addr) and the NAT-T source port to  how the NAT-T packet entered the gateway from the peer.
This is done so the gateway can send reply with same routing the packet as entered, and with peer’s current NAT-T port.
This applies for both Site-to-Site with DAIP gateways and Client-to-Site VPN.

So what’s in it?
The keys are the OM IP and user md5 in case of Endpoint. In case of DAIP the key is the DAIP ID.
The values including the port and the routing data (in kbuf as it includes the MAC address).

imamuzic
Collaborator
‎2024-08-13 12:45 AM
In response to PhoneBoy
Jump to solution

Thank you for the thorough explanation. 

Regards,

Igor

 

0 Kudos
the_rock
Legend
Legend
‎2024-07-31 03:06 PM
In response to imamuzic
Jump to solution

Sorry mate, totally forgot to test this today. Let me set up bogus VPN community and run the command again and I will update shortly.

Apologies again.

Update...ran the command after creating test vpn community and it showed the IPs there. I will run it again in the morning.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-07-30 10:47 AM
Jump to solution

his sk also may be helpful.

Andy

https://support.checkpoint.com/results/sk/sk116453

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events