This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AlexandruD
Contributor
‎2024-01-29 12:55 PM

route based VPN antispoofing

Hello,

I have the following issue caused by the antispoofing mehcanism. (SMS is R81.20, SMB GWs are R81.10.08)

Two IPsec VPN peers (centrally managed SMB appliances) are connected via route based VPN, over an MPLS interconnection between the two.
The only routes associated with the MPLS connected interfaces (LAN7 on both peers), are the needed static routes in order for the peers to reach each other over the MPLS interconnection. The first peer's relevant VTI is vpnt3, and the second one's is vpnt2.
The logs show the following behavior, where the second peer is blocking icmp ping requests packets send by the first peer (source and destination IP addresses are of other internal interfaces of the peers):

origin is first peer - VPN blade - Encrypt action - vpnt3 outoging - src 172.17.0.1 - dst 172.18.0.1 - specific rule id matched
origin is second peer - VPN blade - Decrypt action - vpnt2 incoming - src 172.17.0.1 - dst 172.18.0.1 - specific rule id matched
origin is second peer - Firewall blade - Drop action - LAN7 incoming - src 172.17.0.1 - dst 172.18.0.1 - message info "Address spoofing"

On both peers, antispoofing is configured to be calculated by the gateway, based on its routing table. Routes to direct traffic via the route based VPN are generated via OSPF, which is running on the VTI interfaces inbetween the peers.
Now, I would disable antispoofing all toghether, as I find it unnecessary and annoying, the way it's performed by CP, but the resultant warning messages are just as annoying.

Does anyone know a solution for this, or perhaps knows hwo to disable antispoofing and the warning messages as well?

Thank you

0 Kudos
5 Replies
Bob_Zimmerman
Authority
Authority
‎2024-01-29 02:41 PM

Sounds like you have a routing loop. Traffic decrypted from a route-based VPN only shows up on the VTI. It never arrives on any real Ethernet interface. The ARM boxes definitely have some different behaviors, but I wouldn't expect this to be one of them. I would run a packet capture on LAN7 to see what's going on.

0 Kudos
the_rock
Legend
Legend
‎2024-01-29 03:52 PM

I agree with Bob here, just run captures and have a look. Can you send a screenshot of the topology? Please blur out any sensitive info.

Best,

Andy

0 Kudos
AlexandruD
Contributor
‎2024-01-29 05:16 PM

No route loops, nothing of interest on LAN7, but ESP traffic. For some reason it is UDP encapsulated (with no NAT applied).

0 Kudos
the_rock
Legend
Legend
‎2024-01-29 05:57 PM
In response to AlexandruD

Have a look at below, see if its helpful

Andy

https://support.checkpoint.com/results/sk/sk115276

0 Kudos
AlexandruD
Contributor
‎2024-01-30 11:17 PM
In response to the_rock

Thanks! But I'v checked and found no issues.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top