IPSec S2S: NON-RFC1918 network behind tunnel endpoint

Question asked by Julius Kaiser on Oct 25, 2017
Latest reply on Nov 1, 2017 by Julius Kaiser

Hello Folks,

the following questions may be pretty simple, but I'm kind of struggling to figure out a "lowest common denominator" for googling this subject.

My setup:

I have an IPsec tunnel between a Check Point 1430 (see below) and an interop device. The remote site is not under my control and uses a non-RFC1918 network behind the remote tunnel endpoint:

(172.16.10.0/24) [my CP] ---WAN-IP---===== ipsec ====---WAN-IP---[rem. INTEROP] (NON-RFC1918 as private network)

I just configured this non-RFC1918 network (a public /24 IP subnet) as (only) part of the encryption domain.

  • The tunnel is active.
  • Traffic (e.g. icmp) can be sent from remote site to my site and echo-reply reaches the remote site.
  • No traffic can be initiated from my site to the remote site (no reply) - tunnel still active.

My assumption:

My assumption is that Check Point just sees traffic for a public network and routes it to an interface with a public IP address or via the default route, but not into the tunnel.

My questions:

  • Is this assumption somehow correct? If not - how is it done?
  • show route all does not show any routes for VPNs (networks behind tunnels). This seems to be normal for CP. Is there another command for viewing routes in conjunction with VPN sites, or how is this thought out/done?

Thanks in advance.

Appliance: Check Point 1430 Appliance
Security Management: Locally managed
Version (Firmware): R77.20.40 (990171107)
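The assumption in the post (that the gateway looks up the public /24 in its routing table and sends it out the WAN instead of into the tunnel) is worth testing against how a domain-based IPsec VPN actually decides. The script below is an added illustration, not code from the original post or from Check Point: it emulates the two separate decisions a gateway makes for an outbound packet. First, the (source, destination) pair is matched against the local and remote encryption domains; only if that match fails does the routing table get a say via longest-prefix match. This is also why "show route all" shows nothing for the remote network: a domain-based VPN installs no route for it. The local LAN 172.16.10.0/24 comes from the post; the remote public /24 (203.0.113.0/24), the WAN subnet 198.51.100.0/24 and the gateway's WAN address are assumed stand-ins from the RFC 5737 documentation ranges.

```python
from ipaddress import ip_address, ip_network

# Encryption domains. 172.16.10.0/24 is the local LAN from the post; the remote
# public /24 is not named there, so the RFC 5737 documentation prefix
# 203.0.113.0/24 stands in for it (assumption, not the real remote network).
LOCAL_DOMAIN = [ip_network("172.16.10.0/24")]
REMOTE_DOMAIN = [ip_network("203.0.113.0/24")]

# A minimal routing table of the kind "show route all" would list on a gateway
# with one LAN and one WAN interface (WAN addressing 198.51.100.0/24 is assumed).
# Deliberately no entry for the remote domain: a domain-based VPN adds none.
ROUTES = [
    (ip_network("0.0.0.0/0"),       "default via 198.51.100.1 (WAN)"),
    (ip_network("172.16.10.0/24"),  "LAN1 (connected)"),
    (ip_network("198.51.100.0/24"), "WAN (connected)"),
]
GATEWAY_WAN_IP = "198.51.100.2"   # assumed address of the gateway's WAN interface


def in_domain(addr, domain):
    """True if addr falls inside any prefix of the given encryption domain."""
    a = ip_address(addr)
    return any(a in net for net in domain)


def longest_prefix_match(dst):
    """Classic routing-table lookup: the most specific matching prefix wins."""
    d = ip_address(dst)
    best = None
    for net, via in ROUTES:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def decide(src, dst):
    """Outbound decision for one packet leaving the gateway.

    Domain-based VPN: the packet is encrypted when its source lies in the local
    encryption domain and its destination in the remote one. Only that pair
    matters; the routing table is consulted for packets that do not match
    (and, on a real gateway, to reach the peer's WAN address itself).
    """
    if in_domain(src, LOCAL_DOMAIN) and in_domain(dst, REMOTE_DOMAIN):
        return ("encrypt", "IPsec tunnel to peer")
    return ("clear", longest_prefix_match(dst))


# Constructed flows mirroring the post's symptoms.
FLOWS = [
    ("172.16.10.20", "203.0.113.7"),   # echo-reply to a remote host, or a ping we initiate
    ("172.16.10.20", "192.0.2.10"),    # ordinary Internet traffic, not in any domain
    (GATEWAY_WAN_IP, "203.0.113.7"),   # same destination, but a source outside the domain
]

if __name__ == "__main__":
    for src, dst in FLOWS:
        action, detail = decide(src, dst)
        print(f"{src:>15} -> {dst:<15} {action:8} {detail}")
```

The first and third flows share the same destination in the remote public /24, yet only the first is encrypted: the VPN match is on the pair, so anything that rewrites the source to an address outside the local domain before the match (the gateway's own WAN address, for example, if a hide-NAT rule applied) drops the packet into the default route exactly as the post's assumption describes. A practical check on the real appliance is therefore to compare the NAT and VPN treatment of a locally initiated packet with that of the echo-reply that does work, since both carry the same (local, remote) pair.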
