RickyDan
Contributor

Solved: Need help with CloudGuard remote access VPN on Azure

I have a CloudGuard HA and management, and my problem is that remote access VPN is disconnecting roughly every 30 seconds. In the logs I can see "According to the policy the packet should not have been decrypted" as the reason the tunnel test is being dropped.

Setup

  • Frontend subnet has NSG allowing all inbound and outbound traffic
  • image is R81.10
  • frontend eth0 leads to "external"
  • backend eth1 leads to "this network"
  • office mode configured (10.255.255.0/24)
  • remote access vpn domain does not contain office mode range
  • anti-spoofing is off on both eth0 and eth1
  • vpn link selection is statically NAT'd IP: public cluster VIP
  • outgoing VPN link is private cluster VIP

Things I tried:

  1. Adding NAT rule as in sk106853 to translate tunnel test traffic to the public VIP to LocalGatewayExternal
  2. Adding policy rule as in sk44075 to accept tunnel test mapped to LocalGatewayExternal
  3. Modified (2) to also accept tunnel test to the public VIP
  4. Turned on anti-spoofing for office mode as in sk44075. Anti-spoofing for eth0 and eth1 still off
  5. Verified "accept control connections" and "accept remote access control connections" are checked

Solved: The public VIP has to be added to the remote access encryption domain. The other stuff in the "Things I tried" section is not needed, except to make sure the implied rules in (5) are selected.

8 Replies
K_montalvo
Advisor

Hello @RickyDan, I think the issue could be the office mode subnet configured (10.255.255.0/24). Try using another subnet.

RickyDan
Contributor

Changed it to 10.10.10.0/24 and it did not work.

Nir_Shamir
Employee

What did you choose under "VPN Link Selection"?

It should be "NATTED IP" with the public IP of your cluster VIP.

RickyDan
Contributor

Hi, yes, that is how it is configured. Forgot to put that in the post. The outgoing link is set as the private VIP.

Nir_Shamir
Employee

It needs to be the public VIP, not the private VIP.

RickyDan
Contributor

Hi, this is the current config for outgoing route selection. What do you recommend?

outgoing route selection:

out-1.PNG

setup:

out-2.PNG

source ip address setting:

out-3.PNG

Nir_Shamir
Employee

The outgoing is OK.

Under IPsec VPN in the GW properties there is "VPN Link Selection".

What did you choose there?

RickyDan
Contributor

That is set to statically NAT'd IP: public cluster VIP.