Site to Site VPN gateway management

Moudar

Hi

I got a lab of cluster of 2 gateways. Now I want to add a branch office to the same SMS that manages the cluster.

The branch office has its own external IP for example 203.0.114.100 and main office 203.0.113.1

SMS server is 10.1.1.101 and its gateway is 10.1.1.1

How should NAT rules look like on both sides so that SMS 10.1.1.101 can have communication with the branch office (management traffic I think!)?

What I did is disable NAT inside VPN and add a manual NAT rule to prevent NAT on all networks that uses the VPN:

To be able to add the branch office to Smartconsole I had to add some static routes to my lab router to get connection with branch office

(this router represents the internet, so no static routes are possible, but only external IPs)

directly when I remove these routes I loose connection with branch office (Smartconsole loose connection)

I have created some VTIs between the cluster and the branch office and these can ping each other without the need of the static routes on the router, but still SmartConsole says B-GW lost connection!

Any Ideas!

the_rock

Do you have simple diagram of this?

Andy

Moudar

Moudar

Router configuration:

Test-router#show ip int b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         192.168.198.131 YES DHCP   up                    up
GigabitEthernet0/1         203.0.113.254   YES NVRAM  up                    up
GigabitEthernet0/2         203.0.114.254   YES NVRAM  up                    up

Gateway of last resort is 192.168.198.2 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.198.2
      192.168.198.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.198.0/24 is directly connected, GigabitEthernet0/0
L        192.168.198.131/32 is directly connected, GigabitEthernet0/0
      203.0.113.0/24 is variably subnetted, 2 subnets, 2 masks
C        203.0.113.0/24 is directly connected, GigabitEthernet0/1
L        203.0.113.254/32 is directly connected, GigabitEthernet0/1
      203.0.114.0/24 is variably subnetted, 2 subnets, 2 masks
C        203.0.114.0/24 is directly connected, GigabitEthernet0/2
L        203.0.114.254/32 is directly connected, GigabitEthernet0/2

My understanding is that if I would count this router as if it was the Internet, then no more configuration should be added!

203.0.113.254 is the gateway of the cluster

203.0.114.254 is the gateway of B-GW

emmap

Connections between gateways and management servers are excluded from VPNs, because the traffic is already encrypted and because you need the connection between gateway and management to be up before you can install the policy that would bring the VPN up. So you need to edit the SMS object and add a static NAT on there (installed on Cluster A) so that the SMS has a public IP that the branch gateway can communicate to.

You can change this, but it's not the best idea because if the VPN goes down and you need to do a policy install on the branch gateway to fix it, you're in trouble because there's no comms to the gateway.

See: https://support.checkpoint.com/results/sk/sk105719

And: https://support.checkpoint.com/results/sk/sk100583

Moudar

Thank you emmap!

What about this:

Should I choose that also? why and why not?

emmap

Yes tick that. https://support.checkpoint.com/results/sk/sk66381

Moudar

What should I do here?

emmap

Select the cluster that the SMS sits behind where it says 'Install on Gateway'.

Moudar

still getting this when trying to install policy on B-GW

tried fw unloadlocal on B-GW but got same result!

emmap

It's a network connectivity error, troubleshoot on the network hops along the way.

Moudar

When trying to ping the SMS NAT ip address 203.0.113.101 from the gateway i get this:

ping 203.0.113.101
PING 203.0.113.101 (203.0.113.101) 56(84) bytes of data.
From 203.0.113.3 icmp_seq=1 Destination Host Unreachable
From 203.0.113.3 icmp_seq=2 Destination Host Unreachable
From 203.0.113.3 icmp_seq=3 Destination Host Unreachable
From 203.0.113.3 icmp_seq=4 Destination Host Unreachable
From 203.0.113.3 icmp_seq=5 Destination Host Unreachable
From 203.0.113.3 icmp_seq=6 Destination Host Unreachable
From 203.0.113.3 icmp_seq=7 Destination Host Unreachable
From 203.0.113.3 icmp_seq=8 Destination Host Unreachable

is that a normal reaction?

the_rock

That would usually tell you there is no route to the destination. Do ip r g 203.0.113.101

Moudar

10.1.1.101 is the SMS which is published out using static NAT and 203.0.113.101, as you can see above

the gateway has interface at the same subnet

Moudar

I don't really understand!

[Expert@B-GW:0]#  ip r g 203.0.113.101
203.0.113.101 via 203.0.114.254 dev eth1 src 203.0.114.100

Moudar

that looks right, but why still cannot ping?

the_rock

Is it accessible by another service? Just ping fails?

Moudar

Maybe I see the problem!

If you look at the topology you can see SMS interafec eth1 connected directly to the cloud0 ( EVE-management ) That interface is there only so that I can run Smartconsole directly on my host, because I don't have enough resources to run a Windows machine on EVE.

When I ping 203.0.113.101 from B-GW I can see an "Accept log":

the log shows that the IP address of eth1 being NATed and not eth0 which have 10.1.1.101!

Why is that happening, and how to make the NAT rule apply on eth0 instead?

the_rock

What do you have configured in anti spoofing group? As per below:

Andy

Moudar

Moudar

When I do a traceroute from SMS to B-GW I get this:

 traceroute 203.0.114.100
traceroute to 203.0.114.100 (203.0.114.100), 30 hops max, 40 byte packets
 1   (10.1.1.3)  23.251 ms  25.409 ms  32.807 ms
 2  * * *
 3  * * *

10.1.1.3 is the gateway interface connected to SMS

The the cluster is 10.1.1.1 should 10.1.1.1 answer or 10.1.1.3?

The cluster has other interface 203.0.113.1 which points to the router 203.0.113.254

The router has other interface 203.0.114.254.

But as you can see the trace does not get there

even if i run this trace:

traceroute 203.0.113.254
traceroute to 203.0.113.254 (203.0.113.254), 30 hops max, 40 byte packets
 1   (10.1.1.3)  15.777 ms  24.790 ms  25.378 ms
 2  * * *
 3  * * *

So SMS cannot reach the router, the gateway could. What should I check more?

The policy is any any any accept so no problem there!

Amir_Senn

Hi,

Checkbox in the NAT tab adds the static NAT IP to a list of IPs in the inline rules that are allowed access (for example the management IP as appears in SC). If you installed policy without it you will lose connectivity unless you have explicit access control rule that allows it. If you got here - there's need to do fw unloadlocal on that GW and re-install policy (full, not accelerated path) to regain connectivity.

This will not 100% solve your issue. In some scenarios when using this configuration private IP GWs might use public IP or public IP GWs will try private IP. There's a way to force one or the other. Please follow this SK:

https://support.checkpoint.com/results/sk/sk171055

Kind regards, Amir Senn

Are you a member of CheckMates?

Site to Site VPN gateway management