Matlu
Advisor

Connectivity with a remote VPN peer

Hello, everyone.

A question: I currently have an S2S IPsec VPN deployed, and I wanted to know whether, to "test" connectivity with the remote peer with a "ping" from the GW CLI, you need to have a security policy.

The IP of the remote peer is available from the Internet.
If you ping 200.60.70.9 from any point on the Internet, you can validate that the equipment responds to the Internet, but from my GW (from the CLI) it does not answer the ping.


Additionally, I wanted to validate the "negotiation of the packets exchanged" for the establishment of the VPN, with the command "tcpdump -penni any host <remote peer>", but I do not get any "result" in the console of the equipment, and I find it super weird.

The VPN is up, but I wanted to make sense of these things I'm talking about.

Thanks for any comments

0 Kudos
3 Replies
PhoneBoy
Admin

What version/JHF is the gateway?
Depending on your version, tcpdump doesn't always show what's going on when SecureXL accelerates the traffic.
cppcap can be used in this case.

What is the remote peer in this case?
If it is not a Check Point device and you try to ping the external IP, it may not work.
See: https://support.checkpoint.com/results/sk/sk108600
 

0 Kudos
Matlu
Advisor

Hello,

The JHF is Take 83, version R81.10

The remote peer is a FortiGate. The public IP of the remote peer is available to test connectivity from anywhere on the Internet.

If you test a ping from our Check Point cluster, well, it just doesn't work, and according to the logs, it seems that it is because the traffic is being sent over the VPN, and it matches implied rule 0.


Is there any way to correct this behavior?

Is there a way to ping from the GW to a remote peer, as a validation process of the device, before starting to "deploy" a VPN?

cppcap, is there a tool to help me "test" the negotiation process for a VPN?
Any reference guide for cppcap?

Regards.

0 Kudos
PhoneBoy
Admin

This is expected behavior, which is possible to address using the SK I linked previously (scenario 3).

0 Kudos
