CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  2006-03-14  mogmismo
Radius authentication over Site-to-Site

Setup:

I've got 2 firewalls (We'll call them A and B) with a site-to-site VPN. Firewall A has our radius servers behind it, and also is the primary site for SecureClient connections. Both firewalls are listed in the community for remote access.

Situation:

When SecureClients come in to firewall A, then request a resource behind firewall B, firewall B uses an implied rule (0) to send the traffic to our radius servers. This implied rule sends the traffic out of firewall B unencrypted and not down the tunnel. It gets dropped by the upstream router because it's to a 192.168.x.x internal address.

Things I've tried:

Called Check Point tech support. Their answer is to change from a mesh to a star and route all traffic through the 'hub'. I don't want to do this.

I've tried NATing the packets in my address translation on both ends so that the packets flow over the internet (we use CryptoCard, so they are one-time passwords; I'm not super concerned). Still, rule 0 sends the traffic ~before~ the NATing.

Help?

Anyone know a way out of this maze? How do I get the traffic to the radius servers to get to their destination (hopefully, but not required, over the site-to-site)? Any help would be greatly appreciated.

M.
__________________
---
Michael Tracey
Sonopress, LLC
firstname (dot) lastname (at) Sonopress (dot) Com

#2  2006-03-14  Binary_01

I'm not a guru in Checkpoint... yet ;-) but I'll give it a shot at helping you...

Do you have "accept all encrypted traffic" checked under the general properties of your meshed community?

#3  2006-03-14  Lackie

Go into Global Properties and, if you have a check in 'Accept outgoing packets originating from the gateway', make sure the drop-down list has 'Before Last' selected.

If you have it set to 'First', then what happens is that the packet hits this rule before any encrypt rules that you have in your rulebase.

#4  2006-03-15  mogmismo

Lackie, I do have 'Accept outgoing packets originating from gateway' checked, and it's set to "Before Last", so this isn't the fix. I appreciate the try; any other ideas?

Binary_01, I do not have the "Accept all encrypted traffic" checked on either firewall, but not sure it would help, as the packets are not encrypted.

Any other suggestion or additions to these posts?

Thanks for all your help,

M.

#5  2006-03-15  Lackie

Ok, I think I was on the right track but the wrong rule. Looking at the implied rules of my policy, there is one that has the following:

Source        Destination       Action
FW1 Module    Radius Servers    Accept

The unfortunate part is that this is part of the implied rule 'Accept VPN-1 Pro/Express Control Connections'. If you disable this, you will have a fun time rebuilding all of your implied rules manually. Unfortunately, this is the only way I can think of to override the problem that you are seeing.

#6  2006-03-17  petegdr

Depending on what version you are on, you could try the procedure in sk13626. We used this when we were running NG. Unfortunately it stopped working when we upgraded our management station to NGX.

#7  2006-03-17  czech12

Sorry guys, this is just a test.
__________________
====================
Aaron Vivo
CCSE Plus, CCMSE, NSA
====================

#8  2006-04-19  Izzio

Hello people,

I've the same problem.
The interesting question for me is:
How is it possible to deactivate one or more implied rules of the "accept VPN-1 & FW-1 control connections" group?

Thanks a lot for any feedback.

Maurizio

#9  2006-04-19  petegdr

You need to edit the implied_rules.def file on the management station. Depending on what you have installed there may be more than one file in separate directories. One for R60, one for R55W, one for NG, etc.

#10  2006-11-09  lmhost

Hi guys, any help appreciated.
I also have the same site-to-site RADIUS implied rules issue
since I upgraded to NGX R60.
Before, on R55, this worked by doing this:
- exit the GUI
- cpstop on the management server
- modify the implied_rules.def file and comment out or delete the ENABLE_RADIUS_SERVER line
- cpstart
- push policy out to the modules

But after the upgrade this does not work anymore.
So if anybody has solved this issue, please help!

#11  2006-12-05  cpuguser

I'm having the same problem with this since upgrading to NGX. Does anyone have an update? Thanks.

#12  2006-12-05  mogmismo

Yep, we're still in the same boat too. Has anyone tried this with R61? (Willing to upgrade if it'll fix the issue)

M.

#13  2006-12-06  cpuguser

I'm on R61, HFA-01.

But: that's for the SmartCentre only, enforcements (both central and branch) are still on NG AI R55.

Are all your modules on NGX?

Thanks.

#14  2006-12-06  cpuguser

OK - I've fixed my problem:

Because my enforcements are still on NG AI, I needed to edit the /opt/CPngcmp-R61/lib/implied_rules.def file, not the $FWDIR/lib/implied_rules.def file ($FWDIR points to /opt/CPsuite-R61/fw1).

Regards.
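The fix that lmhost and cpuguser describe (comment out the ENABLE_RADIUS_SERVER line in implied_rules.def on the management station, and on an NGX management that still drives NG AI modules, edit the copy in the CPngcmp compatibility package rather than the one under $FWDIR/lib) is easy to get wrong because there can be several copies of the file. The script below is an added example, not code from the thread or from Check Point: it scripts that edit for every lib/implied_rules.def under a root such as /opt, keeping a dated backup of each file it touches, and checks afterwards that no active line is left. It assumes, as the posts do, that the rule is toggled by a line containing the token ENABLE_RADIUS_SERVER and that INSPECT honours "//" comments; the sample file it builds for the demo is constructed and is not the real implied_rules.def. The cpstop before the edit, and cpstart plus a policy install after it, are left to the operator exactly as lmhost lists them.

```shell
#!/bin/sh
# Added example for this thread; not Check Point code and not supplied by
# any poster. Comments out the ENABLE_RADIUS_SERVER line in every
# implied_rules.def under ROOT so that both $FWDIR/lib and the NG
# compatibility package (e.g. /opt/CPngcmp-R61/lib) are covered.
# Assumptions not stated in the thread: plain-text file, INSPECT "//"
# comments are honoured, and the RADIUS implied rule is toggled by a line
# containing the token ENABLE_RADIUS_SERVER. Run cpstop first; cpstart and
# a policy install afterwards.

# radius_implied_rule_active FILE
#   Exit 0 when FILE still carries an uncommented ENABLE_RADIUS_SERVER
#   line, i.e. the implied RADIUS rule is still switched on.
radius_implied_rule_active() {
    grep -v '^[[:space:]]*//' "$1" 2>/dev/null | grep -q 'ENABLE_RADIUS_SERVER'
}

# disable_radius_implied_rule ROOT
#   Walks ROOT for */lib/implied_rules.def, backs up each file it changes
#   and prefixes every active ENABLE_RADIUS_SERVER line with "// ".
#   Prints the number of files changed; files already disabled are skipped.
disable_radius_implied_rule() {
    root="$1"
    changed=0
    for f in $(find "$root" -type f -path '*/lib/implied_rules.def' 2>/dev/null); do
        radius_implied_rule_active "$f" || continue
        cp -p "$f" "$f.bak.$(date +%Y%m%d)"
        # 'b' skips lines that are already comments; the rest get the prefix
        sed -e '/^[[:space:]]*\/\//b' \
            -e '/ENABLE_RADIUS_SERVER/s|^|// |' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
        changed=$((changed + 1))
    done
    echo "$changed"
}

# make_sample_tree DIR
#   Constructed stand-in for a management station carrying both the native
#   R61 package and the NG compatibility package. The file contents are
#   invented for the demo and are not the real implied_rules.def.
make_sample_tree() {
    dir="$1"
    mkdir -p "$dir/CPsuite-R61/fw1/lib" "$dir/CPngcmp-R61/lib"
    for lib in "$dir/CPsuite-R61/fw1/lib" "$dir/CPngcmp-R61/lib"; do
        cat > "$lib/implied_rules.def" <<'EOF'
// constructed sample; not the real Check Point file
#define ENABLE_VPN_CONTROL_CONNECTIONS
#define ENABLE_RADIUS_SERVER
// #define ENABLE_RADIUS_SERVER   (already commented, must be left alone)
EOF
    done
}

# Demo: build the sample tree in a scratch directory, disable the rule and
# show the before/after state of the compatibility-package copy.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
compat="$demo_root/CPngcmp-R61/lib/implied_rules.def"
radius_implied_rule_active "$compat" && echo "before: RADIUS implied rule active"
echo "files changed: $(disable_radius_implied_rule "$demo_root")"
radius_implied_rule_active "$compat" || echo "after: RADIUS implied rule disabled"
cat "$compat"
rm -rf "$demo_root"
```

On a real management station the call would be disable_radius_implied_rule /opt between cpstop and cpstart, and radius_implied_rule_active on each copy afterwards is the check that the edit reached the file the modules are actually compiled against; a second run reports 0 changed files, so the script is safe to repeat after an upgrade.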