CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.



#1   2006-03-24   pbhavsar (Junior Member, Join Date: 2006-03-20, Posts: 4)
Spoofing and VPN conflict.

I have two firewalls in a site-to-site VPN with the following settings:

10.10.10.1/24 (Anti-Spoofing domain 10.0.0.0/8, VPN domain 10.10.10.0/24)
|
111.111.111.1 FW1
|
222.222.222.2 FW2
|
10.20.20.1/24 (Anti-Spoofing 10.20.20.0/24, VPN domain 10.20.20.0/24)

I created a site-to-site VPN between FW1 and FW2. If I try to connect to PC 10.20.20.20 (behind FW2) from PC 10.10.10.10 (behind FW1), I cannot communicate. I get the following log on FW1:
1. Source 10.10.10.10, Dest. 10.20.20.20, interface internal, encrypted packet, accepted
2. Source 10.10.10.10, Dest. 10.20.20.20, interface external, packet drop

If I add 10.0.0.0/8 to the "don't check for Anti-spoofing" list on the external interface of FW1, the VPN works. But I am opening my network for external people to spoof into my network. Is there any other solution to fix my VPN problem?

FYI: I cannot change my anti-spoofing network on FW1 from 10.0.0.0/8.
#2   2006-03-25   Lackie (Senior Member, Ottawa, Canada, Join Date: 2005-08-22, Posts: 347)
Re: Spoofing and VPN conflict.

Well, the problem you are having is because you have 10.0.0.0/8 as the anti-spoofing network on your internal network. It's seeing traffic from the remote network (10.20.20.1) and thinks it's a spoofed address because it's coming in on the wrong interface: it's expecting it from your internal network, as that is how you have the anti-spoofing group set up.

You have two choices: you can not do anti-spoofing, or you can change your anti-spoofing group. As not doing anti-spoofing is a risk, you are left with changing your anti-spoofing group.

Good news is that there are two ways to do this:

1. Make a group with all of your internal networks and then use that group object for the anti-spoofing.

2. Create a group with exclusion object, using the 10.0.0.0/8 network and excluding the 10.20.20.0/24 network. This gives you the same as what you currently have but excludes the 10.20.20.x network from your internal network anti-spoofing and thus allows it through your firewall.

Now if you physically have a 10.20.20.x network on your internal network, you will have other problems with the VPN other than anti-spoofing.
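The anti-spoofing decision Lackie describes, modelled as an added Python example (this is not Check Point code and not from this thread). It runs the three addresses from the thread through three configurations: the original topology with 10.0.0.0/8 on FW1's internal interface, the "don't check" workaround pbhavsar tried on the external interface, and Lackie's option 2, a group with exclusion (10.0.0.0/8 minus 10.20.20.0/24). The model is simplified and its rules are assumptions: an inbound packet is checked by source address and an outbound packet by destination address against the topology of the interface it crosses, the external interface's topology is "everything no internal interface claims", and the "don't check" list exempts packets by source address. The packets, including the 10.10.10.50 spoof, are constructed for the example.

```python
# Added example (not Check Point code and not from this thread): a minimal model of
# interface anti-spoofing, used to show why FW1 drops the VPN traffic with 10.0.0.0/8
# on its internal interface, why the "don't check" workaround is dangerous, and why
# Lackie's exclusion group (10.0.0.0/8 minus 10.20.20.0/24) fixes it safely.
#
# Assumed simplifications: an inbound packet is checked by source address, an
# outbound packet by destination address, against the topology of the interface it
# crosses; the external interface's topology is "everything no internal interface
# claims"; the "don't check" list exempts packets whose source is in the list.
from ipaddress import ip_address, ip_network

REMOTE_VPN_DOMAIN = ip_network("10.20.20.0/24")   # behind FW2, from the thread
INTERNAL_NET = ip_network("10.0.0.0/8")           # what pbhavsar cannot change

# Topology = internal interface -> networks it claims. Anything else is "external".
TOPOLOGY_ORIGINAL = {"internal": [INTERNAL_NET]}
# Lackie's option 2: a group with exclusion, 10.0.0.0/8 minus 10.20.20.0/24.
TOPOLOGY_EXCLUSION = {"internal": list(INTERNAL_NET.address_exclude(REMOTE_VPN_DOMAIN))}


def in_topology(addr, iface, topology):
    """True if addr belongs to iface's anti-spoofing topology."""
    addr = ip_address(addr)
    claimed = any(addr in net for nets in topology.values() for net in nets)
    if iface == "external":
        return not claimed
    return any(addr in net for net in topology[iface])


def anti_spoof_verdict(pkt, topology, dont_check=None):
    """Return 'accept' or 'drop' for one packet crossing one interface.

    pkt: {"src", "dst", "iface", "direction"}; direction is "inbound" or "outbound".
    dont_check: {iface: [networks]} exempting packets by source address, like the
    "don't check" setting pbhavsar tried on FW1's external interface.
    """
    exempt = [ip_network(n) for n in (dont_check or {}).get(pkt["iface"], [])]
    if any(ip_address(pkt["src"]) in n for n in exempt):
        return "accept"
    checked = pkt["src"] if pkt["direction"] == "inbound" else pkt["dst"]
    return "accept" if in_topology(checked, pkt["iface"], topology) else "drop"


# Constructed packets at FW1, using the thread's addresses.
PACKETS = {
    # The logged drop: VPN traffic leaving FW1's external interface for the remote domain.
    "vpn_out": {"src": "10.10.10.10", "dst": "10.20.20.20",
                "iface": "external", "direction": "outbound"},
    # Decrypted reply from the remote domain arriving on the external interface.
    "vpn_in": {"src": "10.20.20.20", "dst": "10.10.10.10",
               "iface": "external", "direction": "inbound"},
    # A genuine spoof: an Internet host claiming an FW1-internal address (constructed).
    "spoof_in": {"src": "10.10.10.50", "dst": "10.10.10.10",
                 "iface": "external", "direction": "inbound"},
}


def evaluate(topology, dont_check=None):
    """Verdict for every constructed packet under one configuration."""
    return {name: anti_spoof_verdict(p, topology, dont_check) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, topo, exc in [
        ("original 10.0.0.0/8 on internal", TOPOLOGY_ORIGINAL, None),
        ("original + don't check 10.0.0.0/8 on external", TOPOLOGY_ORIGINAL,
         {"external": ["10.0.0.0/8"]}),
        ("exclusion group 10.0.0.0/8 minus 10.20.20.0/24", TOPOLOGY_EXCLUSION, None),
    ]:
        print(f"{label}: {evaluate(topo, exc)}")
```

Under the original topology all three packets are dropped, which matches the log in the first post. The "don't check" workaround accepts the VPN traffic but also accepts the spoofed 10.10.10.50 packet from the Internet, which is exactly the exposure pbhavsar was worried about. The exclusion group accepts both VPN packets, because 10.20.20.0/24 is no longer claimed by the internal interface and so counts as external, while the spoofed packet is still dropped.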
#3   2006-03-25   Sergej (Senior Member, Europe, Lithuania, Join Date: 2005-11-21, Posts: 291)
Re: Spoofing and VPN conflict.

Does "wire mode" VPN check for anti-spoofing? If wire mode skips anti-spoofing, you can enable this function for your tunnel on the FW1 side.
#4   2006-03-25   chillyjim (Senior Member, Upstate NY, Join Date: 2005-08-29, Posts: 1,670)
Re: Spoofing and VPN conflict.

AFAIK Wire mode bypasses all security checks