How to enforce an IPSec Tunnel on a specific External NIC



DChontzopoulos
2008-02-20, 07:10
Hello there guys,

I've searched as much as I could, but, wasn't able to find a *solid* response to the question:

On Check Point NG R55W AI, can someone *force* a VPN Tunnel to be established on a specific External Network Interface Card? As you imagine, we have a Check Point NG R55W AI with 2 NICs on 2 different Switches, connected onto 2 different Routers, connected onto 2 different ISPs.

CP -------- ISP-A (CP NIC-A: 1.2.3.4)
|
|
|
ISP-B (CP NIC-B: 5.6.7.8)

NIC 1.2.3.4 is the one used in the Firewall-Object-Properties and where the License resides. We want to establish the VPN (Interoperable Device, NOT Check Point Firewall) on NIC 5.6.7.8.

What's happening is that we do send IKE Packets from NIC-B to the other side and when IKE Phase 1 is about to complete, the Firewall on the other side complains that the IP Addresses do not match for the IPSec Tunnel. In other words, even though the IKE connection initiated by NIC-B is correct, when IKE Phase 1 is about to complete, the IP Address within the Payload WE send is not for NIC-B, but for NIC-A... The actual message we get back from the other side is this:

IKE: Phase 1 Received Notification from Peer: payload malformed

I have tried the following:

- Policy, Global Properties, VPN, Advanced, "Resolving Mechanism", Enable dynamic interface resolving per gateway (must be defined per gateway)
- (then on the Gateway object) VPN, VPN Advanced, Dynamic Interface resolving configuration..., Enable dynamic resolution by peer VPN-1 gateways, Upon tunnel initialization
- Using GUIDBEdit, changed the following:
* IPSec_orig_if_nat from *true* to *false*
* IPSec_main_if_nat left as *false*

Some facts:
- Our Firewall is an NG R55W AI, HFA04, Hotfix011, Build 004
- The VPN Module is an NG R55W AI, HFA04, Hotfix011, Build 003
- The other Firewall is an Astaro something...
- We're running Traditional Mode

Any ideas, comments, remarks? Any help is greatly appreciated!!!

gavvys
2008-02-21, 09:24
Hi
Yes you can do this, you can enforce the tunnel through a particular interface.
This can be done with the help of Link Selection in VPN settings.
Go to checkpoint object-->VPN-->Link Selection.

Here you can select the option, "selected address from Topology Table".

I hope this will help you.

Regards
Ranjit

DChontzopoulos
2008-02-21, 09:31
Hi
Yes you can do this, you can enforce the tunnel through a particular interface.
This can be done with the help of Link Selection in VPN settings.
Go to checkpoint object-->VPN-->Link Selection.

Here you can select the option, "selected address from Topology Table".

I hope this will help you.

Regards
Ranjit

Hello Ranjit,

Unfortunately I don't have such an option because I'm running R55W NG AI... I think that this option is available from R62 onwards... Any help for R55W?

mcnallym
2008-02-21, 13:55
What you may find is that if you NAT your outbound traffic behind the IP of the NIC that you want it to leave on, and place a specific static route for the remote peer via that NIC's Router, along with a static route for the encryption domain of that gateway via the NIC's router, that you may get this.

We tried this when swapping over from one ISP to another and it seems to work for R55 where we NATted the traffic; where we didn't NAT, the remote gateway was seeing traffic from the New ISP range and failing.

DChontzopoulos
2008-02-21, 14:20
What you may find is that if you NAT your outbound traffic behind the IP of the NIC that you want it to leave on, and place a specific static route for the remote peer via that NIC's Router, along with a static route for the encryption domain of that gateway via the NIC's router, that you may get this.

We tried this when swapping over from one ISP to another and it seems to work for R55 where we NATted the traffic; where we didn't NAT, the remote gateway was seeing traffic from the New ISP range and failing.

The packets are routed properly from the NIC I want them to be routed from. In other words, when I send an initial IKE packet from my Host to the other Host, I can see the communication initiated by the correct NIC. It is when the 2 Firewalls begin to negotiate for Phase 2 that the issue arises. Then, the guy at the other end sees in the logs that:

- The ESP Payload is being sent by the correct NIC and IP Address, but
- Within the ESP Payload the Peer IP Address is wrong

This is the problem... I really don't think that NAT will do the trick, unless, the behavior of the Firewall changes when using NAT in conjunction with IPSec...

mcnallym
2008-02-21, 14:48
We were getting the exact same issue and it was NAT related, not so much as in NAT itself, but how the gateway was deciding to use which address in the payload.

The traffic was being routed correctly, but failing as the payload showed the other line IP address which was the node definition IP address.

Other VPNs were working correctly; however, they were all being NATted behind the IP of the interface that was being routed out of.

In R55 it will decide based on topology what IP to place. When not being NATted it was choosing the new line IP, which is the node-defined IP address. When NATting outbound traffic behind an IP range of the old line, the VPNs were still working.

Under NGX then Link selection allows you to perform source based decisions as well but NG doesn't.
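The symptom in the opening post (the peer sees the ESP/IKE packets arrive from NIC-B, but the identity inside the IKE payload is NIC-A's address) and the explanation just above (the gateway picks the identity from its topology, not from the egress interface) can be checked from a packet capture. The following is an added example, not Check Point code and not from anyone in this thread: it parses the ISAKMP (IKEv1) header and payload chain, pulls the IPv4 address out of the Identification payload, and compares it with the outer source IP of the packet. The sample message is constructed inline; the function names are this example's own. Note that in Main Mode the ID payloads travel in the encrypted messages 5 and 6, so on the wire this check only works for Aggressive Mode captures or for a decrypted debug dump; the parser refuses messages with the Encryption flag set rather than guessing.

```python
"""Detect an IKEv1 identity/source-address mismatch in an ISAKMP message.

Added example (not Check Point code). Sample packet is constructed below.
"""
import ipaddress
import struct

ISAKMP_HDR_LEN = 28
PAYLOAD_ID = 5        # ISAKMP payload type "Identification" (RFC 2408)
ID_IPV4_ADDR = 1      # IPsec DOI identification type (RFC 2407)
FLAG_ENCRYPTED = 0x01 # 'E' bit in the ISAKMP header flags


def parse_payloads(msg: bytes):
    """Yield (payload_type, body) for every payload after the ISAKMP header."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    # init cookie(8) resp cookie(8) next payload(1) version(1) exchange(1)
    # flags(1) message id(4) total length(4)
    _icky, _rcky, nxt, _ver, _xchg, flags, _mid, length = struct.unpack(
        "!8s8sBBBBII", msg[:ISAKMP_HDR_LEN])
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match message size")
    if flags & FLAG_ENCRYPTED:
        raise ValueError("payloads are encrypted; decrypt before inspecting")
    off = ISAKMP_HDR_LEN
    while nxt != 0:  # 0 = no next payload
        ptype = nxt
        if off + 4 > len(msg):
            raise ValueError("truncated generic payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        yield ptype, msg[off + 4:off + plen]
        off += plen


def id_payload_ipv4(body: bytes):
    """Return the dotted IPv4 address from an ID payload, or None if not ID_IPV4_ADDR."""
    id_type, _proto, _port = struct.unpack("!BBH", body[:4])
    if id_type != ID_IPV4_ADDR:
        return None
    if len(body) != 8:
        raise ValueError("ID_IPV4_ADDR data must be exactly 4 bytes")
    return str(ipaddress.IPv4Address(body[4:8]))


def check_identity(outer_src_ip: str, msg: bytes):
    """Compare the claimed IPv4 identity with the packet's outer source IP.

    Returns ("match"|"mismatch"|"no-id", claimed_ip).
    """
    claimed = [id_payload_ipv4(b) for t, b in parse_payloads(msg) if t == PAYLOAD_ID]
    claimed = [c for c in claimed if c is not None]
    if not claimed:
        return "no-id", None
    verdict = "match" if claimed[0] == outer_src_ip else "mismatch"
    return verdict, claimed[0]


def build_id_message(claimed_ip: str) -> bytes:
    """Constructed minimal Aggressive Mode ISAKMP message carrying one ID payload."""
    id_body = struct.pack("!BBH", ID_IPV4_ADDR, 0, 0) + ipaddress.IPv4Address(claimed_ip).packed
    payload = struct.pack("!BBH", 0, 0, 4 + len(id_body)) + id_body  # next=0 (last)
    total = ISAKMP_HDR_LEN + len(payload)
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                      PAYLOAD_ID, 0x10, 4, 0, 0, total)  # version 1.0, exchange 4 = Aggressive
    return hdr + payload


if __name__ == "__main__":
    # Constructed reproduction of the thread's situation: packet leaves NIC-B
    # (5.6.7.8) but the identity payload still names NIC-A (1.2.3.4).
    print(check_identity("5.6.7.8", build_id_message("1.2.3.4")))  # ('mismatch', '1.2.3.4')
    print(check_identity("5.6.7.8", build_id_message("5.6.7.8")))  # ('match', '5.6.7.8')
```

Run against real traffic, the outer source IP comes from the IP header of the UDP/500 datagram and the ISAKMP bytes from its UDP payload; a "mismatch" verdict is exactly what makes a strict peer reject Phase 1, and is a useful thing to log on the responder side before blaming the policy.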

DChontzopoulos
2008-02-21, 15:05
We were getting the exact same issue and it was NAT related, not so much as in NAT itself, but how the gateway was deciding to use which address in the payload.

The traffic was being routed correctly, but failing as the payload showed the other line IP address which was the node definition IP address.

Other VPNs were working correctly; however, they were all being NATted behind the IP of the interface that was being routed out of.

In R55 it will decide based on topology what IP to place. When not being NATted it was choosing the new line IP, which is the node-defined IP address. When NATting outbound traffic behind an IP range of the old line, the VPNs were still working.

Under NGX then Link selection allows you to perform source based decisions as well but NG doesn't.


So, I'll have to Apply Static or Hide NAT for outgoing packets originating from my Gateway?

DChontzopoulos
2008-02-21, 15:22
Here's what I'll do...

First off, I'll create two (2) new Hosts, one (1) containing the IP Address of the NIC I want to terminate the VPN on (CP NIC-B) and another one (1) containing the IP Address inside the "General Properties" portion of the Firewall Object. Then, I'll manually assign their respective Topology, by putting the name, IP Address and Subnet Mask of each of the NICs, as these are on the Topology of the Firewall Object. Then, I'll set up the following NAT rules and see how it goes:

1. (Orig) CP NIC-B - (Orig) Other-Peer - ANY | (Trns) Original - (Trns) Original - ANY
2. (Orig) CP NIC-A - (Orig) Other-Peer - ANY | (Trns) CP NIC-B Hide - (Trns) Original - ANY
3. (Orig) CP NIC-A - (Orig) Other-Peer - ANY | (Trns) CP NIC-B Static - (Trns) Original - ANY

CP NIC-A
IP Address: 1.2.3.4
Subnet Mask: 255.255.255.0
Name: E1000

CP NIC-B (this is where I want to terminate the VPN Tunnel on)
IP Address: 5.6.7.8
Subnet Mask: 255.255.255.0
Name: E1001

I'll try to see how it goes with only one of the above NAT rules activated (obviously) at a time and let you all know how it went...

mcnallym
2008-02-22, 13:26
I only seemed to have to NAT if going out an interface other than the DG, or the interface that shared an IP range with the Main IP of the node.

If going out of the same IP range as the Main IP of the node then worked fine.

DChontzopoulos
2008-02-22, 13:31
Here's what I'll do...

First off, I'll create two (2) new Hosts, one (1) containing the IP Address of the NIC I want to terminate the VPN on (CP NIC-B) and another one (1) containing the IP Address inside the "General Properties" portion of the Firewall Object. Then, I'll manually assign their respective Topology, by putting the name, IP Address and Subnet Mask of each of the NICs, as these are on the Topology of the Firewall Object. Then, I'll set up the following NAT rules and see how it goes:

1. (Orig) CP NIC-B - (Orig) Other-Peer - ANY | (Trns) Original - (Trns) Original - ANY
2. (Orig) CP NIC-A - (Orig) Other-Peer - ANY | (Trns) CP NIC-B Hide - (Trns) Original - ANY
3. (Orig) CP NIC-A - (Orig) Other-Peer - ANY | (Trns) CP NIC-B Static - (Trns) Original - ANY

CP NIC-A
IP Address: 1.2.3.4
Subnet Mask: 255.255.255.0
Name: E1000

CP NIC-B (this is where I want to terminate the VPN Tunnel on)
IP Address: 5.6.7.8
Subnet Mask: 255.255.255.0
Name: E1001

I'll try to see how it goes with only one of the above NAT rules activated (obviously) at a time and let you all know how it went...

Well... Tried the above, didn't work... I'm getting desperate now... Don't know what else to do... :-(