CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Routing question on 2 680's that are vpn'd together.

  1. #1
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    17

    Default Routing question on 2 680's that are vpn'd together.

    So I have 2 680's at 2 different locations. VPN is connecting them together.

    Site 1: Main Network: 172.16.1.1
    Site 1: Secondary Network defined on one of the lan ports: 10.1.1.1

    Site 2: Main Network: 192.168.1.1

    So at site 1 my workstations are all on the 172. network. They can ping and, more importantly, Remote Desktop Connect to devices on the 10. network with no problems at all.

    The problem is that at Site 2 I can't access anything on the 10. network. From Site 2 I can ping and RDC anything on the site 1 172. net without problems, just not anything on the site 1 10. network.

    Is it possible to get to the 10. network from the 192. network? I would think it should be.

    I tried creating some 'routes' that said to get to the 10. network, you need to go to the 172 network, but nothing worked.

    Do I need to create routes on both sides?

    Any insight would be appreciated.

    It's really great pulling data across these devices over FIOS at 75mbps. I'm soon going to have 150mbps on both sides. It'll be screaming then!

    Roveer
    Last edited by roveer; 2016-11-05 at 21:13.

  2. #2
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    11

    Default Re: Routing question on 2 680's that are vpn'd together.

    Can you share full routing table on each device/location?

  3. #3
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    17

    Default Re: Routing question on 2 680's that are vpn'd together.

    Quote Originally Posted by laf_c View Post
    Can you share full routing table on each device/location?
    Ignore the 192.168.200.0 & 192.168.201.0 networks for site 1, those are other subnets that I was using to separate devices from the 172.16.1.0 network at site 1.

    Site 1
    [Attachment: Site 1.jpg (Site 1 routing table screenshot)]

    Site 2
    [Attachment: site 2.jpg (Site 2 routing table screenshot)]
    Last edited by roveer; 2016-11-07 at 12:27.

  4. #4
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    11

    Default Re: Routing question on 2 680's that are vpn'd together.

    I wanted to see the routing table, because I wanted to make sure the 10.x network is behind another interface and NOT configured as a secondary IP address.
    Now this comes down to one of the two:
    - you have a firewall access/VPN misconfiguration
    - there's some kind of box limitation (which we can know for sure only after we troubleshoot the first option).

    Back to no. 1:
    - what SW version are you running?
    - is this a centrally managed or standalone deployment?
    - can you share the encryption domain for site 1: does it contain both networks?
    - do you have the vpn tu and vpn trunc utilities available? We need to look into the ike.elg file with regard to phase 2: what is the enc domain being sent by the appliance on site 1 when you ping 192.168.x.y from the 10.x network?

  5. #5
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    17

    Default Re: Routing question on 2 680's that are vpn'd together.

    Thanks for the detailed explanation. I'm sure we are probably going to find a mis-configuration. I was pretty lost when I was reading about encryption domains. I did all configuration using the gui.

    sw version: R77.20.20 (990170830) a new version is available but I haven't had time to update both boxes and deal with the issue that might come of it. Last upgrade didn't go well.

    stand-alone management.

    Site 1 encryption domain.
    [Attachment: site 1 encr domain.jpg (Site 1 encryption domain screenshot)]

    Tools: vpn tu and vpn trunc
    It does appear I have these tools. I PuTTY'd into the box and issued both and got responses. If you can assist with some syntax and process I can provide the info.

    I've captured an ike.elg while doing a ping from 10. to 192. I have ikeview. Can you tell me what/where to look for pertinent data? I don't want to post the file as it contains my public IPs.

    Thanks,

  6. #6
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    11

    Default Re: Routing question on 2 680's that are vpn'd together.

    Quote Originally Posted by roveer View Post
    Thanks for the detailed explanation. I'm sure we are probably going to find a mis-configuration. I was pretty lost when I was reading about encryption domains. I did all configuration using the gui.

    sw version: R77.20.20 (990170830) a new version is available but I haven't had time to update both boxes and deal with the issue that might come of it. Last upgrade didn't go well.

    stand-alone management.

    Site 1 encryption domain.
    [Attachment: site 1 encr domain.jpg (Site 1 encryption domain screenshot)]

    Tools: vpn tu and vpn trunc
    It does appear I have these tools. I PuTTY'd into the box and issued both and got responses. If you can assist with some syntax and process I can provide the info.

    I've captured an ike.elg while doing a ping from 10. to 192. I have ikeview. Can you tell me what/where to look for pertinent data? I don't want to post the file as it contains my public IPs.

    Thanks,
    Hold on please!
    Why don't you have the 10.1.1.0/24 network present on the last attached screenshot showing the Encryption domain?

  7. #7
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    17

    Default Re: Routing question on 2 680's that are vpn'd together.

    I noticed that too when I was posting the ED. Since I do all the configuring via the GUI and the ED is set to manual, I'm assuming that it doesn't automatically place any new subnets. I did throw it in yesterday as a quick test and it didn't seem to make a difference. I just looked, it's been in there overnight and I just tried from site 2 to site 1 and it still doesn't work.

    Do I have to define the 10. network on site 2 router in any way?
    Last edited by roveer; 2016-11-09 at 09:48.

  8. #8
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    17

    Default Re: Routing question on 2 680's that are vpn'd together.

    Any ideas what I can/should do next? I did place this subnet into the router's Encryption Domain. It didn't seem to make a difference.

  9. #9
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,668
    Rep Power
    14

    Default Re: Routing question on 2 680's that are vpn'd together.

    Quote Originally Posted by roveer View Post
    Any ideas what I can/should do next? I did place this subnet into the router's Encryption Domain. It didn't seem to make a difference.
    That missing 10. segment was for sure a major configuration issue. Did that change what you see in the logs? You should be looking on both firewalls.

    Any chance a NAT is messing with things? There should be an option to disable NAT on the VPN community as a test.

  10. #10
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    17

    Default Re: Routing question on 2 680's that are vpn'd together.

    NAT is disabled on both sides in the VPN configuration.

    where should I be looking in the logs? The appliance logs usually don't provide much information. I did pull an ike.elg and I do have ikeview but I'm not sure how to interpret what I am seeing. A little info and I should be able to figure it out. I'm fairly resourceful and willing to work and learn.

    Thanks,

    Roveer

  11. #11
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,668
    Rep Power
    14

    Default Re: Routing question on 2 680's that are vpn'd together.

    Quote Originally Posted by roveer View Post
    NAT is disabled on both sides in the VPN configuration.

    where should I be looking in the logs? The appliance logs usually don't provide much information. I did pull an ike.elg and I do have ikeview but I'm not sure how to interpret what I am seeing. A little info and I should be able to figure it out. I'm fairly resourceful and willing to work and learn.

    Thanks,

    Roveer
    Do a filter for the vpn blade in one session, attempt to send traffic to the 10.x and watch the logs on both firewalls.

    If you don't see anything on the vpn blade that looks like a failed key exchange or something then look for hits on the ip of the 10.x host.

    As far as ikeview, you're looking for anything that is red.

    IPsec has 2 phases, and since you have a working connection between two networks, that tells me phase 1 is good.

    Real quick: phase 1 is basically just chatter between the peers.
    Phase 2 deals with what network is behind which peer.

    My guess is, if it's a VPN connection failing, it's phase 2. An issue you might see is one firewall advertising a subnet bigger than you expect; lots of history on this issue.

    In ikeview you'll be able to see phase 2 stuff listed as P2. Then look in the right window for the subnets. If you don't see any red in ikeview, my guess is there is a new issue. The 10.x subnet missing from the remote encryption domain is an issue.

    I'll have to swing through your screenshots again. I'm pretty bad about missing stuff that was already posted.

    Hopefully that's enough to get you back into looking at stuff. tcpdump or a packet capture on the 10.x host might be useful also. Maybe the traffic is really getting there but not going back for some reason.

  12. #12
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,668
    Rep Power
    14

    Default Re: Routing question on 2 680's that are vpn'd together.

    BTW can you show the remote encryption domain from both site 1 and site 2?

  13. #13
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    17

    Default Re: Routing question on 2 680's that are vpn'd together.

    Absolutely. How do I see a "remote encryption domain"? I only see a "local encryption domain" from the GUI so I'm assuming I have to get it from the cli? Can you help with the command. I'm also looking for same as I write this.

    Roveer

  14. #14
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,668
    Rep Power
    14

    Default Re: Routing question on 2 680's that are vpn'd together.

    Quote Originally Posted by roveer View Post
    Absolutely. How do I see a "remote encryption domain"? I only see a "local encryption domain" from the GUI so I'm assuming I have to get it from the cli? Can you help with the command. I'm also looking for same as I write this.

    Roveer
    VPN tab -> VPN sites -> edit the vpn -> Remote Site tab

    Scroll down to Remote Site Encryption Domain.

    So site 1 should show all of site 2's networks in this section

    site 2 should show all of site 1's networks. Both sides should also be set to manual FYI.

  15. #15
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    17

    Default Re: Routing question on 2 680's that are vpn'd together.

    I just found another encryption domain in the GUI. This one is called "remote access local encryption domain". It was set to automatic on both routers. Maybe it needs to be set to manual and subnets placed in each?

    [Attachment: raed.jpg (remote access local encryption domain screenshot)]

  16. #16
    Join Date
    2007-10-12
    Posts
    141
    Rep Power
    17

    Default Re: Routing question on 2 680's that are vpn'd together.

    Quote Originally Posted by jflemingeds View Post
    VPN tab -> VPN sites -> edit the vpn -> Remote Site tab

    Scroll down to Remote Site Encryption Domain.

    So site 1 should show all of site 2's networks in this section

    site 2 should show all of site 1's networks. Both sides should also be set to manual FYI.
    THAT FIXED IT!!!

    The site 2 only had the main 172 subnet of site 1. It didn't have the 10. subnet. I just added it on site 2's rem enc dom and I can now access that 10 network from site 2.

    Many many thanks for helping me find my problem.

    I'm guessing it was 2-fold. First, I didn't have the 10 network in the local encryption domain, and second, I didn't have the 10 network in the remote encryption domain at site 2.

    Again, my thanks,

    Roveer
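The two-fold mismatch roveer describes above (site 1's local encryption domain and site 2's remote encryption domain both lacking the 10. subnet) is a phase 2 traffic selector disagreement. The following is an added example, not code from this thread or from Check Point: it models the check each peer applies before a flow can ride the tunnel, using the thread's subnets. The /24 masks and host addresses are assumptions, since the posts give only gateway IPs.

```python
# Added example (not from the thread): models the IPsec phase-2 selector check that
# both peers apply. A flow rides the tunnel only if the sending peer sees src in its
# local encryption domain and dst in its remote encryption domain, and the receiving
# peer sees the mirror image (which also covers the reply packets).
from ipaddress import ip_address, ip_network


def in_domain(addr, domain):
    return any(addr in net for net in domain)


def tunnel_check(src, dst, sender, receiver):
    """Return the encryption-domain mismatches that keep src->dst (and its reply)
    out of the tunnel; an empty list means both peers' selectors agree."""
    src, dst = ip_address(src), ip_address(dst)
    problems = []
    # sender encrypts only if src is local and dst is remote from its point of view
    if not in_domain(src, sender["local"]):
        problems.append(f"{sender['name']}: {src} not in local encryption domain")
    if not in_domain(dst, sender["remote"]):
        problems.append(f"{sender['name']}: {dst} not in remote encryption domain")
    # receiver accepts the SA only if the mirror image holds on its side
    if not in_domain(dst, receiver["local"]):
        problems.append(f"{receiver['name']}: {dst} not in local encryption domain")
    if not in_domain(src, receiver["remote"]):
        problems.append(f"{receiver['name']}: {src} not in remote encryption domain")
    return problems


def site(name, local, remote):
    return {"name": name,
            "local": [ip_network(n) for n in local],
            "remote": [ip_network(n) for n in remote]}


# Constructed from the thread; /24 masks are an assumption (posts give only gateway IPs).
SITE1_BEFORE = site("site1", ["172.16.1.0/24"], ["192.168.1.0/24"])
SITE2_BEFORE = site("site2", ["192.168.1.0/24"], ["172.16.1.0/24"])
SITE1_AFTER = site("site1", ["172.16.1.0/24", "10.1.1.0/24"], ["192.168.1.0/24"])
SITE2_AFTER = site("site2", ["192.168.1.0/24"], ["172.16.1.0/24", "10.1.1.0/24"])

if __name__ == "__main__":
    for label, s1, s2 in (("before", SITE1_BEFORE, SITE2_BEFORE),
                          ("after", SITE1_AFTER, SITE2_AFTER)):
        # site 2 host reaching site 1's main network, then site 1's 10. network
        print(label, "192.168.1.50 -> 172.16.1.50:",
              tunnel_check("192.168.1.50", "172.16.1.50", s2, s1) or "ok")
        print(label, "192.168.1.50 -> 10.1.1.50:",
              tunnel_check("192.168.1.50", "10.1.1.50", s2, s1) or "ok")
```

Fixing only one side (for example adding 10.1.1.0/24 to site 1's local domain but not to site 2's remote domain, as happened in post #7) still leaves one mismatch, which is why the test in post #7 made no difference.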

  17. #17
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,668
    Rep Power
    14

    Default Re: Routing question on 2 680's that are vpn'd together.

    Quote Originally Posted by roveer View Post
    THAT FIXED IT!!!

    The site 2 only had the main 172 subnet of site 1. It didn't have the 10. subnet. I just added it on site 2's rem enc dom and I can now access that 10 network from site 2.

    Many many thanks for helping me find my problem.

    I'm guessing it was 2-fold. First, I didn't have the 10 network in the local encryption domain, and second, I didn't have the 10 network in the remote encryption domain at site 2.

    Again, my thanks,

    Roveer
    Good to hear!
