CPUG: The Check Point User Group


Thread: OSPF Route-based VPN questions

  1. #1
    OSPF Route-based VPN questions

    Hello,

    I am attempting to convert an existing regular Mesh VPN network to a route-based VPN using OSPF. However, I seem to be doing something wrong. I'll describe the steps I've performed, and results.

    1) Create VTIs on each peer referring to each other peer. Example:
    GW1 (4600 device R80.10)
    * VTI2 (to GW2) - 10.0.0.2
    * VTI3 (to GW3) - 10.0.3.2
    * VTI4 (to GW4) - 10.0.4.2
    GW2 (4600 device R80.10)
    * VTI2 (to GW1) - 10.0.0.3
    * VTI5 (to GW3) - 10.0.5.2
    * VTI6 (to GW4) - 10.0.6.2
    GW3 (1100 device R77.20)
    * VTI3 (to GW1) - 10.0.3.3
    * VTI5 (to GW2) - 10.0.5.3
    * VTI8 (to GW4) - 10.0.8.2
    GW4 (1100 device R75.20)
    * VTI4 (to GW1) - 10.0.4.3
    * VTI6 (to GW2) - 10.0.6.3
    * VTI8 (to GW3) - 10.0.8.3

    2) I then added all the VTI interfaces as OSPF members in a backbone area, and added the internal physical interface.

    3) I went to SmartConsole, fetched topology on each member gateway, added a rule to allow OSPF, and then pushed policy to all gateways.

    4) Tunnel appears to be up (as checked in vpn tu and Smart console monitor functions). However, I can't seem to ping across them (from VTI IP to VTI IP), and ospf neighbors are not being established across the VPN. The 2 4600s establish OSPF neighbors with the adjacent switch, as expected, and advertise /32 routes from the VTIs. The 1100s seem to be dropping the OSPF traffic (Clear text packet should be encrypted).

    I have found comments regarding removing/emptying the encryption domain of the VPNs. This I haven't done yet, and there are existing static routes left in place pointing at networks through the physical interfaces.

    Any advice on this would be appreciated
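As an added illustration (not the poster's own configuration), here is the VTI and OSPF part of the GW1 plan above written as Gaia clish for the 4600s; the peer object names GW2..GW4, the router ID and the internal interface name eth1 are assumptions, and the 1100s are configured through a different interface.

```clish
# Gaia clish on GW1 (4600, R80.10). Illustrative only: command syntax is the
# documented Gaia form; peer names, router-id and eth1 are assumed values.

# Step 1: one numbered VTI per peer. Local/remote addresses follow the thread's
# plan (GW1 side .2, far side .3). Gaia names the interface vt-<peer name>.
add vpn tunnel 2 type numbered local 10.0.0.2 remote 10.0.0.3 peer GW2
add vpn tunnel 3 type numbered local 10.0.3.2 remote 10.0.3.3 peer GW3
add vpn tunnel 4 type numbered local 10.0.4.2 remote 10.0.4.3 peer GW4

# Step 2: every VTI plus the internal physical interface in the backbone area.
set router-id 10.0.0.2
set ospf area backbone on
set ospf interface vt-GW2 area backbone on
set ospf interface vt-GW3 area backbone on
set ospf interface vt-GW4 area backbone on
set ospf interface eth1 area backbone on

save config

# Step 3 happens in SmartConsole, not clish. Points the thread later settles:
#  - the gateway's encryption domain must be an empty group, or the packet is
#    flagged for domain-based encryption before routing ever sees the VTI;
#  - the OSPF rule's VPN column must be Any Traffic, since VTI traffic never
#    matches a rule that requires a specific community;
#  - OSPF hellos go to 224.0.0.5, so the rule's destination must cover that
#    multicast address, not only the gateway or VTI addresses.
```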

  2. #2
    Re: OSPF Route-based VPN questions

    Yeah start with empty enc domain. That for sure is a problem.

  3. #3
    Re: OSPF Route-based VPN questions

    What happens if the domain isn't emptied on all members of the community? I ask because I'd like to test by removing it from two sites and confirm they can peer and such without affecting resources during business hours.

    For testing, I isolated 2 members in their own community and gave them an empty group for their encryption domain. show ospf neighbors produces no results, but upstream switches OSPF is off, as it was apparently causing exchange issues. I would think neighbor relationship between FWs should still establish. Cannot ping the VTI across the tunnel.
    Last edited by jcstefansson; 2 Weeks Ago at 10:24.

  4. #4
    Re: OSPF Route-based VPN questions

    Quote Originally Posted by jcstefansson View Post
    What happens if the domain isn't emptied on all members of the community? I ask because I'd like to test by removing it from two sites and confirm they can peer and such without affecting resources during business hours.

    For testing, I isolated 2 members in their own community and gave them an empty group for their encryption domain. show ospf neighbors produces no results, but upstream switches OSPF is off, as it was apparently causing exchange issues. I would think neighbor relationship between FWs should still establish. Cannot ping the VTI across the tunnel.
    Are you mixing domain and vti vpns? You could use vpn tu to clear any relation SPIs setup. When you say you can't ping across the vti are you still getting encryption errors? If so ospf isn't going to work until you can pass data across the vti.

    I think the key to the encryption domain is really that the encrypted traffic not match something in the encryption domain and that is how you can mix the two.

    BTW what does your ospf rule look like?

  5. #5
    Re: OSPF Route-based VPN questions

    At the moment, it is anyInternalNetworks-any-ospf-allow.

    The goal is to migrate totally to an OSPF route-based VPN, but until we get it working, there's a mix of domain and route based in the community. I can temporarily isolate the route based if need be.

  6. #6
    Re: OSPF Route-based VPN questions

    Quote Originally Posted by jcstefansson View Post
    What happens if the domain isn't emptied on all members of the community? I ask because I'd like to test by removing it from two sites and confirm they can peer and such without affecting resources during business hours.

    For testing, I isolated 2 members in their own community and gave them an empty group for their encryption domain. show ospf neighbors produces no results, but upstream switches OSPF is off, as it was apparently causing exchange issues. I would think neighbor relationship between FWs should still establish. Cannot ping the VTI across the tunnel.
    The encryption domains will definitely be a problem. They are consulted very early in the inspection of a packet (long before the routing decision) to determine whether the firewalls should encrypt it and if so, to which peer. To the firewalls, VTIs are just really, really long Ethernet cables connecting the firewalls directly. You need the connection not to be flagged for encryption before it tries to go out the VTI.

    The other major implication of this is related to rule configuration. When you specify a community in a rule, it requires the regular community matching with encryption domains. Traffic on VTIs does not match rules which require a particular VPN community. Be sure your rules for OSPF (and other traffic you want to cross the VPN) are set to Any Traffic.

    You can do this piecemeal, but it's per-gateway, not per-peering. Set one of the firewalls' encryption domains to an empty group and it will fall off of the regular VPN decision process. The others will still work between each other, as they still have their own encryption domains. All VPN decisions related to the one with the empty group would then be made by routing. I did this in a lab environment a few months ago and it definitely works.

    IMPORTANT NOTE: Be absolutely sure you have access to the one you pick which does not depend on the VPN. That way, if the VPN does not come up, you will be able to troubleshoot it effectively.
    Zimmie

  7. #7
    Re: OSPF Route-based VPN questions

    So the odd bit to me is that GW1 can talk to GW4 over the VTI (can ping the peer VTI), but the rest of the tunnels seem to be nonfunctional. What's extra weird about that is that GW4 still has its 'normal' encryption domain, it's the 3 that have empty ones that aren't working.

    I was thinking maybe it was a link selection issue, because the SA I see under vpn tu is a local address, but I see that the external interface is selected under link selection in Console.

    Edit: So I updated the primary IPs of the gateways to be their external IPs. This fixed the VTI communication issue, but unfortunately, the remote gateway doesn't behave well with policy pushes to its external. I'm able to fetch policy to force updates, but that's not an acceptable long term state.
    Last edited by jcstefansson; 2 Weeks Ago at 12:47.

  8. #8
    Re: OSPF Route-based VPN questions

    Quote Originally Posted by jcstefansson View Post
    So the odd bit to me is that GW1 can talk to GW4 over the VTI (can ping the peer VTI), but the rest of the tunnels seem to be nonfunctional. What's extra weird about that is that GW4 still has its 'normal' encryption domain, it's the 3 that have empty ones that aren't working.

    I was thinking maybe it was a link selection issue, because the SA I see under vpn tu is a local address, but I see that the external interface is selected under link selection in Console.

    Edit: So I updated the primary IPs of the gateways to be their external IPs. This fixed the VTI communication issue, but unfortunately, the remote gateway doesn't behave well with policy pushes to its external. I'm able to fetch policy to force updates, but that's not an acceptable long term state.
    Are you trying to route mgmt server access over a VTI by chance? I'd check routing in both directions to verify.

  9. #9
    Re: OSPF Route-based VPN questions

    Quote Originally Posted by jflemingeds View Post
    Are you trying to route mgmt server access over a VTI by chance? I'd check routing in both directions to verify.
    This is one of the major dangers of route-based VPNs. The firewalls need to be able to hit the SmartCenter to fetch the CRL. If they try to go over the VPN to get to the SmartCenter, you wind up with a circular problem. Can't get to the CRL to bring the VPN up without the VPN being up. It's easy to manage with encryption domains (just don't put the SmartCenter in the encryption domain).

    With route-based VPNs, you could use more specific routes to force traffic to the management server to not use the VTI. This is a bit fragile long-term (easy to forget you did it). On GAiA, you can use policy-based routing to instead route anything involving certain TCP ports (such as 18264 for CRL fetching) out your Internet pipe instead of the VTI. Again, easy to forget you've configured it, but it's perhaps a little less likely to break.
    I would run an fw monitor on the firewalls close to the SmartCenter and on the firewall you're trying to push to. See exactly what happens when you try to push policy and when you try to fetch. That should let you figure out how to change the push to get it working.
    Zimmie

  10. #10
    Re: OSPF Route-based VPN questions

    The OSPF neighbor relationship isn't establishing and there's a specific host entry for the Mgmt on the remote gateway which I would THINK should cause it to route out the internet and not on the VPN. Traceroute from the management leads to a timeout after it hits the local firewall, but traceroute from the local firewall shows the remote fw a single hop away (external interfaces share a subnet).

    I noticed that gaia config line I added to tell the remote firewall seems to remove itself periodically. I'm unsure why this is.

    Fw monitor during the push shows plenty of inbound traffic and it looks like it's conversing (I see replies back), but policy push still fails with TCP connectivity error (monitoring is still working, I can see active exchanges continuing on FW Monitor).

    I'm up to GW1 can talk to GW2 and GW3, but not GW4. GW2 is the same (can talk to all peers except GW4). GW3 can talk to GW1 and 2, but not 4. None of them are establishing OSPF neighbor relationships however.

    I see a number of drops on GW4 about Main Mode Peer does not support IKE. However, Monitoring on Console and on the 1100 itself show the tunnel is up.
    Last edited by jcstefansson; 2 Weeks Ago at 15:54.

  11. #11
    Re: OSPF Route-based VPN questions

    I had set this up 2 years ago: VPN ENC domains are empty on all route-based FWs. I was lucky that I started from scratch so I could test and tweak without any time pressure.

    FW rules state as 1st rule: allow OSPF

    [Attached screenshot: Capture2.jpg]

  12. #12
    Re: OSPF Route-based VPN questions

    Quote Originally Posted by jcstefansson View Post
    The OSPF neighbor relationship isn't establishing and there's a specific host entry for the Mgmt on the remote gateway which I would THINK should cause it to route out the internet and not on the VPN. Traceroute from the management leads to a timeout after it hits the local firewall, but traceroute from the local firewall shows the remote fw a single hop away (external interfaces share a subnet).

    I noticed that gaia config line I added to tell the remote firewall seems to remove itself periodically. I'm unsure why this is.

    Fw monitor during the push shows plenty of inbound traffic and it looks like it's conversing (I see replies back), but policy push still fails with TCP connectivity error (monitoring is still working, I can see active exchanges continuing on FW Monitor).

    I'm up to GW1 can talk to GW2 and GW3, but not GW4. GW2 is the same (can talk to all peers except GW4). GW3 can talk to GW1 and 2, but not 4. None of them are establishing OSPF neighbor relationships however.

    I see a number of drops on GW4 about Main Mode Peer does not support IKE. However, Monitoring on Console and on the 1100 itself show the tunnel is up.
    What do you see in a tcpdump on the VTI? Does any traffic at all come from the peer? Is the firewall sending OSPF hellos out?
    Zimmie

  13. #13
    Re: OSPF Route-based VPN questions

    Quote Originally Posted by Bob_Zimmerman View Post
    What do you see in a tcpdump on the VTI? Does any traffic at all come from the peer? Is the firewall sending OSPF hellos out?
    So when the tunnel is up, I don't seem to see any traffic going across it. I do see the OSPF hello packet counter increment, but I never actually see the packet on the tcpdump.

  14. #14
    Re: OSPF Route-based VPN questions

    Quote Originally Posted by jcstefansson View Post
    So when the tunnel is up, I don't seem to see any traffic going across it. I do see the OSPF hello packet counter increment, but I never actually see the packet on the tcpdump.
    I don't think tcpdump works on the VTI interface. You need to use fw monitor. I think the filter would be like 'ip_p=89,accept;'

    Oh, and turn off SecureXL before running fw monitor.

    Don't copy and paste the quote marks. They might come down as Unicode.

  15. #15
    Re: OSPF Route-based VPN questions

    Spent some more time on this this morning.

    Figured out what the policy push issue was, there was a no-NAT rule for management to firewall traffic (because it normally goes over fiber MPLS). I disabled that and then I was able to push policy. That also fixed OSPF and VPN between the 2 4600s.

    Now I'm working on getting the 1100s to participate in the policy-based community and establish OSPF relationships. Tunnels on them are up (I can ping the VTIs of both 1100s now).

    Filtering for 89 with fw monitor, I see the hello, found it being dropped (because the destination is 224.0.0.5, not the IP of the other gateways), added a rule to allow that. I've now got GW1, 2, and 3 peered and communicating, and 4 is talking to 1, but not 2 or 3. Looking into this more to figure out the config difference.

  16. #16
    Re: OSPF Route-based VPN questions

    How is this going?

  17. #17
    Re: OSPF Route-based VPN questions

    Quote Originally Posted by jflemingeds View Post
    How is this going?
    So we had it all up and going (except the one site that needed a firmware upgrade), and it went down when we pushed policy. We were able to inconsistently replicate this failure, but unable to diagnose it. After going down, it would stay down for 5-10 minutes then come back up. I think one of the times we got it to come back by purging IKE SAs and the connection table, but it also could have been a time out. We wound up being forced to roll back to domain based for now.

    Having a meeting to discuss whether we even need route-based, as the MPLS links are on a switch behind the firewall, so we could just do route injection by RIM and it seems at this point like that'd be the easier option.

    On the positive side, the ospf routing definitely worked, as at one point we were routing around a down tunnel to reach a site.

    Edit: Realizing that I didn't update the results of the test on GW4: We found that the 1100 running R75.20 could establish a tunnel with whichever site reached it first, but only the first site. Any further sites would fail. Upgrade to R77.20.20 should solve this.
