VPN to Checkpoint with encryption domain outside local network
Hello,
Being a network-admin-by-accident I'm facing the following issue:
I have to establish a VPN connection to a bank. On their end they have a Checkpoint; me, I'm enjoying the cosy world of Fortigate. They provided me with an encryption domain, which is not part of my local network. From what I understood, with Checkpoint the encryption domain would be the remote network (from the Checkpoint's point of view).
I'll try to describe what the setup looks like:
192.168.1.1/24 (local network) -> 10.11.12.13/32 (encryption domain) -> 172.16.17.0/24 (remote network)
I successfully established the tunnel:
diagnose vpn tunnel list name VPN_CHECKPOINT
list ipsec tunnel by names in vd 0
------------------------------------------------------
name=VPN_CHECKPOINT ver=2 serial=9 1.2.3.4:0->4.3.2.1:0 dst_mtu=1500
bound_if=22 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=11 ilast=18 olast=27432 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=VPN_CHECKPOINT proto=0 sa=1 ref=2 serial=7 auto-negotiate
src: 0:10.11.12.13:0
dst: 0:172.16.17.0/255.255.255.0:0
SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=867/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3301/3600
dec: spi=897b04f1 esp=aes key=32 4bf69c3e0baf81058168d547b657cb8611ff97befd9c97d116610abe73b7c147
ah=sha256 key=32 7eca988a785b9b0fbfce12088310eb2b75f8735d5b3e9eb5b6c0f5a4fcc62776
enc: spi=7be52b29 esp=aes key=32 5b222fef11a9c32bfc3917d7f48487e0aed2133b5a235ba7b50283c8f32cc0c2
ah=sha256 key=32 d5ed971452e8434548f71f51787a2858b3c03587f2166448ac6c4e7fe62c6c08
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
npu_flag=00 npu_rgwy=4.3.2.1 npu_lgwy=1.2.3.4 npu_selid=18 dec_npuid=0 enc_npuid=0
run_tally=1
Where I fail is setting up the rules/routing. How do I tell the Fortigate to route all traffic to 172.16.17.0/24 via this specific VPN and NAT everything with IP 10.11.12.13?
Any help is appreciated.
Regards
Labels: 6.4
Easy as 1-2-3.
1st, you need a route pointing out the interface named in your phase1-interface:
config router static
edit 0
set dst 172.16.17.0/24
set dev VPN_CHECKPOINT
end
Next, I would set up an IP NAT pool and use that in your firewall policy, plus a network object:
config firewall ippool
edit "10.11.12.13"
set startip 10.11.12.13
set endip 10.11.12.13
next
end
config firewall address
edit 172.16.17.0_24
set subnet 172.16.17.0/24
end
And last, a policy that allows the traffic:
config firewall policy
edit 0
set srcintf "BLAHBLAH"
set dstintf "VPN_CHECKPOINT"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"    <---- add what you need for services
set nat enable
set ippool enable
set poolname "10.11.12.13"
next
end
And monitor the policy on the firewalls.
On the Checkpoint they should see an inbound_SPI entry from your peer for 10.11.12.13, e.g. from the CLI in expert mode:
fw tab -t inbound_SPI -f -m | grep 10.11.12.13
fw tab -t vpn_routing -f -m | grep 10.11.12.13
or
vpn shell /show/tunnel/ike/peer all | grep -C 8 < public address or name of vpn-community >
vpn shell /show/tunnel/ipsec/peer all | grep -C 8 < public address or name of vpn-community >
My bill rate is 180 p/hr ;)
Ken Felix
PCNSE
NSE
StrongSwan
Ken,
You just made my day.
Worked like a charm!
Thanks a lot for your help and if ever I need paid help I surely will get back to you.
Enjoy your evening (for me it's time to go to bed, I'm in Europe ;))
Cheers!
Simon
Good.
Just remember to always use the post-NAT address in the phase2 selectors / VPN communities.
Ken Felix
PCNSE
NSE
StrongSwan
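As an added check (example code, not from this thread and not a Fortinet or Checkpoint tool), the Python below parses the proxy-id lines of `diagnose vpn tunnel list` and cross-checks them against the route, IP pool and policy from Ken's answer, so the post-NAT-address rule from his follow-up is verified before any traffic is sent. The dict layout for the route, pool and policy objects is an assumption made for the example; the sample diag text is copied from the original post with the SA key lines left out.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: proxy-id lines of `diagnose vpn tunnel list`, copied from the
# thread (SA key lines omitted). Real output indents the src:/dst: lines.
TUNNEL_DIAG = """\
name=VPN_CHECKPOINT ver=2 serial=9 1.2.3.4:0->4.3.2.1:0 dst_mtu=1500
proxyid=VPN_CHECKPOINT proto=0 sa=1 ref=2 serial=7 auto-negotiate
  src: 0:10.11.12.13:0
  dst: 0:172.16.17.0/255.255.255.0:0
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
"""
# The objects from the answer as plain dicts (assumed representation, not a FortiOS API).
ROUTE = {"dst": "172.16.17.0/24", "dev": "VPN_CHECKPOINT"}
IPPOOL = {"name": "10.11.12.13", "startip": "10.11.12.13", "endip": "10.11.12.13"}
POLICY = {"dstintf": "VPN_CHECKPOINT", "nat": True, "ippool": True, "poolname": "10.11.12.13"}

SEL_RE = re.compile(r"^\s*(src|dst): \d+:([\d.]+)(?:/([\d.]+))?:\d+$", re.M)

def parse_selectors(diag):
    """Return {'src': net, 'dst': net} for the phase2 proxy-id; a bare host is a /32."""
    sel = {}
    for m in SEL_RE.finditer(diag):
        sel[m.group(1)] = ip_network(f"{m.group(2)}/{m.group(3) or '255.255.255.255'}",
                                     strict=False)
    return sel

def check_design(diag, route, pool, policy):
    """Cross-check the negotiated selectors against route, IP pool and policy.
    Returns a list of findings; an empty list means the pieces agree."""
    sel, out = parse_selectors(diag), []
    start, end = ip_address(pool["startip"]), ip_address(pool["endip"])
    # The post-NAT address must sit inside the phase2 src selector (Ken's follow-up);
    # otherwise the peer sees packets from outside the agreed encryption domain.
    if not (start in sel["src"] and end in sel["src"]):
        out.append(f"ippool {start}-{end} not covered by phase2 src {sel['src']}")
    # The route must lead into the tunnel interface and be covered by the dst selector.
    if not ip_network(route["dst"]).subnet_of(sel["dst"]):
        out.append(f"route {route['dst']} not covered by phase2 dst {sel['dst']}")
    if policy["dstintf"] != route["dev"]:
        out.append("policy dstintf does not match the route's device")
    # Without source NAT into the pool the 192.168.1.x sources never match the selector.
    if not (policy["nat"] and policy["ippool"] and policy["poolname"] == pool["name"]):
        out.append("policy does not source-NAT into the agreed pool")
    return out

def tunnel_carried_traffic(diag):
    """True once the enc counter is non-zero, i.e. the policy and route actually matched."""
    return int(re.search(r"enc:pkts/bytes=(\d+)/", diag).group(1)) > 0
```

Run it against a fresh `diagnose vpn tunnel list` dump whenever the pool, route or selectors change; an empty findings list with the enc counter still at zero points at the policy (or the Checkpoint side) rather than the NAT design.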
Hi.
You will need to create an IP pool whereby you will map your external subnet to your local LAN.
Then, create a VIP to NAT one-to-many.
Then, update this VIP group on the outgoing policy under NAT "use Dynamic IP Pool". Then in the incoming policy, change your destination to the IP pool. Done.
