I've done this setup before, as much as I hate it, but it's been a while.
I've been trying to set up an interface-based tunnel with a 3rd party using a Checkpoint.
We can get the tunnel to establish, but traffic never gets accepted on his side, so we send and he doesn't receive.
We are trying to send two source IP ranges to a number of destination ranges.
The source ranges are 10.4.8.0/22 and 10.6.8.0/22 and the destinations are 10.152.20.0/24, 10.152.24.0/24, 10.152.21.0/24 and 10.152.128.0/24.
I set quick mode selectors between all networks and we get the tunnel established without difficulty.
The problem is we can't get any traffic to flow. I can see the outgoing traffic, and he can see it on his firewall but his firewall will not encrypt it.
After working with Checkpoint on it, they told him the issue is an overlapping subnet. They have defined the full 10.0.0.0/8 network on their Checkpoint firewall. I called BS slightly at that being the issue because we have a similar tunnel to them with ranges in that network from a different firewall that works fine. The main difference is the source is 10.0.8.0/22 and destinations are different.
At any rate - Checkpoint and the tech asked me if I could double-NAT to ranges not defined on their firewall, so I tried this:
Set up an IP pool for 10.4.8.0/22 to 192.168.12.0/22 and a pool for 10.6.8.0/22 to 192.168.16.0/22.
I adjusted the policies from 10.4.8.0/22 and 10.6.8.0 to the destinations to NAT to the IP pool. If I check traffic from a test device in 10.4.8.0, I see it has NATed to 192.168.12.1 as I'd expect and is trying to get to their destination. The tech on the other end swears he configured it right on his Checkpoint and repushed policy, but can't see the 192.168.12.1 traffic at all.
What confused me a little and had me question my config was when he told me the Quick Mode selectors were still establishing as the 10.4.8.0/22 network.
Now - I never changed the Quick Mode Selectors, because I'd never thought to do that and because the tunnel establishes, just no traffic flow.
Any suggestions? Have I missed something in my double-natting? Are the Quick Mode selectors a red herring?
Thanks!
Brent
The diag debug flow is your friend, but you need to ensure the proxy-IDs are unique on both ends. I too call bullshit, since the src/dst subnets you describe are NOT in any way duplicated between the FGT-<>-CHKP. Maybe those networks are duplicated with the other VPN tunnel that you mention later.
Either way, if your cfg is correct, it's probably 1> fw policy, 2> a missing or improper route, 3> the CHKP encryption domain is incorrect, or a combination of the above.
FGT
diag debug flow
diag vpn tunnel list name <insert tunnel name2 chkp>
CHKP
SC & encryptionRules should be looked at
the fw monitor should be used
PCNSE
NSE
StrongSwan
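What the FortiGate side of the setup described in this thread looks like when written out in the CLI, together with the debug commands the reply refers to. This is an added example, not Brent's configuration and not anything posted by the reply's author; the interface name "internal", the phase1 name "to-chkp", the address-object and pool names, and the test host 10.152.20.10 are all assumed. The detail worth noticing is that source NAT from the firewall policy is applied before the packet is encapsulated into the IPsec interface, so the phase 2 selector (quick mode proxy-ID) has to describe the post-NAT range 192.168.12.0/22 rather than the original 10.4.8.0/22, and the Checkpoint encryption domain has to list that same range; a selector that still says 10.4.8.0/22 will bring the tunnel up but will not match the NATed packets. Only one source range and one destination are shown; the other pool and destinations follow the same pattern.

```fortios
# Added example, not the poster's config. Assumed names: interface "internal",
# phase1 "to-chkp", and the address objects / pool defined below.

# Address objects: the real source range, the NATed range, one destination
config firewall address
    edit "net-10.4.8.0_22"
        set subnet 10.4.8.0 255.255.252.0
    next
    edit "net-192.168.12.0_22"
        set subnet 192.168.12.0 255.255.252.0
    next
    edit "net-10.152.20.0_24"
        set subnet 10.152.20.0 255.255.255.0
    next
end

# IP pool used by the policy: hosts in 10.4.8.0/22 are handed one address
# each out of 192.168.12.0/22 (one-to-one assigns in order of first use,
# which is why a first test host shows up as 192.168.12.1)
config firewall ippool
    edit "pool-10.4.8-to-192.168.12"
        set type one-to-one
        set startip 192.168.12.1
        set endip 192.168.15.254
    next
end

# Phase 2 selector carries the POST-NAT source, because NAT happens before
# the packet reaches the tunnel interface. The peer's encryption domain
# must contain 192.168.12.0/22 <-> 10.152.20.0/24 to match this.
config vpn ipsec phase2-interface
    edit "to-chkp-p2-1"
        set phase1name "to-chkp"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 192.168.12.0 255.255.252.0
        set dst-subnet 10.152.20.0 255.255.255.0
    next
end

# Route the destination into the tunnel interface (reply item 2)
config router static
    edit 0
        set dst 10.152.20.0 255.255.255.0
        set device "to-chkp"
    next
end

# Policy matches the REAL source and applies the pool (reply item 1)
config firewall policy
    edit 0
        set name "lan-to-chkp-nat"
        set srcintf "internal"
        set dstintf "to-chkp"
        set srcaddr "net-10.4.8.0_22"
        set dstaddr "net-10.152.20.0_24"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-10.4.8-to-192.168.12"
    next
end

# Troubleshooting from the reply. Filter on the destination host (constructed
# value) so the filter is unaffected by whether the source has been NATed yet;
# the trace prints the SNAT step and the tunnel the packet is sent into.
diagnose debug flow filter daddr 10.152.20.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# ... send test traffic from a 10.4.8.0/22 host, then stop the trace:
diagnose debug disable
diagnose debug flow trace stop
# Shows the negotiated selectors (proxy-IDs) and per-SA packet counters;
# the selector listed here is what must match the Checkpoint side.
diagnose vpn tunnel list name to-chkp
```

In the tunnel listing, the thing to compare against the Checkpoint is the src/dst selector pair on each SA: if it still reads 10.4.8.0/22, the NATed 192.168.12.x packets have no SA to use, which reproduces exactly the symptom in the thread (tunnel up, no traffic).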