Occasional Contributor II

7210 behind Checkpoint firewall not doing UDP4500

Hi,

Setting up a remote VPN solution using a 7210 controller (working to Clearpass).

For security reasons, I have placed the controller behind a firewall. This is having traffic hit the public IP; Checkpoint NATs this to an internal address which the controller has.

The Checkpoint firewall is set to allow UDP & TCP 500/4500, so that should be all the IKE ports.

I can see traffic coming through, but when the controller starts to negotiate the traffic through UDP 4500, it fails and does not progress to this stage. It negotiates UDP 500; the next part of this VPN should then be UDP 4500, but the controller never sees that phase.

I checked the firewall's logs; I can see UDP 4500 being sent, but the controller doesn't get that far when I check the controller's logs.

Does anyone know if there's something different you need to do when the controller is behind a firewall with NAT? Is this Checkpoint being funny? (I enabled any port on the rule to see, and it still has the same behaviour.)

Do I have to do something to the controller's internal firewall by default?

Thanks
Guru Elite

Re: 7210 behind Checkpoint firewall not doing UDP4500

Is this a site-to-site VPN? If that is the case, you need to enable the "Enforce NAT-T" option in the site-to-site VPN configuration to only use UDP 4500.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor II

Re: 7210 behind Checkpoint firewall not doing UDP4500

It's a VPN solution for end users ... I can see from the logs that they start the negotiations on UDP 500, then it progresses to UDP 4500 and doesn't go any further. Almost like it hits that port but can't negotiate properly.

I'm struggling to see if it's a config issue on the controller or something the firewall is doing with that port.
Guru Elite

Re: 7210 behind Checkpoint firewall not doing UDP4500

Occasional Contributor II

Re: 7210 behind Checkpoint firewall not doing UDP4500

Will be using native Windows 10 client for VPN
Occasional Contributor II

Re: 7210 behind Checkpoint firewall not doing UDP4500

If I test UDP 4500 to the controller, it shows up in the "show datapath session | include 4500" command.

It shows when I generate some bogus traffic on that port ... I think this shows checkpoint is letting the traffic through.

This must be something on the controller not allowing the negotiations to proceed to the next phase?
Guru Elite

Re: 7210 behind Checkpoint firewall not doing UDP4500

Why don't you try a client on the same side of the firewall, so you can see all of the traffic?


MVP Guru

Re: 7210 behind Checkpoint firewall not doing UDP4500

I have seen in the past (that is, 10+ years ago) issues with Check Point where it decapsulated UDP 4500 traffic (into IKE/ESP) while it traversed the firewall. The firewall should not inspect/touch the traffic. I had to create a new service on UDP port 4500 that does not do any inspection, and use that explicitly in the matching rule to prevent the firewall from touching the VPN traffic.

I haven't touched a Check Point in a long time, so I can't really tell if this behaviour is still the case or where exactly to click. Bottom line, the firewall may destination-NAT the traffic but should not touch it in other ways.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
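To make the "decapsulated UDP 4500 into IKE/ESP" point concrete, the following is an added example (not code from this thread, from Aruba or from Check Point) that classifies what a UDP/4500 datagram carries using the RFC 3948 NAT-T framing: a one-byte 0xFF keepalive, a four-zero-byte non-ESP marker followed by an IKE header, or UDP-encapsulated ESP whose first four bytes are the SPI. The sample datagrams are constructed. A middlebox that strips that framing, or rewrites the marker, hands the VPN endpoint something this classifier would no longer recognise as IKE, which is the failure mode the post describes.

```python
"""Classify UDP/4500 datagrams per RFC 3948 NAT-T framing (added example).

Not code from the thread or from Aruba/Check Point; sample datagrams are
constructed for illustration.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948 s.2.2: prefixes IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"                  # RFC 3948 s.2.3: single-byte keepalive
IKE_HEADER = struct.Struct("!QQBBBBII")  # 28-byte ISAKMP/IKEv2 header
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def classify_nat_t_payload(payload):
    """Describe one UDP/4500 payload: keepalive, IKE, ESP or malformed.

    The non-ESP marker is unambiguous because an ESP SPI of zero is reserved,
    so real UDP-encapsulated ESP never starts with four zero bytes.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 8:  # ESP needs SPI+sequence; IKE needs marker+header
        return {"kind": "malformed", "reason": "too short for ESP or IKE"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER.size:
            return {"kind": "malformed", "reason": "IKE header truncated"}
        ispi, rspi, _next, ver, exch, flags, msg_id, length = \
            IKE_HEADER.unpack(ike[:IKE_HEADER.size])
        major, minor = ver >> 4, ver & 0xF
        return {
            "kind": "ike",
            "version": f"{major}.{minor}",
            "exchange_type": exch,
            "exchange_name": IKEV2_EXCHANGES.get(exch, "other") if major == 2 else "ikev1",
            "initiator_spi": ispi,
            "responder_spi": rspi,
            "message_id": msg_id,
            "length_ok": length == len(ike),  # header length must match datagram
        }
    spi, seq = struct.unpack("!II", payload[:8])
    return {"kind": "esp", "spi": spi, "sequence": seq}


def summarize(datagrams):
    """Count datagram kinds in a capture, e.g. to confirm IKE reaches UDP/4500."""
    counts = {}
    for payload in datagrams:
        kind = classify_nat_t_payload(payload)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed samples (not captured traffic):
# an IKEv2 IKE_SA_INIT request (initiator flag set) with the non-ESP marker,
# an ESP packet with SPI 0xC0FFEE01 and sequence 1, and a NAT keepalive.
SAMPLE_IKE_SA_INIT = NON_ESP_MARKER + IKE_HEADER.pack(
    0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HEADER.size)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16
SAMPLE_DATAGRAMS = [SAMPLE_IKE_SA_INIT, SAMPLE_ESP, NAT_KEEPALIVE]

if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        print(classify_nat_t_payload(d))
    print(summarize(SAMPLE_DATAGRAMS))
```

Run against a capture taken on the controller side of the firewall: if the client-side capture shows IKE datagrams on UDP/4500 but the controller-side summary shows none (only ESP-looking or malformed entries), the middlebox altered the NAT-T framing in transit.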
Occasional Contributor II

Re: 7210 behind Checkpoint firewall not doing UDP4500

Good suggestion; the problem was that the controller was NAT'd behind the gateway IP of the firewall itself. Proxy ARP on a new public IP solved the issue.

Essentially, an implicit rule within Checkpoint was blocking this traffic, as it must presume the traffic was destined for the gateway itself. Strange, because it showed as accepted in the logs; but turn on accounting in the log and it shows zero packet size.

I enabled the NAT to work behind a different address in the public IP subnet and it went through fine.

Got to love Checkpoint on stuff like this ...
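The "accepted in the logs, but zero bytes once accounting is on" observation is a useful detection in its own right. The following is an added example, not code from this thread or from any vendor, that runs over constructed key=value log lines (not Check Point's real log schema; adapt the field names to your firewall's export) and reports source/destination pairs where IKE on UDP/500 carried data but every accepted UDP/4500 record for the same pair shows zero bytes, which is the signature of a NAT-T session that is logged as allowed but never actually reaches the VPN endpoint.

```python
"""Flag 'accepted but empty' NAT-T sessions in firewall accounting logs.

Added example, not from the thread. The log layout is a constructed
key=value format; rename the fields to match your firewall's log export.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S+)")
IKE_PORT, NAT_T_PORT = 500, 4500


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; lines with no fields yield {}."""
    return dict(FIELD_RE.findall(line))


def stalled_nat_t_flows(lines):
    """Return sorted (src, dst) pairs whose UDP/500 traffic carried bytes while
    all accepted UDP/4500 records for that pair total zero bytes.

    Records without a 'bytes' field are skipped: that is what a rule without
    accounting enabled looks like, so enable accounting before trusting
    an empty result.
    """
    bytes_by_port = defaultdict(lambda: {IKE_PORT: 0, NAT_T_PORT: 0})
    seen_nat_t = set()
    for line in lines:
        f = parse_line(line)
        if f.get("action") != "Accept" or f.get("proto") != "udp":
            continue
        try:
            dport, nbytes = int(f["dport"]), int(f["bytes"])
        except (KeyError, ValueError):
            continue  # malformed record or accounting not enabled
        if dport not in (IKE_PORT, NAT_T_PORT):
            continue
        key = (f.get("src"), f.get("dst"))
        bytes_by_port[key][dport] += nbytes
        if dport == NAT_T_PORT:
            seen_nat_t.add(key)
    return sorted(
        key for key in seen_nat_t
        if bytes_by_port[key][IKE_PORT] > 0 and bytes_by_port[key][NAT_T_PORT] == 0
    )


# Constructed sample log (documentation-range addresses, not real hosts).
# 203.0.113.10 completes IKE on 500 but its 4500 records are accepted empty;
# 203.0.113.44 is a healthy NAT-T session; the TCP drop is noise.
SAMPLE_LOG = [
    "time=10:00:01 action=Accept proto=udp src=203.0.113.10 dst=198.51.100.5 dport=500 bytes=412",
    "time=10:00:01 action=Accept proto=udp src=203.0.113.10 dst=198.51.100.5 dport=500 bytes=380",
    "time=10:00:02 action=Accept proto=udp src=203.0.113.10 dst=198.51.100.5 dport=4500 bytes=0",
    "time=10:00:03 action=Accept proto=udp src=203.0.113.10 dst=198.51.100.5 dport=4500 bytes=0",
    "time=10:00:05 action=Accept proto=udp src=203.0.113.44 dst=198.51.100.7 dport=500 bytes=402",
    "time=10:00:05 action=Accept proto=udp src=203.0.113.44 dst=198.51.100.7 dport=4500 bytes=1220",
    "time=10:00:06 action=Drop proto=tcp src=203.0.113.99 dst=198.51.100.5 dport=22 bytes=60",
]

if __name__ == "__main__":
    for src, dst in stalled_nat_t_flows(SAMPLE_LOG):
        print(f"NAT-T stalled: {src} -> {dst} (UDP/4500 accepted with zero bytes)")
```

A pair reported here is worth cross-checking against the VPN endpoint's own session table (the "show datapath session | include 4500" output from earlier in this thread): if the firewall says Accept with zero bytes and the endpoint shows no matching session, the packets are being consumed before the destination NAT, exactly as happened with the gateway's own IP.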