alimohammed72 asked

Site to Site Tunnel

Hi
I am trying to establish a Site to Site VPN between two sites. The peer site has a public IP on their VPN gateway, but the other site (my home) is as follows....

I have a Checkpoint UTM-1 Edge X appliance at my home that is behind a Linksys router. The IP addresses on the appliance interfaces are WAN=192.168.1.10, LAN=10.1.1.1.

The Linksys has WAN=67.226.X.X, LAN=192.168.1.1

The question is, can we establish the tunnel with this configuration? The reason being that the WAN interface on the Checkpoint appliance is not public but rather private and NATed.


Thanks in Advance
Software Firewalls, VPN

Last Comment: The--Captain, 8/22/2022 - Mon
arnold

You have a double NAT, which could pose a problem. What are the LAN IPs and netmask of the peer site?
It cannot use 192.168.1.0, 10.0.0.0 255.0.0.0, or any other segment option that would include your 10.1.1.0/24.

Yes, you can still set up a site to site by configuring the Linksys to forward ports 500 (IPSEC) and 4500 (IPSEC NAT-T) to the WAN side of the Checkpoint.
On the other hand, do you have some devices that connect to the Linksys while you want other devices protected by the Checkpoint?
Or does the Linksys serve as a wireless access point as well?
ASKER
alimohammed72

The Linksys is my personal LAN router. My workplace wants me to work from home using their appliance, i.e. the Checkpoint appliance. I am trying to plug it into one of the LAN ports of the Linksys so that I do not have to remove my Linksys and also keep my company happy, but the question is, can we do it? Has anyone tried this kind of setup?
arnold

Yes, it is doable. The only network-related thing to address is that you must make sure the IPs used on your Linksys are different than those at your work.
Actually, since the appliance at your end will be initiating the VPN, you might not need to open any ports on the Linksys, but make sure that IPSEC passthrough is enabled.
Did you or your employer set up the appliance? You might fare better by not using a 10.x.x.x based network behind the appliance. Look at using something in the higher ranges of 192.168.x.y where x is in the 200's, or 172.x.y.z where x is between 22 and 30 (out of the normal range of 16-31).
Check with your VPN/networking folks to make sure the IP ranges you pick are not in use internally or in the location to which you need access.
My guess is that most of your setup relies on DHCP, so switching the DHCP configuration on the Linksys or on the appliance will not cause you too much trouble/hassle.

ASKER
alimohammed72

My LAN is using the 192.168.1.0 subnet on the Linksys.

My work is using the 10.1.1.0/24 subnet on the Checkpoint LAN and I cannot change this. The Checkpoint WAN is using 192.168.1.10 (this is connected to the Linksys).

I set up the Checkpoint appliance...
I checked the log on the appliance; it says the tunnel is established, but I am not able to ping anything on the destination (10.0.0.0/8), not able to connect to the mail server, etc...
ASKER
alimohammed72

The mail server is 10.94.16.8
arnold

You cannot use 10.1.1.x as the LAN side on the Checkpoint appliance!
This is where your problems are. You have an IP overlap.
The tunnel might get set up between the Checkpoint appliance and the office. But when you try to access anything in the office where the IP is 10.1.1.x, those packets are seen by your computer as local to its segment, since it also has an IP on 10.1.1.x.

Reconfigure your Checkpoint appliance to use, for example, a 172.25.245.x network and you should be set, with the workstation behind the Checkpoint appliance accessing resources in the office.
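The overlap arnold describes can be checked mechanically before touching the appliance. The script below is an added example for this thread, not code from the thread or from any Check Point tool. It takes the addresses posted above as constructed input (the segment names are labels chosen here), reports every home segment that overlaps a network reached through the tunnel, shows why a host on 10.1.1.0/24 never hands 10.1.1.x destinations to its gateway, and proposes the first /24 out of 172.16.0.0/12 that collides with nothing, the same block arnold points at. It generalises to any set of prefixes, not just the ones in this thread.

```python
import ipaddress
from itertools import product

# Constructed from the addressing posted in this thread. The names are labels
# chosen for this example; they are not taken from the appliance's configuration.
HOME_SEGMENTS = {
    "linksys-lan": "192.168.1.0/24",  # home LAN, also carries the Edge WAN address 192.168.1.10
    "edge-lan": "10.1.1.0/24",        # LAN behind the Checkpoint appliance
}
OFFICE_SEGMENTS = {
    "office-encryption-domain": "10.0.0.0/8",
    "mailserver": "10.94.16.8/32",
}


def find_conflicts(local, remote):
    """Return sorted (local_name, remote_name) pairs whose prefixes overlap.

    A local segment that overlaps a network reachable through the tunnel is a
    problem: hosts on that segment treat the overlapping remote range as on-link
    and never send the traffic to the VPN gateway.
    """
    local_nets = {n: ipaddress.ip_network(c, strict=False) for n, c in local.items()}
    remote_nets = {n: ipaddress.ip_network(c, strict=False) for n, c in remote.items()}
    return sorted(
        (lname, rname)
        for (lname, lnet), (rname, rnet) in product(local_nets.items(), remote_nets.items())
        if lnet.overlaps(rnet)
    )


def reaches_via_gateway(host_interface, destination):
    """True if a host configured as host_interface (e.g. '10.1.1.5/24') would send
    traffic for destination to its default gateway instead of resolving it on-link."""
    iface = ipaddress.ip_interface(host_interface)
    return ipaddress.ip_address(destination) not in iface.network


def suggest_replacement(avoid, candidate_block="172.16.0.0/12", new_prefix=24):
    """Return the first subnet of candidate_block (default: RFC 1918 172.16/12 split
    into /24s) that overlaps none of the networks in avoid, or None if none is free."""
    avoid_nets = [ipaddress.ip_network(c, strict=False) for c in avoid]
    for subnet in ipaddress.ip_network(candidate_block).subnets(new_prefix=new_prefix):
        if not any(subnet.overlaps(a) for a in avoid_nets):
            return str(subnet)
    return None


if __name__ == "__main__":
    print("overlapping segments:", find_conflicts(HOME_SEGMENTS, OFFICE_SEGMENTS))
    for dest in ("10.1.1.50", "10.94.16.8"):
        print(f"10.1.1.5/24 -> {dest}: via gateway = {reaches_via_gateway('10.1.1.5/24', dest)}")
    in_use = list(HOME_SEGMENTS.values()) + list(OFFICE_SEGMENTS.values())
    print("candidate replacement for edge-lan:", suggest_replacement(in_use))
```

Run it as-is and the only conflict reported is edge-lan against the office 10.0.0.0/8 domain; swap edge-lan for the suggested 172.16.x.x/24 (or arnold's 172.25.245.x) and the conflict list is empty. Feed `avoid` every prefix your VPN team says is in use so the suggestion is one they have not already allocated.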
ASKER
alimohammed72

I am using Hide-NAT on the appliance to avoid the overlap
arnold

You are double NATted, i.e. the Linksys NATs, then your Checkpoint NATs.
Is it an option to test out a possible IP overlay conflict, even with the steps you've taken? Alter the LAN IPs to be on the 172.16-31 network block, trying to stay away from the same segments on the LAN as the one on the Linksys and the one at the office.
See if that makes a difference. Is placing the appliance front and center, replacing the Linksys, an option?
ASKER
alimohammed72

So double NAT does not work for VPN?
arnold

A VPN can be established through a double NAT, but the segments used in the VPN path cannot exist on both sides.
Your EDGE-X appliance has a 192.168.1.x IP address for the WAN.
Your Linksys LAN IP segment is also on the same 192.168.1.x.

Change one of the LAN networks to something other than 192.168.1.x and see if that fixes it.
ASKER
alimohammed72

Because the EDGE-X WAN is connected to one of the ports on the LAN side of the Linksys, that is why they are on the same LAN, and that is how I wanted it, as I want the Edge to be behind the Linksys.
arnold

Are you testing your VPN setup while the appliance is behind the Linksys?
You may need to disable the check on the Linksys that deals with same-interface traffic, which is how your VPN connection is seen: coming out of the LAN, going out of the WAN, and then trying to come back in through the WAN.

This might be what is preventing the VPN from establishing, in addition to the same IP segment overlay.

The setup you outline can work as long as there are no IPs that could be in conflict. The use of 192.168.1.x is such a condition that may pose a problem.
Your Linksys will advertise the 192.168.1.x as a LAN in the VPN, which your router already sees as its WAN.
ASKER CERTIFIED SOLUTION
The--Captain
