When connected with an L2TP client to the Security Gateway's alias IP address, the returned encrypted traffic is sent out with the source IP address of the physical interface
Solution ID: sk116655
Product: IPSec VPN
Version: R77 (EOL), R77.10 (EOL), R77.20, R77.30 (EOL)
Platform / Model: All
Date Created: 02-Apr-2017
Last Modified: 09-Apr-2017
Symptoms
When connected with L2TP client to the Security Gateway's alias IP address, the returned encrypted traffic is sent out with the source IP address of the physical interface.
Logical Topology: [PC with L2TP client] --- (VPN) --- {ethX with alias IP}[GW]{ethY} --- [Host]
FW Monitor on Security Gateway shows:
ethX:i[...]: PC_real_IP -> GW_alias_IP (50)
ethX:I[...]: PC_Office_Mode_IP -> Host_IP (...)
ethY:o[...]: PC_Office_Mode_IP -> Host_IP (...)
ethY:O[...]: PC_Office_Mode_IP -> Host_IP (...)
ethY:i[...]: Host_IP -> PC_Office_Mode_IP (...)
ethY:I[...]: Host_IP -> PC_Office_Mode_IP (...)
ethX:o[...]: Host_IP -> PC_Office_Mode_IP (...)
ethX:O[...]: GW_physical_IP -> PC_real_IP (50)
Example Topology:
(Office Mode 172.16.10.4) [PC with L2TP client] (172.30.108.194) <=== (VPN) ===>
--- {alias 172.30.108.17 on eth0:1} (172.30.108.152 on eth0) [Security Gateway] (10.10.80.1 on eth1) ---
--- (10.10.80.2) [Host]
Example Traffic Flow:
- L2TP client 172.30.108.194 connects to Security Gateway's alias IP address 172.30.108.17
- Traffic is passing between the "L2TP client" Office Mode 172.16.10.4 and the "Host" 10.10.80.2
- However, FW Monitor on the Security Gateway shows that the returned traffic from the "Host" is encrypted and sent out with the source IP address of the physical interface 172.30.108.152 instead of the IP address of the alias interface 172.30.108.17:

When connected with the Endpoint Security Client to the Security Gateway's alias IP address, the returned encrypted traffic is sent out with the source IP address of the alias interface, as expected.
Logical Topology: [PC with EP Client] --- (VPN) --- {ethX with alias IP}[GW]{ethY} --- [Host]
FW Monitor on Security Gateway shows:
ethX:i[...]: PC_real_IP -> GW_alias_IP (50)
ethX:I[...]: PC_Office_Mode_IP -> Host_IP (...)
ethY:o[...]: PC_Office_Mode_IP -> Host_IP (...)
ethY:O[...]: PC_Office_Mode_IP -> Host_IP (...)
ethY:i[...]: Host_IP -> PC_Office_Mode_IP (...)
ethY:I[...]: Host_IP -> PC_Office_Mode_IP (...)
ethX:o[...]: Host_IP -> PC_Office_Mode_IP (...)
ethX:O[...]: GW_alias_IP -> PC_real_IP (50)
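To check a gateway for this symptom from a capture, the following added example (not Check Point code) parses FW Monitor lines in the format shown above and reports every ESP reply whose source address differs from the address the client originally connected to. The trace it parses is constructed from the Example Topology addresses; the chain id and the inner protocol number are assumed values.

```python
import re
from typing import NamedTuple

# One FW Monitor line as shown in the Symptoms section: <iface>:<i|I|o|O>[id]: src -> dst (proto)
FW_MON_LINE = re.compile(
    r"^(?P<iface>\S+?):(?P<point>[iIoO])\[[^\]]*\]:\s*"
    r"(?P<src>\S+)\s*->\s*(?P<dst>\S+)\s*\((?P<proto>[^)]*)\)"
)

class Packet(NamedTuple):
    iface: str
    point: str  # i/I = inbound before/after the kernel, o/O = outbound before/after
    src: str
    dst: str
    proto: str

def parse_fw_monitor(text):
    """Turn FW Monitor output into Packet records; non-matching lines are ignored."""
    matches = (FW_MON_LINE.match(line.strip()) for line in text.splitlines())
    return [Packet(**m.groupdict()) for m in matches if m]

def find_alias_source_mismatches(packets):
    """Remember which gateway address each peer sent ESP (proto 50) to (point 'i'), then
    flag every ESP reply to that peer (point 'O') sourced from a different address.
    Returns (peer, address the peer connected to, actual reply source) tuples."""
    connected_to, mismatches = {}, []
    for p in packets:
        if p.proto != "50":
            continue
        if p.point == "i":
            connected_to[p.src] = p.dst
        elif p.point == "O" and p.dst in connected_to:
            expected = connected_to[p.dst]
            if p.src != expected:
                mismatches.append((p.dst, expected, p.src))
    return mismatches

# Constructed trace using the Example Topology addresses; the chain id [52] and the
# inner protocol (1 = ICMP between the Office Mode client and the Host) are assumed.
L2TP_TRACE = """\
eth0:i[52]: 172.30.108.194 -> 172.30.108.17 (50)
eth0:I[52]: 172.16.10.4 -> 10.10.80.2 (1)
eth1:o[52]: 172.16.10.4 -> 10.10.80.2 (1)
eth1:O[52]: 172.16.10.4 -> 10.10.80.2 (1)
eth1:i[52]: 10.10.80.2 -> 172.16.10.4 (1)
eth1:I[52]: 10.10.80.2 -> 172.16.10.4 (1)
eth0:o[52]: 10.10.80.2 -> 172.16.10.4 (1)
eth0:O[52]: 172.30.108.152 -> 172.30.108.194 (50)
"""
```

Run over the Endpoint Security Client chain above, where the final ESP packet is sourced from GW_alias_IP, the same function returns an empty list.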
Example:
Solution