5 Replies Latest reply on Oct 23, 2015 11:18 AM by thyvarin

    VPN and Tracert

    hgaryblack

      Good day,

      We have a Site to Site VPN. Everything works fine with it. However, if we try to do a traceroute for traffic that traverses the VPN, we get a "Request timed out" for each of the VPN end point hops.

      Cannot see any relevant traffic getting dropped in the logs. Have tried various IPv4 Access rules to allow the traffic, but just cannot get the gateways to respond.

      Wondering if the Aliases "Allowed ICMP Local Sources" and "Allowed ICMP Remote Sources" might be the key, but have not found much info on these.

      Any ideas how I configure this functionality?

      Thanks

      HGB

        • 1. Re: VPN and Tracert
          thyvarin

          Hi,

          Here's an NGFW FAQ KB article that also talks about how to allow traceroute through:

          McAfee KnowledgeBase - FAQs for Next Generation Firewall 5.x

          BR,

          Tero

          • 2. Re: VPN and Tracert
            hgaryblack

            I put in a rule

            Local Network to ANY service ICMP

            with the reverse rule

            ANY to Local Network, service ICMP

            So I was allowing ALL ICMP. Still doesn't work. Gateways still give "Request timed out".

            I get responses from hops prior to and after the VPN.

            Thanks,

            HGB

            • 3. Re: VPN and Tracert
              lnurmi

              Hi,

              I tested and I don't see any way to get an ICMP TTL Exceeded response from the first gateway that puts the tracert into the VPN. This is because the TTL is not decremented until the rule matching is done, and the rules put the ICMP Echos into the VPN, i.e. they go to the VPN daemon, which will not return any ICMP errors.

              You can get a response from the next gateway if you create a rule in its policy like:

              src: external interface IPs (NDIs if it's a cluster; if there are several VPN endpoints, include all those interface IPs/NDIs)
              dst: remote VPN site (where tracert is started from)
              service: ICMP TTL Exceeded
              action: Enforce VPN

              and in addition put the source IPs from the above rule into the gateway's local VPN site.

              BR,

              Lauri

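The hop-by-hop behaviour Lauri describes, as an added example that is not part of the thread or of McAfee's code: a small Python model of traceroute probes crossing a site-to-site VPN. It encodes two points from the answer above: on the local gateway the VPN rule matches before the TTL is decremented, so an expiring probe is handed to the VPN daemon and no ICMP Time Exceeded is ever sent (the model treats that probe as silently consumed, an assumption consistent with "will not return any ICMP errors"); the remote gateway does decrement, and its Time Exceeded reply reaches the originating site only when a policy rule enforces "ICMP TTL Exceeded" from its external interface address into the VPN, modelled here by a boolean flag. Hop names and addresses are constructed for the simulation.

```python
"""Model of why traceroute shows 'Request timed out' at VPN gateway hops.

Added example, not from the thread. Addresses and hop names are constructed.
"""
from dataclasses import dataclass


@dataclass
class Hop:
    name: str
    addr: str
    kind: str = "router"              # "router", "vpn_local", "vpn_remote", "host"
    # vpn_remote only: models the 'ICMP TTL Exceeded / Enforce VPN' rule plus
    # the external interface IPs being added to the gateway's local VPN site.
    ttl_exceeded_via_vpn: bool = False


def probe(path, ttl):
    """Simulate one traceroute probe with the given TTL.

    Returns (replying_address or None, reached_destination).
    """
    for hop in path:
        if hop.kind == "host":
            return hop.addr, True            # Echo Reply from the destination
        ttl -= 1
        if hop.kind == "router":
            if ttl == 0:
                return hop.addr, False       # ICMP Time Exceeded from this router
            continue
        if hop.kind == "vpn_local":
            # Policy matched before the TTL check: the probe already belongs to
            # the VPN daemon, which generates no ICMP error (model assumption:
            # the expired probe is consumed silently).
            if ttl == 0:
                return None, False
            continue
        if hop.kind == "vpn_remote":
            if ttl == 0:
                # Time Exceeded is sourced from the external interface address;
                # it only gets back through the tunnel if policy enforces it.
                return (hop.addr, False) if hop.ttl_exceeded_via_vpn else (None, False)
            continue
    return None, False


def traceroute(path, max_hops=30):
    """Return the list of replying addresses per hop (None = timeout)."""
    results = []
    for ttl in range(1, max_hops + 1):
        addr, done = probe(path, ttl)
        results.append(addr)
        if done:
            break
    return results


def render(results):
    return "\n".join(
        f"{i:2d}  {addr or 'Request timed out'}" for i, addr in enumerate(results, 1)
    )


# Constructed topology: LAN router -> local NGFW -> (VPN) -> remote NGFW -> remote router -> server
R1 = Hop("lan-router", "10.1.0.1")
GW_LOCAL = Hop("local-ngfw", "198.51.100.1", "vpn_local")
GW_REMOTE = Hop("remote-ngfw", "203.0.113.1", "vpn_remote")
R2 = Hop("remote-router", "10.2.0.1")
DEST = Hop("remote-server", "10.2.0.50", "host")


def run_before_fix():
    """Both gateway hops time out, as in the original post."""
    return traceroute([R1, GW_LOCAL, GW_REMOTE, R2, DEST])


def run_after_fix():
    """Remote gateway's policy now enforces ICMP TTL Exceeded into the VPN."""
    fixed = Hop(GW_REMOTE.name, GW_REMOTE.addr, "vpn_remote", ttl_exceeded_via_vpn=True)
    return traceroute([R1, GW_LOCAL, fixed, R2, DEST])


if __name__ == "__main__":
    print("before remote policy rule:\n" + render(run_before_fix()))
    print("\nafter remote policy rule:\n" + render(run_after_fix()))
```

Running it prints the before/after traces: hop 2 (the local gateway) stays "Request timed out" in both runs, hop 3 (the remote gateway) answers only after the rule is in place, and hops before and after the VPN answer in both, which matches the thread's observations.
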
              • 4. Re: VPN and Tracert
                hgaryblack

                Hey lnurmi / Lauri,

                Can you elaborate on some of your answer?

                • How do I get specific Engine interfaces/IPs in a rule? Searching for them returns the Engine.
                • How do I get a Site in a rule? Are we just talking about the Network defined under the Site?

                Thanks,

                GB

                • 5. Re: VPN and Tracert
                  thyvarin

                  • How do I get specific Engine interfaces/IPs in a rule? Searching for them returns the Engine.

                  ==> You can create a host element for the specific FW interface IP address. Address Alias elements also include the "$$Local Cluster(NDI addresses only)" alias, but it will match the NDI addresses of all the FW interfaces.

                  • How do I get a Site in a rule? Are we just talking about the Network defined under the Site?

                  ==> Yes, sites are the networks (or address ranges or hosts) that you define for a VPN gateway; they define what traffic can use the VPN, i.e. the VPN traffic selectors.

                  McAfee Next Generation Firewall 5.9.1

                  BR,

                  Tero