User access via IPSEC fails after Cloud SWG maintenance completes
Article ID: 265729
Updated On:
Products
Issue/Introduction
Users accessing internet sites via Cloud SWG with IPSEC access method.
PAC file pushed out to all users proxying traffic to proxy.threatpulse.com:8080.
On the morning of May 10, no users could access internet sites going through GGBLO1 (maintenance carried out the previous night).
Cloud SWG Portal reported the IPSEC tunnel as down.
Environment
- IPSEC Access method.
- Checkpoint R81.10 release.
- IKEv1 Protocol.
- DCQ-based authentication based on client IP address.
Cause
Explicit traffic over IPSEC must point to ep.threatpulse.com:80 (or 199.19.250.205:80) and not proxy.threatpulse.com as per the documentation.
Also changed the Checkpoint configuration to address a peering IP address issue per their KB article.
Resolution
Always send explicitly proxies traffic over an IPSEC tunnel to the ep.threatpulse.com:80 endpoint.
With Checkpoint firewalls, make sure that the peer IP address sent over to Cloud SWG matches that configured in the Cloud SWG IPSEC location IP address field using the following setup:
Additional Information
The checkpoint firewall was sending an invalid IP address as it had the following setting enabled for peer IP address selection, which took the IP address from the Generic Properties section and NOT the egress IP address Cloud SWG saw the connections come in from.
Feedback
