
Route-Based VPN Creation Error #55

Closed
m0canu1 opened this issue Nov 27, 2023 · 7 comments

Comments

@m0canu1

m0canu1 commented Nov 27, 2023

Hi,

I am trying to create a Route-Based VPN Tunnel between two Firewalls but I get this error: "Impossible to store the element XXX".

  • Interfaces on the Engines are created correctly
  • Monitoring Group is created correctly

Is there something that I am missing?

Below is the function I created:

```python
# Imports as used by smc-python (added here for completeness; not in the original post).
from smc.core.engine import Engine
from smc.vpn.elements import VPNProfile
from smc.vpn.route import RouteVPN, TunnelEndpoint, TunnelMonitoringGroup


def create_rbvpn(fw1, fw2, interface_id, comment):
    engine1 = Engine(str(fw1))
    engine2 = Engine(str(fw2))

    # Tunnel interface on both engines (cluster virtual interface with the same id)
    engine1.tunnel_interface.add_cluster_virtual_interface(interface_id=interface_id, comment=comment)
    engine2.tunnel_interface.add_cluster_virtual_interface(interface_id=interface_id, comment=comment)

    TunnelMonitoringGroup.create(name=comment, comment=comment)

    local_endpoint = TunnelEndpoint(gateway_ref=engine1.href,
                                    tunnel_interface_ref=engine1.tunnel_interface.get(interface_id).href)
    print(local_endpoint)
    remote_endpoint = TunnelEndpoint(gateway_ref=engine2.href,
                                     tunnel_interface_ref=engine2.tunnel_interface.get(interface_id).href)
    print(remote_endpoint)

    # This call is the one that fails with "Impossible to store the element";
    # note that no preshared_key is passed.
    RouteVPN.create_ipsec_tunnel(name=comment,
                                 local_endpoint=local_endpoint,
                                 remote_endpoint=remote_endpoint,
                                 monitoring_group=TunnelMonitoringGroup(comment),
                                 vpn_profile=VPNProfile("Suite-B-GCM-256"),
                                 comment=comment)
```
@MaxPoint67

Seems correct unless you missed the preshared key. Do you have any details on your error? Feel free to contact support if you face a database issue.

@m0canu1
Author

m0canu1 commented Nov 27, 2023

I tried both in production and in a Lab Environment (which has nothing in common with the production one).

I did not include the preshared_key because, if I understood correctly, there is no need to specify it if both Firewalls are managed by the same SMC.

```text
File "c:\path\to\fp-smc\smc_utils.py", line 85, in create_tunnel_interface
    RouteVPN.create_ipsec_tunnel(name=comment,
  File "C:\path\to\fp-smc\venv\Lib\site-packages\smc\vpn\route.py", line 196, in create_ipsec_tunnel
    return versioned_method(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\path\to\fp-smc\venv\Lib\site-packages\smc\vpn\route.py", line 272, in _create_ipsec_tunnel_66
    raise CreateVPNFailed(err)
smc.api.exceptions.CreateVPNFailed: Impossible to store the element (VPN S2S) FIRENZE - MILANO.
```

@MaxPoint67

It is possible that the problem is with your VPN configuration; you need to check the SMC traces or try to configure the same in the GUI to figure out the configuration error.

@m0canu1
Author

m0canu1 commented Nov 29, 2023

I am able to correctly configure the Route-Based VPN using the GUI with the same endpoints.

That's the SMC Trace of the Error:
trace.log

@amol-suruse
Collaborator

Please check the example given below and let me know if it works for you. We need to pass preshared_key in RouteVPN.create_ipsec_tunnel.

```python
# Imports as used by smc-python (added for completeness; not in the original comment).
from smc.core.engine import Engine
from smc.vpn.elements import VPNProfile
from smc.vpn.route import RouteVPN, TunnelEndpoint, TunnelMonitoringGroup


def create_rbvpn(fw1, fw2, interface_id, comment, psk):
    # psk: the pre-shared key string. The posted snippet used the name without
    # defining it, so it is taken as a parameter here.
    engine1 = Engine(str(fw1))
    engine2 = Engine(str(fw2))
    engine1.tunnel_interface.add_cluster_virtual_interface(interface_id=interface_id, comment=comment)
    engine2.tunnel_interface.add_cluster_virtual_interface(interface_id=interface_id, comment=comment)
    TunnelMonitoringGroup.create(name=comment, comment=comment)
    # Endpoints are built from each engine's internal VPN gateway and its tunnel interface
    local_endpoint = TunnelEndpoint.create_ipsec_endpoint(
        engine1.vpn.internal_gateway, engine1.tunnel_interface.get(interface_id))
    remote_endpoint = TunnelEndpoint.create_ipsec_endpoint(
        engine2.vpn.internal_gateway, engine2.tunnel_interface.get(interface_id))
    RouteVPN.create_ipsec_tunnel(name=comment,
                                 local_endpoint=local_endpoint,
                                 remote_endpoint=remote_endpoint,
                                 monitoring_group=TunnelMonitoringGroup(comment),
                                 vpn_profile=VPNProfile("Suite-B-GCM-256"),
                                 preshared_key=psk,
                                 comment=comment)
```

@m0canu1
Author

m0canu1 commented Dec 6, 2023

Hi,

I tried to create a RBVPN using the Ansible Module and it gave me a more explicit error.

Then I passed a preshared key and it worked without problems.

"Impossible to store the element (VPN S2S) FIRENZE - MILANO. An element is invalid: With Tunnel type VPN and Encryption set to N/A, a Pre-shared Key is mandatory."

As per documentation of both Ansible Module and fp-NGFW-SMC-python there should be no need to pass a preshared-key if both firewalls are under the same SMC since the preshared will be autogenerated.

I think the issue is a mistake in the documentation or a missed implementation of the auto-generation of the preshared.

https://fp-ngfw-smc-ansible.readthedocs.io/en/latest/modules/route_vpn_module.html

@amol-suruse
Collaborator

Created a ticket to update the documentation, which will be fixed in a future smc-python and smc-ansible release.
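The thread settles on one rule: with tunnel type VPN and encryption N/A, the SMC rejects the element unless a pre-shared key is passed, and it does not generate one for you. The following is an added example, not code from this thread or from smc-python or the Ansible module, showing how a caller can generate a key from OS entropy, run a pre-flight check that mirrors the quoted SMC rule before calling `RouteVPN.create_ipsec_tunnel`, and keep the key out of logs (the earlier snippet printed endpoints; printing the full kwargs would also print the key). The endpoint values, the `MIN_PSK_CHARS` threshold and the helper names are assumptions; the real call takes smc-python `TunnelEndpoint` objects.

```python
import secrets

# Minimum key length enforced by this pre-flight check (assumption; the SMC rule in the
# thread only says the key is mandatory, not how long it must be).
MIN_PSK_CHARS = 16


def generate_psk(nbytes=32):
    """Return a random URL-safe pre-shared key built from nbytes of OS entropy."""
    return secrets.token_urlsafe(nbytes)


def build_tunnel_kwargs(name, local_endpoint, remote_endpoint, monitoring_group,
                        vpn_profile, preshared_key=None, comment=None):
    """Assemble the keyword arguments for RouteVPN.create_ipsec_tunnel.

    If no key is supplied one is generated here, because (per the error quoted in the
    thread) the SMC rejects a missing key rather than generating one.
    """
    return {
        "name": name,
        "local_endpoint": local_endpoint,
        "remote_endpoint": remote_endpoint,
        "monitoring_group": monitoring_group,
        "vpn_profile": vpn_profile,
        "preshared_key": preshared_key if preshared_key else generate_psk(),
        "comment": comment if comment is not None else name,
    }


def preflight_errors(kwargs):
    """Return a list of problems that would make the SMC reject the tunnel.

    Mirrors the "a Pre-shared Key is mandatory" rule and adds a length floor;
    an empty list means the request can be sent.
    """
    errors = []
    psk = kwargs.get("preshared_key")
    if not psk:
        errors.append("preshared_key is mandatory for a route-based IPsec tunnel")
    elif len(psk) < MIN_PSK_CHARS:
        errors.append(f"preshared_key is shorter than {MIN_PSK_CHARS} characters")
    for field in ("name", "local_endpoint", "remote_endpoint"):
        if not kwargs.get(field):
            errors.append(f"{field} is missing")
    return errors


def redacted(kwargs):
    """Copy of kwargs that is safe to print or log: the key is replaced by a marker."""
    out = dict(kwargs)
    if out.get("preshared_key"):
        out["preshared_key"] = "<redacted>"
    return out


if __name__ == "__main__":
    # Constructed stand-in values; in real use these are smc-python elements.
    kw = build_tunnel_kwargs("FIRENZE - MILANO", "local-endpoint-ref", "remote-endpoint-ref",
                             "FIRENZE - MILANO", "Suite-B-GCM-256")
    print(redacted(kw))
    print(preflight_errors(kw))  # [] when the key is present and long enough
```

In a real run the dict is unpacked into `RouteVPN.create_ipsec_tunnel(**kw)` only when `preflight_errors(kw)` is empty, and only `redacted(kw)` goes to the log; the generated key itself should be handed to the operator through whatever secret store the deployment already uses.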
