I'm using Check Point Endpoint Security client to connect to a VPN and have access to its resources, but it's not possible to reach resources (with ping) from WSL2 with "mirrored" networking mode, although it works from Windows.

I've checked access to an existent VPN resource IP with ping from both Windows and WSL2 in NAT mode, and it works.

When I try with "mirrored" networking mode (I need this mode to work for other reasons that don't matter here), ping command fails to reach the VPN resource IP:

$ ping 198.18.0.9
PING 198.18.0.9 (198.18.0.9) 56(84) bytes of data.
^C
--- 198.18.0.9 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4145ms

I've checked networking routes in WSL2 and it seems to be right (the route for reaching 198.18.0.9 is identical to an existent route in Windows, eth1 is my Internet-WiFi adapter and eth2 is Check Point adapter). These are my relevant routes in WSL2:

$ ip route show
default via 192.168.1.1 dev eth1 proto kernel metric 40
...
172.25.1.0/24 dev eth2 proto kernel scope link metric 256
172.25.1.247 dev eth2 proto kernel scope link metric 1
198.18.0.0/24 via 172.25.1.247 dev eth2 proto kernel metric 1

And these are my relevant routes in Windows:

> route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.135     40
...
       172.25.1.0    255.255.255.0         On-link      172.25.1.131    256
     172.25.1.248  255.255.255.255         On-link      172.25.1.248    256
     172.25.1.255  255.255.255.255         On-link      172.25.1.248    256
       198.18.0.0    255.255.255.0     172.25.1.247     172.25.1.248      1

I've tried traceroute and it seems not to get a response from the Check Point network interface:

$ traceroute 198.18.0.9
traceroute to 198.18.0.9 (198.18.0.9), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
...
30  * * *

I've also checked Windows Defender Firewall and I've got an outbound rule allowing outgoing traffic from WSL2 and an inbound rule allowing all incoming traffic to the Check Point client.

I've also updated to the latest WSL2 version (I've even tried the brand new pre-release 2.2.3), but ping doesn't work either.

Finally I also include a summary of relevant information of both Windows ipconfig and WSL2 ip a. I include information for 3 network interfaces:

  • WiFi/internet connection, working on both Windows and WSL2.
  • Big-IP Edge VPN Client (_Common_NIAE-VPN_NetworkAccess or eth2), working on both Windows and WSL2.
  • Check Point Virtual Network Adapter For Endpoint VPN Client, working only on Windows (ping 198.18.0.9 not working on WSL2).

> ipconfig.exe /all
...
Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Check Point Virtual Network Adapter For Endpoint VPN Client
   Physical Address. . . . . . . . . : xxxxxxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : xxxxxxxx(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.25.1.248(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : martes, 23 de abril de 2024 11:23:45
   Lease Expires . . . . . . . . . . : viernes, 30 de mayo de 2160 18:48:18
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 172.25.1.247
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : xxxxxxxx
   NetBIOS over Tcpip. . . . . . . . : Enabled

PPP adapter _Common_NIAE-VPN_NetworkAccess - xxxxxxxx:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : _Common_NIAE-VPN_NetworkAccess - xxxxxxxx
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.157.227.51(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.235.85.31
                                       10.201.68.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . : Home
   Description . . . . . . . . . . . : RZ616 Wi-Fi 6E 160MHz
   Physical Address. . . . . . . . . : xxxxxxxx
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : xxxxxxxx(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.135(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : martes, 23 de abril de 2024 8:08:53
   Lease Expires . . . . . . . . . . : miércoles, 24 de abril de 2024 8:08:51
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : xxxxxxxx
   DHCPv6 Client DUID. . . . . . . . : xxxxxxxx
   DNS Servers . . . . . . . . . . . : 212.230.135.2
                                       212.230.135.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

$ ip a
...
3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1350 qdisc mq state UP group default qlen 1000
    link/ether xxxxxxxx
    inet 172.25.1.248/24 brd 172.25.1.255 scope global noprefixroute eth2
       valid_lft forever preferred_lft forever
    inet6 xxxxxxxx/64 scope link nodad noprefixroute
       valid_lft forever preferred_lft forever
...
5: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether bc:f4:d4:d3:88:89 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.135/24 brd 192.168.1.255 scope global noprefixroute eth2
       valid_lft forever preferred_lft forever
    inet6 xxxxxxxx/64 scope link nodad noprefixroute
       valid_lft forever preferred_lft forever
7: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1396 qdisc mq state UP group default qlen 1000
    link/ether xxxxxxxx
    inet 10.157.227.51/32 brd 10.157.227.51 scope global noprefixroute eth3
       valid_lft forever preferred_lft forever
  • Your IPs are hard to understand as they are for disjoint segments: 192.168.* and 198.18.*. Please add the output of Windows ipconfig and WSL2 ifconfig to your post.
    – harrymc
    Commented Apr 21 at 17:40
  • I guess you mean my routing rules. I only pasted my default rule (default via 192.168.1.1 dev eth1 proto kernel metric 40) which means that all traffic is by default sent to my router gateway 192.168.1.1 on eth1, and the relevant rule (198.18.0.0/24 via 172.25.1.247 dev eth2 proto kernel metric 1) for the resource I'm trying to reach (198.18.0.9) located in my CheckPoint VPN and accessible via eth2 (unfortunately only from Windows and not from WSL2). Commented Apr 22 at 17:30
  • I prefer not to add my Windows ipconfig and WSL2 ip a, since I already double-checked that eth2 is the name of the network adapter for CheckPoint VPN in WSL2. Commented Apr 22 at 17:33
  • Another segment: 172.25.1.*. How is that one reachable?
    – harrymc
    Commented Apr 22 at 18:51
  • Please add all the information from the comments into your post. This is very hard to read.
    – harrymc
    Commented Apr 23 at 9:53
