topic Re: Remote VPN access to network behind 3rd party Gateway in Firewall and Security Management

Remote VPN access to network behind 3rd party Gateway

Ricardo_Gros — Fri, 14 Dec 2018 13:39:32 GMT

Hi,

I have come upon this issue where a customer is trying to access a Network scope behind a tunnel that is terminating on a 3rd party device.

So the topology is the following

Client VPN client with remote office IP 10.1.1.2 want´s to reach Server Behind Tunnel Terminating on 3rd party firewall with IP 192.168.2.2

Checkpoint has route for 192.168.2.0/24 -> 3rd party device

3rd Party device has route to 10.1.1.0/24 -> checkpoint

Network 192.168.2.0/24 is part of Enc Domain of Checkpoint for Remote VPN

Problem is when the client tries to reach network packet is forwarded to server, return packet however is blocked by checkpoint with following error:

Dropped by vpn_verify, reason : Clear packet on encrypted connection;

I don´t understand the drop because the packet should be Clear text and only be encrypted by the checkpoint and decrypted by the client, I don´t see the difference between this and any other network access, I wondering if It has to do with the Topology since this network is not directly connected, however there is a route so it should be "known" in terms of topology.

After this I tried adding the Remote Office Pool to the Enc. Domain of the Gateway, however this simply changed the error output to:

No Decryption Message

I think the second error is because now the Gateway thinks it needs to Decrypt and it´s clear text or something..

Re: Remote VPN access to network behind 3rd party Gateway

PhoneBoy — Fri, 14 Dec 2018 14:30:44 GMT

A visual network diagram would be helpful.

Re: Remote VPN access to network behind 3rd party Gateway

Ricardo_Gros — Fri, 14 Dec 2018 14:55:28 GMT

Traffic is initiated on Remote VPN side:

I can see in FW monitor the traffic being send to destination network and I can also see on 3rd party the traffic being send to server.

The return traffic hits the 3rd party device and get´s blocked on checkpoint side with described errors.

Re: Remote VPN access to network behind 3rd party Gateway

PhoneBoy — Fri, 14 Dec 2018 16:31:35 GMT

Sounds like the remote end is not encrypting the reply traffic for some reason.

Can you confirm it is received cleartext on the Check Point?

Re: Remote VPN access to network behind 3rd party Gateway

Ricardo_Gros — Fri, 14 Dec 2018 16:36:20 GMT

It should not encrypt the reply, the reply is decrypted on 3rd party firewall correctly, send as clear text to Checkpoint and should then be encrypted to be sent to the Remote VPN tunnel.

The original packet is Encrypted on Client Side, decrypted on Checkpoint side and send as Clear text to 3rd party device, then encrypted and send to server (server sits behind some other device this I don´t know).

There is a tunnel Between 3rd Party and some other gateway and destination network is behind this.

So the traffic flow between Checkpoint and 3rd party is always unencrypted.

Re: Remote VPN access to network behind 3rd party Gateway

PhoneBoy — Fri, 14 Dec 2018 18:50:47 GMT

Have you done any of the steps in this SK?

Troubleshooting "Clear text packet should be encrypted" error in ClusterXL

Re: Remote VPN access to network behind 3rd party Gateway

Ricardo_Gros — Mon, 17 Dec 2018 08:04:16 GMT

Hi,

Do you have any specific section in mind by referring this?

Re: Remote VPN access to network behind 3rd party Gateway

PhoneBoy — Mon, 17 Dec 2018 14:02:00 GMT

Yeah, now that I look at it a bit more closely, probably not

Do you have a TAC case on this?

Re: Remote VPN access to network behind 3rd party Gateway

Shahar_Grober — Fri, 15 Feb 2019 06:46:54 GMT

Hi Ricardo,

do you know if this scenario is supported or working,

I need to do something similar but I am not sure it is supported.

I want to know if you approached TAC before I start to configure and test it