topic Internet Traffic from VPN being blocked in Firewall and Security Management

Internet Traffic from VPN being blocked

Fabian_Maldonad — Wed, 24 Mar 2021 13:28:30 GMT

Hello forum!

Hoping to get some fresh eyes on an issue im am dealing with currently.

I have a firewall in Azure connected back to us (HQ) over ipsec VPN. Virtual machines can communicate with HQ with no issues, however, they cannot get to the internet. I see in the logs the traffic is being dropped by my FW. Here is the exact error i am receiving:

Id: c0a801c9-1611-7109-605b-3a433ba90001
Marker: @A@@B@1616558409@C@2612367
Log Server Origin: x.x.x.x
Time: 2021-03-24T13:10:27Z
Interface Direction: inbound
Interface Name: eth1-02
Id Generated By Indexer:false
First: true
Sequencenum: 179
Log ID: 404821
Source: 10.0.100.5
Source Port: 50529
Destination: 20.60.132.4
Destination Port: 443
IP Protocol: 6
Scheme: IKE
Methods: ESP: AES-128 + SHA1 + PFS (group 14)
VPN Peer Gateway: x.x.x.x
Encryption Failure: According to the policy the packet should not have been decrypted
VPN Feature: VPN
Action: Drop
Type: Connection
Policy Name: HB-Custom-Policy
Policy Management: cpman
Db Tag: {3138C08A-7834-2645-8B4F-36751CECDF37}
Policy Date: 2021-03-18T19:00:14Z
Blade: VPN
Origin: HBFW1
Service: TCP/443
Product Family: Access
Logid: 1
File Size: 0
Interface: eth1-02
Description:

The 10.0.100.5 is the VM that is trying to access windows updates 20.60.132.4 in the log details above.

I have the subnet 10.0.100.0 in the route table pointing to our gateway
I have a network object for 10.0.100.0/23 in the internet allowed out policy
I can ping from 10.0.100.5 our GW

Any direction here would be much appreciated.

Re: Internet Traffic from VPN being blocked

KennyManrique — Thu, 25 Mar 2021 17:04:24 GMT

Hi Fabian.

Which routing configuration you're using for the VPN Community?

The message According to the policy the packet should not have been decrypted indicates that the source machines are trying to reach an encryption domain that is not exchanged by the two gateways. You should configure routing in the community or manually add 20.60.132.4 to your encryption domain exchanged between both devices.

Re: Internet Traffic from VPN being blocked

Vladimir — Thu, 25 Mar 2021 21:28:59 GMT

First, test connectivity from Azure CP GW to the Internet (ping www.yahoo.com or curl_cli -k https://www.google.com)

Then check if you are preventing NAT between your Azure hosts and on-premises.

THen check if you are NATing your hosts to "Hide behind Gateway's IP" on their way to the Internet and enable that if it is not done yet.

Re: Internet Traffic from VPN being blocked

the_rock — Thu, 25 Mar 2021 23:30:23 GMT

Vladimir is correct...that type of error may indicate nat issues, but it also could be related to vpn domain as well. Could you do ike debug when trying this, as that would show you exactly where its failing, phase 1 or 2 and what packet exactly.

Andy