topic Re: VPN Established but incoming traffic is rejected in Firewall and Security Management

VPN Established but incoming traffic is rejected

Carlos — Tue, 15 Mar 2022 23:43:44 GMT

Hi team,

I have a VPN set up between a CHECKPOINT R80.40 and a CISCO ASA Version 9.16(1)

and I can't have traffic to go from one side to the other successfully as I see traffic being blocked at checkpoints side.

The tunnel is up...
This is what I get on the logs

This is from checkpoint to ASA

This is from the ASA to the checkpoint

Re: VPN Established but incoming traffic is rejected

PhoneBoy — Wed, 16 Mar 2022 04:13:58 GMT

Looks like the remote end isn't encrypting traffic to us.
I'd check the configuration on the ASA side.

Re: VPN Established but incoming traffic is rejected

Carlos — Thu, 17 Mar 2022 12:32:34 GMT

Hi PhoneBoy,

That cannot be the case since I see that the ASA is encrypting traffic but I can't see encrypted replies from the checkpoint.

Please check the attached image which is a print screen on the ASA.
I'm have access to both devices by the way.

Re: VPN Established but incoming traffic is rejected

PhoneBoy — Thu, 17 Mar 2022 13:03:57 GMT

There’s not enough information being shown in the log screenshots you’ve provided.
Please show a full log card for one of the drops.
Also, we’ll need to see what the precise rulebase in question is.

Re: VPN Established but incoming traffic is rejected

Carlos — Thu, 17 Mar 2022 14:53:23 GMT

Hi PhoneBoy,

As you can see on the images the first one is the rule allowing bidirectioanl traffic. The second one is traffic from checkpoint side to ASA. And the third one traffic from ASA to CheckPoint.
I don't know what you mean by: precise rulebase in question is.

As you can

Re: VPN Established but incoming traffic is rejected

RS_Daniel — Thu, 17 Mar 2022 17:45:20 GMT

Hello,

Double click on one of the drop logs (ASA to CheckPoint), go to matching rules tab and check which rule is being applied. According to the screenshots i only can imagine network 192.168.52.0/X is not properly configured on your AUPEC_NET_52 or MINFIN_AUPEC_NET object, the one that is supposed to be the remote encryption domain. Also check drop reason on the log card.

Regards

Re: VPN Established but incoming traffic is rejected

Carlos — Thu, 17 Mar 2022 19:14:54 GMT

Hi RS_Daniel,

Please see the image below.

It does not say which rule dropped it.

Re: VPN Established but incoming traffic is rejected

Timothy_Hall — Thu, 17 Mar 2022 19:33:01 GMT

Spoofing drop, probably caused by defining the entire 192.168.0.0/12 supernet on the topology of your internal interface which is a common mistake. Exclude 192.168.52.0/24 from the topology of your external interface (bond0.10) on the firewall/cluster object and it should start working.

Re: VPN Established but incoming traffic is rejected

Carlos — Thu, 17 Mar 2022 22:32:08 GMT

Hi Timothy,

Is the exclusion done as in the image below? If so, I have done it and it still not working. Sorry for my ignorance as I'm new to checkpoint and this is my first time setting up a VPN tunnel on checkpoint gateway.

Re: VPN Established but incoming traffic is rejected

Timothy_Hall — Fri, 18 Mar 2022 15:37:41 GMT

Appears to be a routing problem as you have "Calculate topology automatically based on routing" set. Uncheck that and properly define External/Internal & the correct topology manually on all your interfaces. This is probably your issue.

Re: VPN Established but incoming traffic is rejected

the_rock — Fri, 18 Mar 2022 15:51:02 GMT

Yes, thats where you would do it. So, just to be sure, what I would do is this...set spoofing to detect on internal interface and also add external IP of the Cisco into option on external interface "dont check packets from", push policy and test.

You can also refer to below links for the reference:

https://community.checkpoint.com/t5/Cloud-Network-Security/Local-interface-address-spoofing/td-p/15099

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115276

Andy

Re: VPN Established but incoming traffic is rejected

Carlos — Sat, 19 Mar 2022 18:05:33 GMT

Thanks every one it's working now. The issue was the anti-spoofing.

Re: VPN Established but incoming traffic is rejected

the_rock — Sun, 20 Mar 2022 12:54:53 GMT

Glad we could help!