topic Re: Traffic from Gateway to Internet dropped (clear text packet should be encrypted) in Firewall and Security Management

Traffic from Gateway to Internet dropped (clear text packet should be encrypted)

Mark_Edwards — Thu, 30 Mar 2023 13:07:53 GMT

Hi,

Customer has a VTI VPN between office Check Point and Data Centre Check Point and there is connectivity between the 2 sites.

Internet access is via DC Check Point.

Traffic from office Check Point (e.g. DNS to 8.8.8.8) is dropped on DC Check Point due to "clear text packet should be encrypted".

I can't see why the DC gateway expects this to be encrypted - no overlapping encryption domains, etc.

As expected the tunnel test traffic is encrypted/decrypted between the 2.

Any ideas?

Re: Traffic from Gateway to Internet dropped (clear text packet should be encrypted)

PhoneBoy — Fri, 31 Mar 2023 03:32:14 GMT

We need some more information including:

Version/JHF of gateways
Encryption Domain configuration on both sites

The Office gateway didn't think it needed to encrypt the traffic to the remote gateway.

Re: Traffic from Gateway to Internet dropped (clear text packet should be encrypted)

Mark_Edwards — Fri, 31 Mar 2023 10:24:19 GMT

Office: SMB 1600 R81.10

Main DC: R81.10 JHF take 55

Both gateways have an empty group as the encryption domain as the VPN is route based.

Its correct that the office SMB doesn't encrypt as this traffic is not routed down the VPN.

Re: Traffic from Gateway to Internet dropped (clear text packet should be encrypted)

PhoneBoy — Fri, 31 Mar 2023 22:21:03 GMT

You said in your original post that all traffic from the office site is routed over VPN to the DC site.
That would imply all traffic to the Internet would be routed to the DC site, including DNS lookups.

Because of the empty encryption domain, it seems reasonable for the DC gateway to assume everything that comes from the specific remote gateway SHOULD be encrypted.
Thus, the error message.

A simple network diagram might be helpful to understand where traffic is supposed to be going.

Re: Traffic from Gateway to Internet dropped (clear text packet should be encrypted)

Mark_Edwards — Fri, 14 Apr 2023 10:05:33 GMT

Hi, apologies.

I have attached a simple diagram.

Only traffic between office 192.168.3.0/24 and DC 10.1.1.0/24 is routed over the VTI.

Traffic from office 10.0.0.9 to Internet is dropped by DC 10.0.0.12.

Re: Traffic from Gateway to Internet dropped (clear text packet should be encrypted)

the_rock — Fri, 14 Apr 2023 12:25:24 GMT

Hey @Mark_Edwards ,

I think maybe fw monitor capture would help us here, so we can see if traffic even takes the right path. So lets assume src is 1.1.1.1 and dst is 2.2.2.2 and dst port is 3389, as we dont care about src port, you could do something like below (-o to output to a file)

fw monitor -F "srcip,srcport,dstip,dstport,protocol" -F "srcip,srcport,dstip,dstport,protocol"

fw monitor -F "1.1.1.1,0,2.2.2.2,3389,0" -F "2.2.2.2,0,1.1.1.1,3389,0" -o /var/log/vpncapture.pcap

Once you dump the file in wireshark, you can filter for fw direction -> fw1.direction eq "i"

or whatever inspection point you want to see

Andy

Re: Traffic from Gateway to Internet dropped (clear text packet should be encrypted)

Mark_Edwards — Fri, 26 May 2023 10:44:19 GMT

Hi,

I applied sk25675 (NON_VPN_Traffic rules), added the peer IP and it resolved the issue.

Clear-text connections from the peer to the Internet were allowed.