topic Re: Encryption Failure Failed to enforce VPN Policy (11) in Firewall and Security Management

Encryption Failure Failed to enforce VPN Policy (11)

chaymosphere — Thu, 14 May 2020 07:42:05 GMT

Hi, I would like to ask if some of you ever encounter this scenario? I already did the sk106241 and based on TAC Engr. it is safe to run without rebooting the firewall. However, one of my segment did not take effect and it still encountering the same problem which is Failure Failed to enforce VPN Policy(11)

If you ever resolved this kind of issue, please advise what steps or procedures you did to solve this problem.

Re: Encryption Failure Failed to enforce VPN Policy (11)

Timothy_Hall — Thu, 14 May 2020 12:53:42 GMT

You seem to have an overlap in VPN domains between two or more of your managed firewalls that you need to fix.

1) What does the command vpn overlap_encdom communities -s show?

2) Try these tools to get a better handle on your VPN domain definitions/routing:

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/One-liner-to-show-VPN-topology-on-gateways/m-p/57975

https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/Show-VPN-Routing-on-CLI/m-p/40216

Re: Encryption Failure Failed to enforce VPN Policy (11)

chaymosphere — Fri, 15 May 2020 10:19:27 GMT

Thanks, I will update you once it works on the client's end

Re: Encryption Failure Failed to enforce VPN Policy (11)

chaymosphere — Tue, 26 May 2020 04:08:50 GMT

I would like to ask if this command "vpn overlap_encdom communities –s" is safe to run during the production?

Re: Encryption Failure Failed to enforce VPN Policy (11)

Timothy_Hall — Tue, 26 May 2020 12:48:03 GMT

Yes, safe to run during production.

Re: Encryption Failure Failed to enforce VPN Policy (11)

CheckPointerXL — Wed, 14 Sep 2022 17:35:25 GMT

Hi All,

i have same error.

The scenario is: VPN route based + PBR

My PBR says: src:Subnet X dst:Subnet Y gw:VTI IP

SK related to PBR says on limitation row that this is supported starting from 80.40

Any suggestion?

Re: Encryption Failure Failed to enforce VPN Policy (11)

amarchi — Tue, 09 Jul 2024 08:11:08 GMT

Hello,

With our customer we encounter same issue.
An SSL vpn was active and they were trying to replace it with IPSEC vpn to reinforce security.
Both had to work at the same time, but IKE packet for IPSEC were reject because the Checkpoint was not the destination of IKE packet and it doesn't knew that it should be encrypt in VPN Community.

By following this SK : https://support.checkpoint.com/results/sk/sk106241

Solution:

In R76 and above, a kernel parameter was added to allow this traffic to be decrypted if the gateway is not the destination. It is not enabled by default.
The command to enable it is:

To run on the fly:
[Expert@SGW]# fw ctl set int encrypt_non_gw_rdp_ike 1
To permanently enable it, refer to sk26202.

After running this command the IKE packet has been encrypted into the community and the IKE packet was not drop anymore

Hope its clear and it will help some of you,

Best regards.