topic VPN is UP, but the VPN traffic is sent in clear although the traffic matches all community criteria in Firewall and Security Management

VPN is UP, but the VPN traffic is sent in clear although the traffic matches all community criteria

MladenAntesevic — Fri, 18 Dec 2020 15:33:14 GMT

Hello all,

I have a strange issue with my S2S VPN between my R80.40 3600 cluster and Cisco ASA device. The tunnels is established and I see encrypted traffic coming from remote end, but the traffic sent in opposite way from the CheckPoint to ASA is sent as a clear text. I am positive that my traffic matches all community criteria.

I am doing Manual hide NAT for outgoing traffic from CheckPoint to ASA. Here are the details about relevant networks:

My office LAN networks are source NATed to 172.21.230.5 (hide NAT)

Remote subnets are 192.168.15.25/32 192.168.15.26/32 an 192.168.1.34/32

When I try ping or telnet to remote end 192.168.15.25, the traffic is going out as unencrypted on my external interface.

[Expert@CP-2:0]# vpn tu tlist

(2) Site-to-Site tunnels are up:
IPSEC 2
NAT-T 0

(0) Clients Are Connected:
NAT-T 0
Visitor Mode 0
SSL 0
L2TP 0

Re: VPN is UP, but the VPN traffic is sent in clear although the traffic matches all community crite

G_W_Albrecht — Fri, 18 Dec 2020 15:51:33 GMT

Looks like it is treated internal traffic on screenshot ! Which rule is matched and how is the encryption domain defined ?

Re: VPN is UP, but the VPN traffic is sent in clear although the traffic matches all community crite

Marcel_Gramalla — Fri, 18 Dec 2020 17:13:51 GMT

If you do a NAT on your internal network for the VPN you have to include the original source in the encryption domain as well.

Re: VPN is UP, but the VPN traffic is sent in clear although the traffic matches all community crite

MladenAntesevic — Sat, 19 Dec 2020 09:20:55 GMT

Thanks guys,

I just have included my original sources in the encryption domain for the VPN and the traffic is now correctly encrypted. Thanks for your help.