https://community.checkpoint.com/t5/General-Topics/Loosing-SMS-to-FW-connectivity-after-applied-IPsec-VPN/m-p/102747#M19834 <P>Management traffic does NOT go through the VPN by design.<BR />That said, there must be a static NAT to the management server that the remote gateways can reach.<BR />Refer to:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100583&amp;partition=Advanced&amp;product=Security" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100583&amp;partition=Advanced&amp;product=Security</A>&nbsp;</P> Fri, 20 Nov 2020 03:54:10 GMT PhoneBoy 2020-11-20T03:54:10Z https://community.checkpoint.com/t5/General-Topics/Loosing-SMS-to-FW-connectivity-after-applied-IPsec-VPN/m-p/102404#M19810 <P>Hello All,</P><P>I am quite new on Checkpoint VPN blade that's why sorry for stupid question !</P><P>Basically I am trying to establish IPsec VPN(mesh community) tunnels between HQ and branch sites as below diagram.<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture111.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9034iCB26F1DC04740C30/image-size/large?v=v2&amp;px=999" role="button" title="Capture111.JPG" alt="Capture111.JPG" /></span></P><P>However once I apply IPsec configuration, I lost SMS and FW connectivity. I suspect somehow SMS traffic goes into VPN tunnel that's why I lost connectivity between SMS and FW. See below Dubai-FW is disconnected after I push policy.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture123.JPG" style="width: 982px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9037i17F55D6EFE2F3893/image-size/large?v=v2&amp;px=999" role="button" title="Capture123.JPG" alt="Capture123.JPG" /></span></P><P>&nbsp;</P><P>- Even though Dubai-FW is disconnected from SMS, Clients start to ping remote site that means IPSec VPN config successfull</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="client11.JPG" style="width: 589px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9036iE1E5EC1AC4B319C8/image-size/large?v=v2&amp;px=999" role="button" title="client11.JPG" alt="client11.JPG" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VPN_up.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9042iC4918C11A63492A0/image-size/large?v=v2&amp;px=999" role="button" title="VPN_up.JPG" alt="VPN_up.JPG" /></span></P><P><BR />In HQ-FW, I have only defined HQ-LAN-NET [10.1.0.0/24] network.(not added MGMT 192.168.1.0/24)<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HQ-1.JPG" style="width: 624px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9035iDB31BA1DD14C1F46/image-size/large?v=v2&amp;px=999" role="button" title="HQ-1.JPG" alt="HQ-1.JPG" /></span><BR /><BR /><BR /><BR /><BR /></P><P>- I have also defined VPN access policies on both Branch and HQ(rule 3 and 4)</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HQ_123.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9038i503F259C171B7628/image-size/large?v=v2&amp;px=999" role="button" title="HQ_123.JPG" alt="HQ_123.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>-Defined NAT policy between branch and HQs( rule 1 and 2) [Not performing NAT between HQ and Branch Networks but SMS]</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="HQ_NAT.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9039iE5A1C167F9DD765E/image-size/large?v=v2&amp;px=999" role="button" title="HQ_NAT.JPG" alt="HQ_NAT.JPG" /></span></P><P>&nbsp;</P><P>- I see from Logs that the traffic between Clients are encrypted and decrypted as below</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vpn_encrypt.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9040iE45A9714CF98C0EF/image-size/large?v=v2&amp;px=999" role="button" title="vpn_encrypt.JPG" alt="vpn_encrypt.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>- I check VPN blade logs and realized that many drops here below you can see one of them's detail. It specifies "<STRONG>Clear text packet should be encrypted</STRONG>"<BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="logg.JPG" style="width: 650px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/9041i3CDAEDB7607074D9/image-size/large?v=v2&amp;px=999" role="button" title="logg.JPG" alt="logg.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>From my perspective the SMS traffic goes into VPN tunnel even though I have excluded 192.168.1.0/24 network from VPN domain in HQ-FW. But don't understand the reason why.<BR /><BR />Is anyone help me what couldn't I figure out in this&nbsp; set up ?<BR /><BR />I would be appreciated if you have a look.<BR /><BR />Thanks in Advance,<BR /><BR /></P><P>&nbsp;</P><P>&nbsp;</P> Wed, 18 Nov 2020 00:47:57 GMT https://community.checkpoint.com/t5/General-Topics/Loosing-SMS-to-FW-connectivity-after-applied-IPsec-VPN/m-p/102404#M19810 mely 2020-11-18T00:47:57Z https://community.checkpoint.com/t5/General-Topics/Loosing-SMS-to-FW-connectivity-after-applied-IPsec-VPN/m-p/102747#M19834 <P>Management traffic does NOT go through the VPN by design.<BR />That said, there must be a static NAT to the management server that the remote gateways can reach.<BR />Refer to:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100583&amp;partition=Advanced&amp;product=Security" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100583&amp;partition=Advanced&amp;product=Security</A>&nbsp;</P> Fri, 20 Nov 2020 03:54:10 GMT https://community.checkpoint.com/t5/General-Topics/Loosing-SMS-to-FW-connectivity-after-applied-IPsec-VPN/m-p/102747#M19834 PhoneBoy 2020-11-20T03:54:10Z