topic Re: One way traffic is dropping in Site to Site VPN with DAIP gateway in General Topics

One way traffic is dropping in Site to Site VPN with DAIP gateway

Pavan_Kumar — Mon, 18 Mar 2024 06:40:31 GMT

I have configured site to site VPN between Checkpoint(R81.20 JHF T41) and Strongswan in Ubuntu(DAIP gateway).

Assume Host-A is behind Checkpoint and Host-B is behind Strongswan in Ubuntu.
One way traffic is dropping in Site to Site VPN with DAIP gateway

I have configured site to site VPN between Checkpoint(R81.20 JHF T41) and Strongswan in Ubuntu(DAIP gateway).

Assume Host-A is behind Checkpoint and Host-B is behind Strongswan in Ubuntu.

VPN tunnel is up and traffic initiated from Host-B to Host-A is working, But traffic initiated from Host-A to Host-B is not working.

Smartlog shows traffic is accepted and encrypted in community, But when checked on zdebug it is getting dropped with below error.

zdebug when pinging from Host-A to Host-B:

zdebug when initiating telnet from Host-A to Host-B on port 443:

CP VPN status:

Strongswan VPN status:

My understating as per the logs, Checkpoint instead of sending traffic on existing tunnel, It is trying to create new tunnel for the encryption domain and failing in process as the peer is dynamic in interoperable object.

Please help me to fix this issue.

regards,

Re: One way traffic is dropping in Site to Site VPN with DAIP gateway

G_W_Albrecht — Mon, 18 Mar 2024 08:44:30 GMT

I would contact CP TAC to get this resolved asap!

Re: One way traffic is dropping in Site to Site VPN with DAIP gateway

PhoneBoy — Mon, 18 Mar 2024 16:51:33 GMT

StrongSWAN is treated as a Remote Access Client, to the best of my knowledge.
Which means: make sure this is enabled:

Otherwise, I suggest a TAC case: https://help.checkpoint.com

Re: One way traffic is dropping in Site to Site VPN with DAIP gateway

Pavan_Kumar — Tue, 19 Mar 2024 18:55:30 GMT

Hi.. The issue is resolved. Sharing my findings and fix, thought it might help community members.

In my configuration, local encryption domain is 172.28.1.10/32(Specific vpn domain for the community) and remote encryption domain is 10.203.144.0/30.
As my local encryption domain is single host, I created a group and added Host Object 172.28.1.10/32, and called the group on specific vpn domain for the community

As per vpn debug, when host behind the checkpoint initiates traffic it is not considering the Host Object used on specific vpn domain on the community, Instead checkpoint is considering Network Object(which the IP 172.28.1.10 belongs) from the default vpn domain, and trying to negotiate new phase-2(local 172.28.1.0/24 in my case and remote 10.203.144.0/30). As the peer end phase-2 configured with only /32, the new phase-2 negotiation is failing. Due to this traffic initiated from host behind checkpoint is not working.

Assuming checkpoint doesn't consider host object on encryption domain, I created Network Object 172.28.1.10/32 and replaced it with host object on the group. Post that issue resolved.

regards,