Dropping VPN packets

Hi

I have configured a VPN tunnel between a 1430 and my central Check Point firewall (R80.10).

The VPN tunnel is connected, but the test packet towards 8.8.8.8 is blocked.

In fw monitor I get the following:

[vs_0][fw_0] eth1:i[68]: 172.16.50.50 -> 8.8.8.8 (UDP) len=68 id=21028
UDP: 58832 -> 53
[vs_0][fw_0] eth1:i[68]: 172.16.50.50 -> 8.8.8.8 (UDP) len=68 id=21029
UDP: 58832 -> 53
[vs_0][fw_0] eth1:i[65]: 172.16.50.50 -> 8.8.8.8 (UDP) len=65 id=21030
UDP: 42110 -> 53
[vs_0][fw_1] eth1:i[68]: 172.16.50.50 -> 8.8.8.8 (UDP) len=68 id=21031
UDP: 58832 -> 53

What policy is it that I need to make changes to?

The 1430 is configured as an Interoperable Device with the fixed IP of the WAN interface on my 4G connection; in the topology I am using the same IP on the External network.

6 Replies
Contributor

I now have this working; I made two changes.

1. On my central FW I changed the VPN Domain to the 172.16.50.X/24 network on the "Interoperable Device"

2. On the 1430 I cleared the checkbox for "Disable NAT for this site" in the VPN settings.

Champion

Why is the 1430 configured as an Interoperable Device and not as a 1430? Do you use local management on it? That would be rather bad...

Contributor

At the moment I use local management on the device; during the summer I am going to move to central management.

Collaborator

You have an encryption domain issue. The R80.10 doesn't know that 8.8.8.8 is part of its encryption domain. Make sure in the VPN community to change the VPN routing option to "To center or through center to other satellites, to Internet and other VPN targets"; I'm assuming that you configured the 1430 in the WebUI to route all traffic through the R80.10 GW. Make sure you have a Hide NAT rule on the R80.10 GW to hide traffic from the networks behind the 1430 to the internet, because the internet should return the traffic to the R80.10 GW.

I noticed in the log that the source is 172.16.50.50 after decryption of the packet. Is that the external IP of the 1430? Are you doing Hide NAT behind the 1430 external IP?

Please make sure to include the 172.16.50.x and the 192.168.130.x networks in SmartConsole for the encryption domain of the 1430 device, and try to change it to be an externally managed Check Point device.
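As an added illustration (not code from this thread or from Check Point), here is a small Python parser for fw monitor lines of the shape quoted above, which then checks each decrypted packet against the satellite and center encryption domains and the VPN routing setting described in this answer. The capture text, the /24 size of the 192.168.130.x center network and the function names are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample in the shape of the fw monitor output quoted in the question
# (eth1:i = inbound on eth1, already decrypted); the last packet is made up to
# show a site-to-site flow towards the 192.168.130.x center network.
FW_MONITOR = """\
[vs_0][fw_0] eth1:i[68]: 172.16.50.50 -> 8.8.8.8 (UDP) len=68 id=21028
UDP: 58832 -> 53
[vs_0][fw_0] eth1:i[65]: 172.16.50.50 -> 8.8.8.8 (UDP) len=65 id=21030
UDP: 42110 -> 53
[vs_0][fw_1] eth1:i[68]: 172.16.50.50 -> 192.168.130.20 (UDP) len=68 id=21031
UDP: 58832 -> 53
"""

HEADER = re.compile(
    r"\[(?P<vs>vs_\d+)\]\[(?P<fw>fw_\d+)\] (?P<iface>\w+):(?P<dir>[iIoO])\[\d+\]: "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<proto>\w+)\) len=(?P<len>\d+) id=(?P<id>\d+)"
)
PORTS = re.compile(r"^(?P<proto>\w+): (?P<sport>\d+) -> (?P<dport>\d+)$")


def parse_fw_monitor(text):
    """Pair each packet header line with the port line that follows it."""
    packets, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.groupdict()
            packets.append(current)
            continue
        p = PORTS.match(line)
        if p and current is not None:
            current["sport"], current["dport"] = int(p["sport"]), int(p["dport"])
    return packets


def classify(packets, satellite_domain, center_domain, route_all_via_center):
    """Say which policy element must cover each packet for it to be forwarded."""
    sat, ctr = ipaddress.ip_network(satellite_domain), ipaddress.ip_network(center_domain)
    verdicts = []
    for pkt in packets:
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        if src not in sat:
            v = "source outside satellite VPN domain: fix the 1430 VPN domain or its NAT setting"
        elif dst in ctr:
            v = "site-to-site: covered by the community, needs only an access rule"
        elif route_all_via_center:
            v = "internet via center: needs VPN routing 'to Internet' plus Hide NAT on the center"
        else:
            v = "internet destination in no encryption domain: dropped after decryption"
        verdicts.append((pkt["id"], str(src), str(dst), pkt.get("dport"), v))
    return verdicts
```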

Contributor

That is how it was configured on my system; I now have it working after making the changes above.
