Hi,
Just had a situation on our CP R80.40 firewall cluster, which suddenly stopped encrypting interesting traffic to our most important S2S VPN tunnel (without any change in configuration). 🙄
The FW VPN policy rules just were not enforced when packets arrived at the fw kernel, even though the source subnets and destination peer subnets matched those defined in the VPN rule. No IKE packets were sent to the PEER side at all, and we could not find the real reason in the IKE.elg and IKEv2.XML debug files, in which the PEER public IP did not appear at all.
What is more, all other VPN tunnels continued functioning perfectly.
We had an issue with the following encryption error - failed to enforce VPN policy (10):
We could not find any SK for this particular failure reason. There is another SK for failed to enforce VPN policy (11), which is not about this problem. We applied the kernel parameter from this SK - fw ctl set int encrypt_non_gw_rdp_ike 1 - but it did not help.
15 days ago this cluster was upgraded from R80.10 to R80.40, and everything was working like a charm without any problems until today.
I knew that this had something to do with the encryption domain for this particular VPN traffic, but I do not know how all the other VPN tunnels kept working, since they all used the local encryption domain defined according to the GW/cluster object VPN domain definition (a common VPN domain group for all VPNs).
As R80.40 allows defining the local encryption domain per VPN tunnel, we made the change for only this tunnel, and the tunnel immediately went back to the UP and RUNNING state.
I kindly ask you whether there is a better way to deal with this kind of situation, to find the real reason why traffic is not being encrypted and is going in the clear instead, when at the same time the VPN debug does not contain the VPN logs we want, because the traffic was not encrypted at all? Is there any SK which can help us with this error, failed to enforce VPN policy (10)?
Regards,
Milos