Ihenock1011
Collaborator

IPsec Tunnel UP but encryption domains unable to communicate (UDP encapsulation NAT-T)

Hi All

We have a Check Point GW R81.10, where we have created multiple S2S IPsec VPNs with other clients, but specifically with one client (strongSwan) we are having communication problems: the tunnel shows UP; however, the endpoints are unable to communicate. One thing I observed that differs from the other third-party tunnels is that in SmartView the tunnel detail shows "monitor UDP encapsulation NAT-T".

I'm unsure if this is causing the issue. Could you please help?

Thanks,

5 Replies
the_rock
Legend

Hey bro,

So, let's start with what's logical here... so, if the tunnel is UP, that 100% means phase 1 and 2 settings are good, no issues there. Now, if traffic is not working, it's possible that something with the VPN enc. domains might not be matching.

Some questions:

-is it domain or route based?

-star or meshed community?

-if star, how is routing configured within the community?

-any NAT used?

Andy

Ihenock1011
Collaborator

Hey Andy,

-is it domain or route based?

It is route based.

-star or meshed community?

Meshed community.

-any NAT used?

The pure IP goes through the tunnel; there is no NAT from my end.

the_rock
Legend

K, so if it's meshed, then there is no option to set any routing, which is fine, since every "entity" talks to one another, if you will. So, do you have a super basic diagram, or maybe an example of an IP that's failing? Just scramble something on a piece of paper, take a picture and upload it, not an issue, just blur out any sensitive data.

Did you try the ip r g command with the IP address in question to make sure it uses the correct route? Example: ip r g 8.8.8.8

What about a simple zdebug and also a basic vpn debug?

vpn debug trunc

vpn debug ikeon

-generate some traffic for 1 minute (ping)

vpn debug ikeoff

fw ctl debug 0 (to turn off debugs)

Look for the vpnd* and ike* files in the $FWDIR/log directory.

Best,

Andy

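The two checks Andy suggests above (confirm with ip r g that the failing destination actually leaves through the tunnel interface, then watch whether encrypted traffic flows in both directions while you generate pings) can be scripted for triage. The following is an added example, not code from this thread or from Check Point; it assumes the Linux iproute2 output format of `ip route get`, tcpdump-style summary lines, and that route-based VPN tunnel interfaces are named with a `vpnt` prefix (an assumption). All sample route output and capture lines are constructed.

```python
"""Triage helpers for an IPsec tunnel that reports UP but passes no traffic.

Added example (not from the thread or from Check Point). Assumptions: Linux
`ip route get` output format, tcpdump summary-line format, VTI names starting
with `vpnt`. Every sample line below is constructed for illustration.
"""
import re
from collections import Counter

# One answer line of `ip route get <dst>` (iproute2 format).
_ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+src\s+(?P<src>\S+))?"
)

# tcpdump summary line with optional ports, e.g.
# "IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x...,seq=0x1), length 132"
_PKT_RE = re.compile(
    r"IP\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<rest>.*)$"
)


def parse_route_get(output: str) -> dict:
    """Extract destination, next hop, egress device and source from `ip r g` output."""
    for line in output.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if m:
            return {k: v for k, v in m.groupdict().items() if v is not None}
    raise ValueError("no route line found in output")


def route_uses_vti(output: str, vti_prefix: str = "vpnt") -> bool:
    """True when the selected egress device is a VPN tunnel interface.

    For a route-based VPN, traffic that leaves through a physical interface
    instead of the VTI never gets encrypted, even though the tunnel is UP.
    The `vpnt` prefix is an assumption about interface naming.
    """
    return parse_route_get(output)["dev"].startswith(vti_prefix)


def classify_packet(line: str):
    """Return (src, dst, kind) with kind in {'IKE', 'NAT-T', 'ESP', 'OTHER'}, or None."""
    m = _PKT_RE.search(line)
    if not m:
        return None
    sport, dport, rest = m.group("sport"), m.group("dport"), m.group("rest")
    if "500" in (sport, dport):
        kind = "IKE"           # IKE negotiation on UDP/500
    elif "4500" in (sport, dport):
        kind = "NAT-T"         # UDP-encapsulated ESP (NAT traversal, UDP/4500)
    elif rest.startswith("ESP"):
        kind = "ESP"           # plain IP protocol 50, no NAT between peers
    else:
        kind = "OTHER"
    return m.group("src"), m.group("dst"), kind


def tunnel_traffic_summary(lines, local_ip: str, peer_ip: str) -> dict:
    """Count IKE and encrypted packets per direction and flag a one-way tunnel.

    IKE seen plus encrypted packets going out but none coming back means the
    SAs are fine and the problem sits in encryption domains, routing or NAT
    on the far side rather than in phase 1/2 settings.
    """
    counts = Counter()
    for line in lines:
        pkt = classify_packet(line)
        if pkt is None:
            continue
        src, dst, kind = pkt
        if kind in ("NAT-T", "ESP"):
            if src == local_ip and dst == peer_ip:
                counts["encrypted_out"] += 1
            elif src == peer_ip and dst == local_ip:
                counts["encrypted_in"] += 1
        elif kind == "IKE":
            counts["ike"] += 1
    counts["one_way"] = counts["encrypted_out"] > 0 and counts["encrypted_in"] == 0
    return dict(counts)


# Constructed sample data: a route that correctly uses the VTI, and a capture in
# which the gateway sends NAT-T encapsulated ESP but never receives any.
SAMPLE_ROUTE = "10.20.0.5 via 169.254.0.2 dev vpnt1 src 169.254.0.1 uid 0 \n    cache \n"
SAMPLE_CAPTURE = [
    "12:00:01.000000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]",
    "12:00:01.050000 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]",
    "12:00:02.000000 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132",
    "12:00:03.000000 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x2), length 132",
    "12:00:03.100000 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x3), length 132",
]

if __name__ == "__main__":
    print("route via VTI:", route_uses_vti(SAMPLE_ROUTE))
    print(tunnel_traffic_summary(SAMPLE_CAPTURE, "203.0.113.10", "198.51.100.20"))
```

In practice you would feed `parse_route_get` the output of `ip r g <remote host>` and `tunnel_traffic_summary` a capture filtered on the peer address while pinging. A `one_way` result with NAT-T packets leaving but nothing returning is what a mismatched remote encryption domain or a NAT in the path between the peers looks like on the wire, which is why the NAT-T indicator in the tunnel details is worth noting rather than alarming on by itself.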
Ihenock1011
Collaborator

Andy, do these debug commands create any issue? Because it is a production environment, if the debug commands need a maintenance window, kindly please let me know.

the_rock
Legend

I have done it probably more than 100 times, never had an issue. Those are super light, and I know people sometimes leave them on for 2 weeks and it's fine. If you want to be super careful and do it after hours, that's your choice, but personally I never had any issues, even in production.

Andy
