Pavan_Kumar
Contributor

One way traffic is dropping in Site to Site VPN with DAIP gateway

I have configured a site-to-site VPN between Check Point (R81.20 JHF T41) and strongSwan on Ubuntu (DAIP gateway).

Assume Host-A is behind Check Point and Host-B is behind strongSwan on Ubuntu.
The VPN tunnel is up and traffic initiated from Host-B to Host-A works, but traffic initiated from Host-A to Host-B does not.

SmartLog shows the traffic is accepted and encrypted in the community, but when checked with zdebug it is being dropped with the error below.

zdebug when pinging from Host-A to Host-B:

[image: ping.JPG]

zdebug when initiating telnet from Host-A to Host-B on port 443:

[image: telnet.JPG]

CP VPN status:

[image: cp vpn.JPG]

Strongswan VPN status:

[image: strongswan vpn.JPG]

My understanding as per the logs: instead of sending traffic over the existing tunnel, Check Point is trying to create a new tunnel for the encryption domain and failing in the process, as the peer is dynamic in the interoperable object.

Please help me to fix this issue.

regards,

PK

Accepted Solution
Pavan_Kumar
Contributor

Hi. The issue is resolved. Sharing my findings and fix; I thought it might help community members.

In my configuration, the local encryption domain is 172.28.1.10/32 (specific VPN domain for the community) and the remote encryption domain is 10.203.144.0/30.
As my local encryption domain is a single host, I created a group, added Host Object 172.28.1.10/32 to it, and used the group as the specific VPN domain for the community.

As per the VPN debug, when a host behind Check Point initiates traffic, it does not consider the Host Object used in the specific VPN domain of the community; instead, Check Point considers the Network Object (to which the IP 172.28.1.10 belongs) from the default VPN domain and tries to negotiate a new Phase 2 (local 172.28.1.0/24 in my case, remote 10.203.144.0/30). As the peer end's Phase 2 is configured with only a /32, the new Phase 2 negotiation fails. Due to this, traffic initiated from the host behind Check Point was not working.

Assuming Check Point doesn't consider Host Objects in the encryption domain, I created Network Object 172.28.1.10/32 and replaced the Host Object in the group with it. After that, the issue was resolved.

regards,

PK
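The selector mismatch PK describes, modelled as an added example (my code, not code from the thread, from Check Point or from strongSwan). The addresses are the ones in the post: the gateway's default VPN domain 172.28.1.0/24, the community-specific host 172.28.1.10/32, and the strongSwan side's 10.203.144.0/30. The split between IKEv1 Quick Mode exact matching and IKEv2 narrowing, and all function and constant names, are assumptions made for illustration; the thread does not say which IKE version the community uses.

```python
"""Model of the Phase 2 selector mismatch described in the thread (added example).

Constructed from the values PK posted: the gateway's default VPN domain is
172.28.1.0/24, the community-specific domain is the single host 172.28.1.10/32,
and the strongSwan side's traffic selector is 172.28.1.10/32 <-> 10.203.144.0/30.
Everything else here (function names, the IKE-version split) is an assumption
made for illustration, not Check Point or strongSwan code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Phase2:
    """A Phase 2 / CHILD_SA selector pair, from the point of view of the side
    that holds it: `local` is that side's own encryption domain."""
    local: Net
    remote: Net


def p2(local: str, remote: str) -> Phase2:
    return Phase2(ipaddress.ip_network(local), ipaddress.ip_network(remote))


# strongSwan (responder) configuration, as described in the post.
STRONGSWAN_CFG = p2("10.203.144.0/30", "172.28.1.10/32")

# What the Check Point gateway proposed before and after the fix, per the debug.
GATEWAY_BEFORE_FIX = p2("172.28.1.0/24", "10.203.144.0/30")   # default-domain /24 used
GATEWAY_AFTER_FIX = p2("172.28.1.10/32", "10.203.144.0/30")   # Network Object /32 used


def _intersect(a: Net, b: Net) -> Optional[Net]:
    """Two prefixes either nest or are disjoint; return the smaller one or None."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def quick_mode_accepts(initiator: Phase2, responder: Phase2) -> bool:
    """IKEv1 Quick Mode (RFC 2409): the responder answers with the same IDci/IDcr
    the initiator sent or rejects; there is no narrowing. The initiator's local
    must therefore equal the responder's remote exactly, and vice versa."""
    return initiator.local == responder.remote and initiator.remote == responder.local


def ikev2_narrow(initiator: Phase2, responder: Phase2) -> Optional[Phase2]:
    """IKEv2 (RFC 7296 section 2.9): the responder may narrow TSi/TSr to a subset
    of what was proposed. Returns the narrowed pair the initiator would receive,
    or None where the responder would send TS_UNACCEPTABLE."""
    tsi = _intersect(initiator.local, responder.remote)
    tsr = _intersect(initiator.remote, responder.local)
    if tsi is None or tsr is None:
        return None
    return Phase2(tsi, tsr)


def diagnose(initiator: Phase2, responder: Phase2) -> str:
    """One-line verdict for a proposal against the peer's configured selectors."""
    if quick_mode_accepts(initiator, responder):
        return "match: selectors identical on both sides"
    narrowed = ikev2_narrow(initiator, responder)
    if narrowed is None:
        return "fail: no overlap between the proposed and configured selectors"
    return (f"mismatch: exact match fails, IKEv2 could narrow to "
            f"{narrowed.local} <-> {narrowed.remote}")


if __name__ == "__main__":
    for label, prop in (("before fix", GATEWAY_BEFORE_FIX), ("after fix", GATEWAY_AFTER_FIX)):
        print(f"{label}: {prop.local} <-> {prop.remote}: {diagnose(prop, STRONGSWAN_CFG)}")
```

The /24 proposal only fails outright under exact-match semantics; an IKEv2 responder would normally narrow it to the /32. So when a debug shows the second Phase 2 being rejected, the two things worth checking alongside the VPN domain objects are which IKE version the community negotiates and whether the gateway accepts a narrowed selector, since that decides whether an exact /32 object on the Check Point side is required.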
3 Replies
G_W_Albrecht
Legend

I would contact CP TAC to get this resolved asap!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
PhoneBoy
Admin

StrongSWAN is treated as a Remote Access Client, to the best of my knowledge.
Which means: make sure this is enabled:

[image: image.png]

Otherwise, I suggest a TAC case: https://help.checkpoint.com 
