Re: R80.10: IPsec VPN - allow unencrypted pings be...

Lode_De_Feyter · ‎2019-01-08

Hi all,

This is my very first question on CheckMates. Exciting! 😉

I’m struggling with an IPsec VPN issue.

I’m setting up a very basic VPN between our Check Point gateway (R80.10) in Brussels and one peer gateway in Amsterdam, non-Check Point, managed by a business partner of ours.

I’m configuring that VPN as a “star” VPN community with one “center” gateway (our own) and one “satelite” gateway (the one in Amsterdam).
VPN comes up and is working. So far, so good.

Now, this particular partner in Amsterdam has the requirement to be able to ping from their gateway to ours. That is: unencrypted, straight over internet.

Those pings are blocked by our firewall with the message “Encryption Failure - Clear text packet should be encrypted”

That seems logical, because in the VPN community I created, I read following remark: “All the connections between the Gateways below and the Satellite Gateways will be encrypted.”

Within that same VPN community I have the option to “Exclude Services” from the community, resulting in these services not being encrypted.
When I add “echo-request” and “echo-reply” services in there, the peer gateway indeed is able to ping our gateway.

However, at the same time, pings between endpoint devices, that should be routed and encrypted throught the VPN are no longer working at that moment, and blocked by our gateway with the message: “Encryption Failure - According to the policy the packet should not have been decrypted”

How can I solve this deadlock and allow un-encrypted pings between gateways and, at the same time, allow encrypted pings between endpoints passing through the VPN?

I’m not quickly finding a solution on Google or CP’s KB.

Thanks for your advice!

Kind regards,

Lode

Jerry · ‎2019-01-08

welcome to the club

see this article first:

https://community.checkpoint.com/thread/10807-vpn-exclusions-made-inside-fwdirlibcryptdef-does-not-w...

and then if not helpful search for crypt..def and exclusions you do on Management server.

Cheers

Jerry

Maarten_Sjouw · ‎2019-01-09

Maybe useful to mention this part of the SK:

Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces

Regards, Maarten

Jerry · ‎2019-01-08

$FWDIR/lib/crypt.def

sk86582

modify according to the sk's and CCC from Dany

Jerry

Lode_De_Feyter · ‎2019-01-11

Thanks for your replies, Jerry Szpinak‌ and Maarten Sjouw‌
Both were usefull!

I solved it by modifying the $FWDIR/lib/crypt.def file as follows:

Replaced these 3 lines:

#ifndef NON_VPN_TRAFFIC_RULES

#define NON_VPN_TRAFFIC_RULES 0

#endif

With these lines:

FW-MYCOMPANY_BRUS={12.34.56.78};

FW-PARTNER_AMST={87.65.43.21};

#ifndef NON_VPN_TRAFFIC_RULES

#ifndef IPV6_FLAVOR

#define NON_VPN_TRAFFIC_RULES (((src in FW-MYCOMPANY_BRUS) and (dst in FWPARTNER_AMST)) or ((src in FWPARTNER_AMST) and (dst in FW-MYCOMPANY_BRUS)))

#else

#define NON_VPN_TRAFFIC_RULES 0

#endif

I also removed the "echo-request" and "echo-reply" services again from "Exclude Services" within the VPN community

After policy install, pings between VPN gateways are possible and not encrypted.

Pings between endpoints are working too and being encrypted.

Kind regards,

Lode

Are you a member of CheckMates?

R80.10: IPsec VPN - allow unencrypted pings between gateways

Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces