Lode_De_Feyter
Explorer

R80.10: IPsec VPN - allow unencrypted pings between gateways

Hi all, 

This is my very first question on CheckMates. Exciting! 😉

I’m struggling with an IPsec VPN issue.

 

I’m setting up a very basic VPN between our Check Point gateway (R80.10) in Brussels and one peer gateway in Amsterdam, non-Check Point, managed by a business partner of ours.

I’m configuring that VPN as a “star” VPN community with one “center” gateway (our own) and one “satellite” gateway (the one in Amsterdam).
VPN comes up and is working. So far, so good.

Now, this particular partner in Amsterdam has the requirement to be able to ping from their gateway to ours. That is: unencrypted, straight over internet.

Those pings are blocked by our firewall with the message “Encryption Failure - Clear text packet should be encrypted”.

That seems logical, because in the VPN community I created, I read the following remark: “All the connections between the Gateways below and the Satellite Gateways will be encrypted.”

 

Within that same VPN community I have the option to “Exclude Services” from the community, resulting in these services not being encrypted.
When I add “echo-request” and “echo-reply” services in there, the peer gateway indeed is able to ping our gateway.

However, at the same time, pings between endpoint devices, which should be routed and encrypted through the VPN, are no longer working at that moment, and are blocked by our gateway with the message: “Encryption Failure - According to the policy the packet should not have been decrypted”.

  

How can I solve this deadlock and allow un-encrypted pings between gateways and, at the same time, allow encrypted pings between endpoints passing through the VPN?

 

I’m not quickly finding a solution on Google or CP’s KB.

 

Thanks for your advice!

Kind regards,

Lode

4 Replies
Jerry
Mentor

welcome to the club 🙂

see this article first:

https://community.checkpoint.com/thread/10807-vpn-exclusions-made-inside-fwdirlibcryptdef-does-not-w...

and then, if not helpful, search for crypt.def and the exclusions you do on the Management server.

Cheers

Jerry

Maarten_Sjouw
Champion

Maybe useful to mention this part of the SK:

Scenario 3 - Implied inclusion of Check Point Security Gateway's / 3rd party VPN Peer's interfaces

Regards, Maarten
Jerry
Mentor

$FWDIR/lib/crypt.def 

sk86582

modify according to the SKs and CCC from Dany 🙂

Jerry
Lode_De_Feyter
Explorer

Thanks for your replies, Jerry Szpinak and Maarten Sjouw.
Both were useful!

I solved it by modifying the $FWDIR/lib/crypt.def file as follows:

Replaced these 3 lines:

    #ifndef NON_VPN_TRAFFIC_RULES
    #define NON_VPN_TRAFFIC_RULES 0
    #endif

With these lines:

    // Public addresses of the two VPN gateways
    FW-MYCOMPANY_BRUS={12.34.56.78};
    FW-PARTNER_AMST={87.65.43.21};

    // Traffic directly between the two gateways, in either direction, is treated as non-VPN traffic
    #ifndef NON_VPN_TRAFFIC_RULES
    #ifndef IPV6_FLAVOR
    #define NON_VPN_TRAFFIC_RULES (((src in FW-MYCOMPANY_BRUS) and (dst in FW-PARTNER_AMST)) or ((src in FW-PARTNER_AMST) and (dst in FW-MYCOMPANY_BRUS)))
    #else
    #define NON_VPN_TRAFFIC_RULES 0
    #endif
    #endif

 

I also removed the "echo-request" and "echo-reply" services again from "Exclude Services" within the VPN community.

 

After policy install, pings between VPN gateways are possible and not encrypted.

Pings between endpoints are working too and being encrypted.

Kind regards,

Lode
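An added illustration, not part of the thread or of Check Point's own tooling: a small Python helper that renders the crypt.def block Lode described and evaluates the same two-gateway predicate against sample flows, so you can see why gateway-to-gateway pings leave the VPN while host-to-host pings stay encrypted, and why the earlier "Exclude Services" attempt affected every flow in the community. All names and addresses are constructed; the IPv6 branch is left at 0 as in the post.

```python
import ipaddress

# Constructed sample values (not the thread's real addresses or names): the
# public IP of each VPN gateway and one host behind each of them.
GATEWAYS = {"FW_MYCOMPANY_BRUS": "192.0.2.10", "FW_PARTNER_AMST": "198.51.100.20"}
HOST_BRUS, HOST_AMST = "10.1.0.5", "10.2.0.7"


def render_non_vpn_rules(gateways):
    """Render the crypt.def block from the thread: one address object per
    gateway, then NON_VPN_TRAFFIC_RULES matching gateway<->gateway traffic in
    both directions. Names are kept hyphen-free so the definition and the
    reference inside the macro cannot drift apart."""
    names = list(gateways)
    if len(names) != 2:
        raise ValueError("this helper renders the two-gateway case only")
    a, b = names
    body = [f"{n}={{{ip}}};" for n, ip in gateways.items()]
    pair = (f"(((src in {a}) and (dst in {b})) or "
            f"((src in {b}) and (dst in {a})))")
    body += ["#ifndef NON_VPN_TRAFFIC_RULES", "#ifndef IPV6_FLAVOR",
             f"#define NON_VPN_TRAFFIC_RULES {pair}", "#else",
             "#define NON_VPN_TRAFFIC_RULES 0", "#endif", "#endif"]
    return "\n".join(body)


def is_non_vpn_traffic(src, dst, gateways):
    """Evaluate the same predicate in Python. True: the packet is sent in
    clear between the two gateways. False: it stays subject to the VPN
    community, so it is encrypted (or logged as an encryption failure)."""
    if len(gateways) != 2:
        raise ValueError("two gateways expected")
    a, b = (ipaddress.ip_address(ip) for ip in gateways.values())
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s == a and d == b) or (s == b and d == a)


def is_service_excluded(service, excluded_services):
    """The first approach in the thread: 'Exclude Services' on the community
    applies to every flow in the community regardless of endpoints, which is
    why endpoint-to-endpoint pings also dropped out of the VPN."""
    return service in excluded_services
```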
