This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
minhhaivietnam
Collaborator
‎2021-06-23 03:45 AM

VPN IPSEC between Juniper SRX and Checkpoint R80.10 error

Hello Mates,

I am configuring VPN IPSEC between Juniper SRX and Checkpoint R80.10 like this topology. The tunnel already is UP. 

tp1.png

TUNNEL is UP.

tp2.png

 

But when I ping from Juniper-LAN to Checkpoint-LAN. Not success! I saw log in checkpoint,it says that "According to the policy the packet should not be decrypted"

tp3.png

I search on some forums, they said that is because of overlapping subnets of two site (Juniper and Checkpoint). But in my topology, it is definitely not overlapping anything.

Could someone please help me know why?

Thank you.

0 Kudos
7 Replies
G_W_Albrecht
Legend Legend
Legend
‎2021-06-23 04:05 AM

sk167655 ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
minhhaivietnam
Collaborator
‎2021-06-23 04:12 AM
In response to G_W_Albrecht

Hello bro,

Here I'm not using NAT in my topology (is this OK?), Here is my VPN Domaintp3.png

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2021-06-23 04:26 AM
In response to minhhaivietnam

Can you show Tunnels on Community and double-click it to see if VPN is up both ways? And show the policy the error refers to ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Timothy_Hall
Legend Legend
Legend
‎2021-06-23 06:21 AM

Here is an excerpt from a VPN Interoperability handout I provide when teaching the CCTA class that explains this somewhat confusing error message, based on your log entry it looks like either your firewall's VPN domain or the peer object's VPN domain are not defined correctly and completely:

Packet was Decrypted, but Policy Says Packet Should not have been
decrypted – An encrypted packet was received by your firewall that was
decrypted successfully but one of the following has occurred:

• The source IP address on the decrypted packet does not correspond to
the known VPN domain of the VPN peer, or the destination IP address
does not fall within your own firewall's defined VPN domain. This is
most commonly caused by inappropriate NAT rules being applied to VPN
traffic on the VPN peer side; selecting Disable NAT in VPN Community
on the VPN peer’s settings will usually solve this problem.

• There is an overlap between the VPN domain of your firewall and the
VPN domain definition of the peer firewall; you or your peer may have
defined an overly-generous conflicting network such as 10.0.0.0/8 or
192.168.0.0/16 in your VPN domain and/or antispoofing setup. The
command vpn overlap_encdom communities –s run on the Security
Gateway will display any VPN Domain overlap conditions. Consider using
a Group w/ Exclusion object (where the peer’s VPN domain is excluded)
as your firewall’s VPN domain to get around this issue.

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
minhhaivietnam
Collaborator
‎2021-06-24 12:52 AM
In response to Timothy_Hall

Hello Mr. Timothy_Hall,

After I run command vpn overlap_encdom communities –s , it show no overlap domain. Then I re-configure VPN from the begin on Checkpoint side, and then found that I forgot to adjust "Topology section" of LAN-Juniper-subnet in "Interoperable Device" like below: from "external" to "internal". Then error was resolved. Thanks for support.

 tp1.png

Thanks for support!

the_rock
Legend
Legend
‎2021-06-24 03:59 PM
In response to minhhaivietnam

Ok, great...so really nothing terribly wrong you did, thats small mistake anyone can make.

0 Kudos
the_rock
Legend
Legend
‎2021-06-23 06:33 AM

@Timothy_Hall brought up a good suggestion. Try command vpn overlap_encdom and see if you get any results. That would tell you 100% for sure if it overlaps or not.

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events