This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
isuckatthis
Contributor
‎2025-04-30 09:21 AM
Jump to solution

VPN community routing not working

Hello smarter than I people!

I have a Checkpoint to Checkpoint VPN. We're using a community. The traffic gets to the Checkpoint FW VPN concentrator and is not routed across the VPN.

How do I troubleshoot this?

The encryption domain on the remote side shows the correct subnets.

 

I've attached images showing the community, logs showing the traffic is not encrypted, a traceroute showing the FW is sending the traffic back to the router then the router back to the FW then the FW back to the router until the end of time (or TTL expires).

 

I have no idea how to troubleshoot this. Help! 😞 

 
 

routing.pnglog.pngtrace.png

0 Kudos
71 Replies
the_rock
MVP Gold
MVP Gold
‎2025-04-30 12:15 PM
In response to isuckatthis
Jump to solution

I think I now see what your issue is. Please change in community vpn tunnel sharing options per subnet, NOT per gateway, as per gateway option will do universal 0.0.0.0/0 subnet.

Andy

Best,
Andy
0 Kudos
isuckatthis
Contributor
‎2025-04-30 02:17 PM
In response to the_rock
Jump to solution

Which one? I have many issues. 😂
Testing now.............

No go. Changed to per subnet and the traffic is still not tunneled.

0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-04-30 10:19 AM
Jump to solution

The routers sends back the traffic because it is being send out unencrypted. 

Routers sees: dst: 10.59.78.2 it would route this back to the fw. It should see the public IP of the remote peer.

Between the public peer IPs you should see ike 500 and ESP traffic. No RFC1918 traffic. Router should only see encrtyped traffic.

So focus on why it is not encrypted. You have checked the remote side encryption domain but also check local side 10.59.78.2 I suspect this host / network is not in local enc domain. 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
isuckatthis
Contributor
‎2025-04-30 10:22 AM
In response to Lesley
Jump to solution

The source IP of the traffic behind the hub is in the hubs encryption domain object.

0 Kudos
isuckatthis
Contributor
‎2025-04-30 02:26 PM
In response to Lesley
Jump to solution

Agreed, it's not tunneling to the spoke. I don't know why. All I know is that the encryption domain tells the FW what to tunnel. Am I wrong? Are there other pieces that I'm missing?

This is my encryption domains. I've applied them on the side where that network lives. For example, my remote site hosts the network 10.59.78.0/24. Therefore, I've created a network object for that subnet and used that object (ThompsonTesting...) in the VPN domain on the REMOTE FW. I assume that is telling the hub "go to the remote for 10.59.78.0"

Vice versa, I've created three objects to be used by the hub side VPN domain. 10.59.40.69 (a loop back on a router which I'm using to test) then two additional networks that are prod. 

I don't think so, but, should I be putting the opposite sides networks inside the VPN domain for the local host?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-04-30 03:54 PM
In response to isuckatthis
Jump to solution

What time zone are you in? Happy to do remote later if you are free or tomorrow morning, let me know. Im in EST.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-05-01 04:20 AM
In response to isuckatthis
Jump to solution

If you see this message before 9 am EST, be free to send me a DM, we can do remote (If you are allowed and willing to do it). I would really like to have a look at the config, because I have a gut feeling something trivial is missing here.

Andy

Best,
Andy
(1)
isuckatthis
Contributor
‎2025-05-01 06:45 AM
In response to the_rock
Jump to solution

Hey Andy, I really appreciate the offer! 

I saw Duane post last night but now I think it's been deleted. I understood from it that the VPN Domain does NOT add a top secret hidden route, I will need to add a route and ensure it's egress is the external interface on this firewall.

I'm about to test that now. I'd be happy to have a remote session if you're interested. 

 

 

Tested and now the traffic is being dropped for spoofing. We have anti-spoofing enabled on the inside interface and it's using the 10.59.0.0/16. I'm assuming this is the FW logic:
1 packet comes in and is to be routed out the external interface based on my /24 route

2 FW says "wait a minute, 10.59.0.0/16 is all behind the inside interface based on the anti-spoofing list you've configured in me"

3 FW drops the traffic even though I am also telling it "route out your external interface for 10.59.78.0/24"

 

So now it seems that I have to make 255 individual /24's and add them to an anti spoofing list and remove the 10.59.0.0/16, that seems, inefficient. I don't have any anti-spoofing list on the external interface. I assume that if it's labeled as "external" it means anything NOT behind any other interfaces.

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-05-01 06:52 AM
In response to isuckatthis
Jump to solution

Correct, domain-based VPNs do not add routes to the routing table (unless you have RIM configured, but that's not this).

My post from last night is still here in the thread, too.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Gold
MVP Gold
‎2025-05-01 06:54 AM
In response to isuckatthis
Jump to solution

What time zone are you in? I can do say 4 pm est.

Andy

Best,
Andy
0 Kudos
isuckatthis
Contributor
‎2025-05-08 07:43 AM
Jump to solution

Thank you all for helping with this, the tunnel is UP!

My problem was a slight domino effect. 

1) I understood the VPN Domains incorrectly
2) As was mentioned by a couple folks, I cannot have overlap in the VPN Domain. The resolution for this is pretty cool and I got to learn something new! We made a Network Group with Exclusion! The main object included 10.59.0.0/16 and the except value was 10.59.78.0/24, works perfectly!

Thank you all for your time invested in helping me understand this. The best part about it was learning something new that I can apply in the future!

group exclusion.png

(1)
the_rock
MVP Gold
MVP Gold
‎2025-05-08 07:55 AM
In response to isuckatthis
Jump to solution

Thats EXCELLENT, good to keep in mind! Great job.

ANyd

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events