Michael_Jacobse
Explorer

Why am I seeing incorrect packet order in Route based VPN?

Hi all, 

I'm trying to set up Route based VPN between Checkpoint R77.30 and a Cisco router, so the traffic from a box behind Checkpoint can get to the Internet over VPN through the remote Cisco router.

My setup is very simple 

First location:

L1 in VLAN 333 access mode (Linux box with IP 192.168.11.13/24, gw 192.168.11.1 (Cluster IP on Checkpoint))

Checkpoint cluster with outgoing interface VIP 109.233.62.20 (just for testing) on bond0 (nodes 109.233.62.21 and 22), default gw 109.233.62.1

--

192.168.11.1 on bond1.333 (vlan 333), nodes on 192.168.11.2 and 3.

Second location:

Cisco router 7606 with SPA-400/IPSec2G module.

External IP vlan 2: 185.15.210.41, def gw: .40

Loopback0: 192.168.16.1/24

Tunnel1: ip unnumbered Loopback0

I followed a guide to do it with Policy based routing and a tunnel interface (vpnt1), and it's set up to send all the traffic coming from the 192.168.11.0/24 network on bond1.333 into the vpnt1 interface. Now, I'm getting pings from the L1 box to 192.168.16.1 just fine, so the tunnel works. NAT inside the VPN community is disabled. However, when I try to ping from the L1 box towards 8.8.8.8, packets are not going into the tunnel, it seems. What I see in Log Viewer is that the first ICMP packet is getting into the tunnel, however the second one is attempted to be sent unencrypted over the bond1.333 interface.

I'm not sure why this is happening, are there any files that need to be edited? I tried to enable/disable implied rules, didn't make much difference. Tried to turn off SecureXL too, nope, didn't help either.

Not getting resolves (DNS) either, btw.

Any ideas?

Thanks in advance. 

Best regards, 

Michael

P.S. I edited original post and now both replies are gone.

Anyway, I figured it out - in fw monitor the packets are actually in the correct order, so this is OK.

But why it didn't work out - the reason is that the Cisco 7600 series does not have the VRF NAT functionality, which is needed in this case. I'll get some other router to play with, I believe this is where the problem is.

Thank you all for replying.

4 Replies
Timothy_Hall
Champion

Have you turned off CoreXL (not SecureXL)? Route-based VPN and CoreXL are incompatible in R77.30 and earlier; this limitation was rectified in R80.10 gateway.

PhoneBoy
Admin

A very good reason to try this in R80.10 instead of R77.30 :)

Michael_Jacobse
Explorer

I did try to disable CoreXL, rebooted both nodes, didn't change a thing.

R80.10 is definitely on a list for the future, however I cannot do it now.

PhoneBoy
Admin

What's your routing table on the gateway?

Only things the routing table says to go through the VTI will actually be encrypted.

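To make the point in the reply above concrete, here is an added example (not code from the thread or from Check Point): a longest-prefix-match model of the gateway's routing table, built from the addresses in the original post. Interface names (bond0, bond1.333, vpnt1) and the Cisco peer address come from the thread; the next hops and the two routing tables themselves are constructed assumptions, and the model covers only the plain routing table, not the policy-based routing the poster configured. It shows why a ping to 192.168.16.1 lands in the VTI while a ping to 8.8.8.8 follows the default route out bond0 in the clear, and what changes once the default route points at the VTI. The caveat a practitioner wants: when the default route goes into the VTI, the IPsec peer's public address still needs a more specific route out the external interface, or the encrypted packets to the peer would themselves be routed back into the tunnel.

```python
import ipaddress

# Constructed routing tables modelled on the thread's topology.  This is an
# added example, not the poster's real "show route" output: interface names
# and the Cisco peer address are from the thread, next hops are assumptions.
# Each entry: (prefix, next_hop or None when directly connected, egress iface)
ROUTES_BEFORE = [
    ("0.0.0.0/0",       "109.233.62.1", "bond0"),      # default via ISP, unencrypted
    ("109.233.62.0/24", None,           "bond0"),      # external subnet
    ("192.168.11.0/24", None,           "bond1.333"),  # LAN, VLAN 333
    ("192.168.16.0/24", None,           "vpnt1"),      # remote Loopback0 net via the VTI
]

# Same table with the default route moved into the VTI.  The IPsec peer's
# public address keeps a more specific route out bond0; without it the ESP
# packets destined for the peer would be routed into the tunnel themselves.
ROUTES_AFTER = [
    ("0.0.0.0/0",        None,           "vpnt1"),     # everything else: into IPsec
    ("185.15.210.41/32", "109.233.62.1", "bond0"),     # IPsec peer, must stay in the clear
    ("109.233.62.0/24",  None,           "bond0"),
    ("192.168.11.0/24",  None,           "bond1.333"),
    ("192.168.16.0/24",  None,           "vpnt1"),
]

VTI = "vpnt1"  # assumed name of the VPN tunnel interface


def lookup(routes, dst):
    """Longest-prefix match: return (prefix, next_hop, iface) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def is_encrypted(routes, dst, vti=VTI):
    """True when the lookup lands on the VTI, i.e. the packet enters IPsec."""
    route = lookup(routes, dst)
    return route is not None and route[2] == vti


def trace(routes, dsts, vti=VTI):
    """Map each destination to 'encrypted', 'clear via <iface>' or 'unroutable'."""
    result = {}
    for dst in dsts:
        route = lookup(routes, dst)
        if route is None:
            result[dst] = "unroutable"
        elif route[2] == vti:
            result[dst] = "encrypted"
        else:
            result[dst] = f"clear via {route[2]}"
    return result


if __name__ == "__main__":
    probes = ["192.168.16.1", "8.8.8.8", "185.15.210.41"]
    print("before:", trace(ROUTES_BEFORE, probes))
    print("after: ", trace(ROUTES_AFTER, probes))
```

Running it prints the before/after decision for the remote loopback, a public DNS resolver and the IPsec peer itself. On a real Gaia gateway the same check is `show route destination 8.8.8.8` in clish (or `ip route get 8.8.8.8` from expert mode): if the answer is not the VTI, the packet will leave unencrypted, whatever the VPN community says.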