This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Michael_Jacobse
Explorer
‎2018-12-08 03:53 PM

Why am I seeing incorrect packet order in Route based VPN?

Hi all, 

I'm trying to set up Route based VPN between Checkpoint R77. 30 and Cisco router, so the traffic from box behind Checkpoint can get to the Internet over VPN through remote Cisco router.

My setup is very simple 

First location:

L1 in VLAN 333 access mode (Linux box with IP 192.168.11.13/24, gw 192.168.11.1 (Cluster IP on Checkpoint) 

Checkpoint cluster with outgoing interface VIP 109.233.62.20 (just for testing) on bond0 (nodes 109.233.62.21 and 22), default gw 109.233.62.1

--

192.168.11.1 on bond1.333 (vlan 333), nodes on 192.168.11.2 and 3.

Second location:

Cisco router 7606 with SPA-400/IPSec2G module.

External IP vlan 2: 185.15.210.41, def gw:. 40

Loopback0: 192.168.16.1/24

Tunnel1: ip unnumbered Loopback0

I followed a guide to do it with Policy based routing and tunnel interface (vpnt1) and it's setup to send all the traffic coming from 192.168.11.0/24 network on bond1.333 into vpnt1 interface. Now, I'm getting pings from L1 box to 192.168.16.1 just fine, so the tunnel works. NAT inside VPN community is disabled. However, when I try to do ping from L1 box towards 8.8.8.8 packets are not going into the tunnel, it seems. What I see in Log Viewer is that first ICMP packet is getting into the tunnel, however the second one is attempted to be sent unencrypted over bond1.333 interface.

I'm not sure why this is happening, are there any files needed to be edited? I tried to enable/disable implied rules, didn't make much difference.Tried to turn off SecureXL too, nope, didn't help either. 

Not getting resolves (DNS) either,btw.

Any ideas?

Thanks in advance. 

Best regards, 

Michael

P.S. I edited original post and now both replies are gone.

Anyway, I fugured it out - in fw monitor packets are actually in correct order, so this is OK.

But why it didn't work out - the reason is that Cisco 7600 series do not have functionality of VRF NAT, which is needed in this case. I'll get some other router to play with, I believe this is where the problem is.

Thank you all for replying.

0 Kudos
4 Replies
Timothy_Hall
Champion
Champion
‎2018-12-09 07:04 AM

Have you tuned off CoreXL (not SecureXL)?  Route-based VPN and CoreXL are incompatible in R77.30 and earlier; this limitation was rectified in R80.10 gateway.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Watch My 2023 CPX360 Speech Titled "Max Power
Reloaded: R81+ Gateway Performance Innovations"
0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-09 07:31 AM
In response to Timothy_Hall

A very good reason to try this in R80.10 instead of R77.30 Smiley Happy

0 Kudos
Michael_Jacobse
Explorer
‎2018-12-09 01:48 PM
In response to Timothy_Hall

I did try to disable CoreXL, rebooted both nodes, didn't change a thing.

R80.10 is definitely on a list for the future, however I cannot do it now.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-09 07:27 AM

What's your routing table on the gateway?

Only things the routing table says to go through the VTI will actually be encrypted.

0 Kudos