Hi all, 

I'm trying to set up Route based VPN between Checkpoint R77. 30 and Cisco router, so the traffic from box behind Checkpoint can get to the Internet over VPN through remote Cisco router.

My setup is very simple 

First location:

L1 in VLAN 333 access mode (Linux box with IP 192.168.11.13/24, gw 192.168.11.1 (Cluster IP on Checkpoint) 

Checkpoint cluster with outgoing interface VIP 109.233.62.20 (just for testing) on bond0 (nodes 109.233.62.21 and 22), default gw 109.233.62.1

--

192.168.11.1 on bond1.333 (vlan 333), nodes on 192.168.11.2 and 3.

Second location:

Cisco router 7606 with SPA-400/IPSec2G module.

External IP vlan 2: 185.15.210.41, def gw:. 40

Loopback0: 192.168.16.1/24

Tunnel1: ip unnumbered Loopback0

I followed a guide to do it with Policy based routing and tunnel interface (vpnt1) and it's setup to send all the traffic coming from 192.168.11.0/24 network on bond1.333 into vpnt1 interface. Now, I'm getting pings from L1 box to 192.168.16.1 just fine, so the tunnel works. NAT inside VPN community is disabled. However, when I try to do ping from L1 box towards 8.8.8.8 packets are not going into the tunnel, it seems. What I see in Log Viewer is that first ICMP packet is getting into the tunnel, however the second one is attempted to be sent unencrypted over bond1.333 interface.

I'm not sure why this is happening, are there any files needed to be edited? I tried to enable/disable implied rules, didn't make much difference.Tried to turn off SecureXL too, nope, didn't help either. 

Not getting resolves (DNS) either,btw.

Any ideas?

Thanks in advance. 

Best regards, 

Michael

P.S. I edited original post and now both replies are gone.

Anyway, I fugured it out - in fw monitor packets are actually in correct order, so this is OK.

But why it didn't work out - the reason is that Cisco 7600 series do not have functionality of VRF NAT, which is needed in this case. I'll get some other router to play with, I believe this is where the problem is.

Thank you all for replying.