Why am I seeing incorrect packet order in Route based VPN?

Hi all, 

I'm trying to set up a route-based VPN between Check Point R77.30 and a Cisco router, so that traffic from a box behind the Check Point can get to the Internet over the VPN through the remote Cisco router.

My setup is very simple:

First location:

L1 in VLAN 333, access mode (Linux box with IP , gw  (cluster IP on Check Point))

Check Point cluster with outgoing interface VIP (just for testing) on bond0 (nodes and 22), default gw

-- on bond1.333 (VLAN 333), nodes on and 3.

Second location:

Cisco router 7606 with SPA-400/IPSec2G module.

External IP vlan 2:, def gw:. 40


Tunnel1: ip unnumbered Loopback0

I followed a guide to do it with policy-based routing and a tunnel interface (vpnt1), and it is set up to send all the traffic coming from the network on bond1.333 into the vpnt1 interface. Now, I'm getting pings from the L1 box to just fine, so the tunnel works. NAT inside the VPN community is disabled. However, when I try to ping from the L1 box towards , the packets are not going into the tunnel, it seems. What I see in Log Viewer is that the first ICMP packet is getting into the tunnel, but the second one is attempted to be sent unencrypted over the bond1.333 interface.

I'm not sure why this is happening; are there any files that need to be edited? I tried to enable/disable the implied rules, which didn't make much difference. Tried to turn off SecureXL too; nope, didn't help either.

Not getting DNS resolution either, btw.

Any ideas?

Thanks in advance. 

Best regards, 


P.S. I edited original post and now both replies are gone.

Anyway, I figured it out: in fw monitor the packets are actually in the correct order, so this is OK.

But why it didn't work out: the reason is that the Cisco 7600 series does not have VRF NAT functionality, which is needed in this case. I'll get some other router to play with; I believe this is where the problem is.

Thank you all for replying.

Have you turned off CoreXL (not SecureXL)? Route-based VPN and CoreXL are incompatible in R77.30 and earlier; this limitation was rectified in the R80.10 gateway.

A very good reason to try this in R80.10 instead of R77.30 :)

I did try to disable CoreXL and rebooted both nodes; it didn't change a thing.

R80.10 is definitely on the list for the future, but I cannot do it now.

What's your routing table on the gateway?

Only things the routing table says to go through the VTI will actually be encrypted.

