Hi
I have configured a VPN tunnel between a 1430 and my central checkpoint Firewall (R80.10).
The VPN tunnel is connected but the test packet towards 8.8.8.8 is blocked.

In the fw monitor I get the following:
[vs_0][fw_0] eth1:i[68]: 172.16.50.50 -> 8.8.8.8 (UDP) len=68 id=21028
UDP: 58832 -> 53
[vs_0][fw_0] eth1:i[68]: 172.16.50.50 -> 8.8.8.8 (UDP) len=68 id=21029
UDP: 58832 -> 53
[vs_0][fw_0] eth1:i[65]: 172.16.50.50 -> 8.8.8.8 (UDP) len=65 id=21030
UDP: 42110 -> 53
[vs_0][fw_1] eth1:i[68]: 172.16.50.50 -> 8.8.8.8 (UDP) len=68 id=21031
UDP: 58832 -> 53
What policy is it that I need to make changes to?
The 1430 is configured as an Interoperable Device with a fixed IP number of the WAN interface, my 4G connection. In the topology I am using the same IP on the External network.

Hi,
Take a look at sk64060 https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I now have this working; I made two changes.
1. On my central FW I changed the VPN Domain to the 172.16.50.X/24 network on the "Interoperable Device"
2. On the 1430 I cleared the checkbox for "Disable NAT for this site" in the VPN settings.
Why is the 1430 configured as an Interoperable Device and not as a 1430? Do you use local management on it? That would be rather bad...
At the moment I use local management of the device; during the summer I am going to move to central management.
You have an encryption domain issue. The R80.10 doesn't know that 8.8.8.8 is part of its encryption domain. Make sure in the VPN community to change the VPN routing option to be "To center or through center to other satellites, to Internet and other VPN targets". I'm assuming that you configured the 1430 to route all the traffic in the webui through the R80.10 GW. Make sure you have a Hide NAT rule on the R80.10 GW to hide traffic from behind the 1430 networks to the internet, because the internet should return the traffic to the R80.10 GW.

I noticed in the log that the source is 172.16.50.50 after the decryption of the packet. Is that the external IP of the 1430? Are you doing Hide NAT behind the 1430 external IP?
Please make sure to include the 172.16.50.x and the 192.168.130.x networks in SmartConsole for the encryption domain of the 1430 device and try to change it to be Externally managed checkpoint device.
That is how it was configured on my system; I now have it working after making the changes above.
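
Added example, not part of the original thread: a small Python parser for the fw monitor lines quoted in the question, reporting the furthest inspection point (i, I, o, O) each packet reached on the capturing gateway. The function names are illustrative, and the sample input is the capture from the question.

```python
import re
from collections import defaultdict

# Capture lines copied from the fw monitor output in the question above.
CAPTURE = """\
[vs_0][fw_0] eth1:i[68]: 172.16.50.50 -> 8.8.8.8 (UDP) len=68 id=21028
UDP: 58832 -> 53
[vs_0][fw_0] eth1:i[68]: 172.16.50.50 -> 8.8.8.8 (UDP) len=68 id=21029
UDP: 58832 -> 53
[vs_0][fw_0] eth1:i[65]: 172.16.50.50 -> 8.8.8.8 (UDP) len=65 id=21030
UDP: 42110 -> 53
[vs_0][fw_1] eth1:i[68]: 172.16.50.50 -> 8.8.8.8 (UDP) len=68 id=21031
UDP: 58832 -> 53
"""

# fw monitor inspection points, in the order a forwarded packet crosses them.
POINTS = {"i": "pre-inbound", "I": "post-inbound",
          "o": "pre-outbound", "O": "post-outbound"}
ORDER = "iIoO"

LINE = re.compile(
    r"\[vs_\d+\]\[fw_\d+\]\s+(?P<ifc>\S+):(?P<pt>[iIoO])\[\d+\]:\s+"
    r"(?P<src>\S+) -> (?P<dst>\S+) \((?P<proto>\w+)\) len=\d+ id=(?P<id>\d+)")


def last_point_per_packet(text):
    """Map (src, dst, ip_id) -> furthest inspection point seen for that packet."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:  # transport detail lines ("UDP: 58832 -> 53") do not match
            seen[(m["src"], m["dst"], int(m["id"]))].add(m["pt"])
    return {k: max(v, key=ORDER.index) for k, v in seen.items()}


def stalled_inbound(text):
    """Packets never seen past 'i', i.e. they did not clear the inbound chain."""
    return sorted(k for k, p in last_point_per_packet(text).items() if p == "i")


if __name__ == "__main__":
    for key, pt in sorted(last_point_per_packet(CAPTURE).items()):
        print(key, "->", pt, f"({POINTS[pt]})")
    print("stalled at pre-inbound:", len(stalled_inbound(CAPTURE)))
```

Every packet in the quoted capture appears only at `i`, so none of them got past the inbound chain on that gateway. Where NAT rewrites addresses between inspection points, the key changes, so correlate on the IP ID alone in that case.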