Stefano_Cappell
Participant

IPSEC ESP packets arrive but no ICMP can be seen


Hi

I just configured an IPSEC vpn with another firewall: The tunnel is up but no packet can be seen getting out from the tunnel.

We just checked the two configurations and they match.

On the remote site they can see the packets (they are just doing a ping) getting encrypted and exiting from the VPN virtual interface. On our side we can see the ISAKMP packets and the ESP packets arriving at the ping "pace", but if I dump the ICMP traffic filtering for their IP, no packet can be seen.

The vpn tu tlist -p [remote host] command shows all the correct parameters and the correct local and remote networks.

What can this be about?  


Accepted Solutions
PhoneBoy
Admin

What does fw ctl zdebug drop say?

3 Replies
Stefano_Cappell
Participant

EDIT: I've checked the configuration of the VPN community again and found out that there was no encryption domain configured in the interoperable device for the remote firewall...

I was so sure I had configured and double-checked the remote encryption domain...

Anyway. Thanks!


.....................................  

It says

 dropped by vpn_drop_and_log Reason: According to the policy the packet should not have been decrypted


I've tried to check this with some info on the internet, I checked the encryption domains: their destination is inside our encryption domain and there shouldn't be any overlapping between their source network and our encryption domain.


I just can't understand what's wrong with this vpn

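The zdebug triage in this thread, as an added example that is not part of the original posts: a small POSIX sh helper that summarizes "dropped by ... Reason: ..." lines from saved fw ctl zdebug drop output, optionally restricted to one peer address, so a vpn_drop_and_log reason like the one above stands out from ordinary rulebase drops. The sample lines are constructed (not a real capture); the line layout assumed is the usual fw_log_drop_ex format.

```shell
#!/bin/sh
# Added example (not from the thread). Save live output first, e.g.
#   fw ctl zdebug drop > /var/log/zdebug_drop.txt   (stop with Ctrl-C)
# then run: drop_reasons "$(cat /var/log/zdebug_drop.txt)" <peer-ip>

# Constructed sample of fw ctl zdebug drop output (not a real capture).
SAMPLE_DROPS=$(cat <<'EOF'
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 192.0.2.10:8 -> 198.51.100.20:0 dropped by vpn_drop_and_log Reason: According to the policy the packet should not have been decrypted;
;[cpu_0];[fw4_0];fw_log_drop_ex: Packet proto=1 192.0.2.10:8 -> 198.51.100.20:0 dropped by vpn_drop_and_log Reason: According to the policy the packet should not have been decrypted;
;[cpu_1];[fw4_1];fw_log_drop_ex: Packet proto=6 203.0.113.5:443 -> 198.51.100.20:51000 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 99;
EOF
)

# drop_reasons TEXT [PEER]
# Prints "count function | reason", most frequent first. If PEER is given,
# only lines mentioning that address (as source or destination) are counted.
drop_reasons() {
  printf '%s\n' "$1" |
  if [ -n "${2:-}" ]; then grep -F -- "$2"; else cat; fi |
  sed -n 's/.*dropped by \([^ ]*\) Reason: \([^;]*\).*/\1 | \2/p' |
  sort | uniq -c | sort -rn | sed 's/^ *//'
}

# vpn_policy_drops TEXT PEER
# Number of packets from/to PEER dropped by vpn_drop_and_log, i.e. packets
# the gateway refused to decrypt because they did not fit the VPN domains.
vpn_policy_drops() {
  printf '%s\n' "$1" | grep -F -- "$2" |
  { grep -c 'dropped by vpn_drop_and_log' || true; }
}

# Stand-alone demonstration on the constructed sample.
drop_reasons "$SAMPLE_DROPS" 192.0.2.10
```

A non-zero vpn_policy_drops count for the peer, with the "should not have been decrypted" reason, points at the encryption domain or NAT mismatch discussed in this thread rather than at the tunnel itself.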
Timothy_Hall
Champion

Other side is improperly NATing traffic into the tunnel, and it isn't matching what your firewall is expecting to see from the peer object in regards to their VPN domain.

Otherwise there is an overlap in VPN domains somewhere, run vpn overlap_encdom communities -s to find it.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com