This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Stefano_Cappell
Participant
‎2020-10-02 03:08 AM
Jump to solution

IPSEC ESP packets arrive but no ICPM can be seen

Hi

I just configured an IPSEC vpn with another firewall: The tunnel is up but no packet can be seen getting out from the tunnel.

We just checked the two configurations and they match.

On the remote site they can see the packets (they are just doing a ping) getting encripted and exiting from the vpn virtual interface. On our side we can see the isakmp packets and the esp packet arriving with the ping "pace" but if I dump the icmp traffic filtering for their IP, no packet can be seen.

The vpn tu tlist -p [remote host]  Command shows all the correct parameters and correct local and remote networks.

What can this be about?  

 

2020-10-02 12_01_32-Window.png
Preview file
155 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-10-03 02:23 PM
Jump to solution

What does fw ctl zdebug drop say?

View solution in original post

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-10-03 02:23 PM
Jump to solution

What does fw ctl zdebug drop say?

0 Kudos
Stefano_Cappell
Participant
‎2020-10-05 01:24 AM
In response to PhoneBoy
Jump to solution

EDIT: I've checked again the configuration of the vpn community another time and I've found out that there was no encryption domain configured in the interoperable device for the remote firewall...

I was so sure I had configured and double-checked the remote encryption domain...

Anyway. Thanks!

 

.....................................  

It says

 dropped by vpn_drop_and_log Reason: According to the policy the packet should not have been decrypted

 

I've tried to check this with some info on the internet, I checked the encryption domains: their destination is inside our encryption domain and there shouldn't be any overlapping between their source network and our encryption domain.

 

I just can't understand what's wrong with this vpn

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-10-05 06:40 AM
In response to Stefano_Cappell
Jump to solution

Other side is improperly NATing traffic into the tunnel, and it isn't matching what your firewall is expecting to see from the peer object in regards to their VPN domain.

Otherwise there is an overlap in VPN domains somewhere, run vpn overlap_encdom communities -s to find it.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top