This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Johannes_Schoen
Collaborator
‎2019-02-01 04:52 AM

VPN Tunneled traffic is blocked - Address Spoofing

Hi Community,

I got a annoying strange behavior:

Perimeter Checkpoint, Transfernet to Core Firewall with topoloy RFC1918 networks.

New VPN tunnel with a /24 net from 10.0.0.0/8 range.

Excluded tunneled network from address spoofing on external interface.

Created a Group RFC1918 networks with Exclusion of tunneld /24 network.

Set that group with exclusion to transfernet core-firewall interface

Traffic from VPN tunnel arrives, but dropped because of address spoofing.

What am I missing?

Help is much appreciated

Best Regards

Johannes

7 Replies
Mark_Mitchell
Advisor
‎2019-02-01 06:58 AM

Hi Johannes, 

Can I ask which appliances you are configuring this on please? Have you defined your internet facing interface as an "External" interface?

Are both the perimeter and internal firewalls Check Point appliances?

I don't suppose you have a topology of the configuration to make it easier to visualise? And a copy of the log file entry if possible? 

Regards

Mark

Johannes_Schoen
Collaborator
‎2019-02-21 01:27 AM
In response to Mark_Mitchell

Hi Mark,

I'm sorry for my late response - the notification mails were sacked as spam....

One of them is a 5900-HPP VRRP-Cluster with R77.30

The other one is a 3100 ClusterXL with R88.20

Both internal appliances are Checkpoint, our managment firewall is an interoperable device, but the drops are seen on Checkpoint side.

Topology is set to best practice (address spoofing enabled based on topology, internal nets, external net, dmz net und transfernets are marked)

This is the drop message:

Best Regards

Johannes

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-02-21 01:36 AM
In response to Johannes_Schoen

Johannes,

On the Internet facing interface there is an option Do not check Spoofing from: in that field add a group, External_networks_over_VPN and add all remote VPN located networks to that group.

Sorry, missed that one line that you did already. You should double check on which interface the traffic is dropped been there to many times that the return traffic was dropped on the internal interface instead...

Regards, Maarten
0 Kudos
Johannes_Schoen
Collaborator
‎2019-02-21 01:47 AM
In response to Maarten_Sjouw

Hi Maarten,

I already excluded the tunneled network from monitoring side, but that didn't help either.

The ping/snmp traffic is dropped on the management interface (as seen in the screenshot above, received unencrypted packet should be encrypted)

0 Kudos
Mark_Mitchell
Advisor
‎2019-02-22 11:54 AM
In response to Johannes_Schoen

Hi Johannes, 

Not a problem at all. Smiley Happy 

It does look like it is a configuration issue. Could you check your encryption domains to ensure that all is setup correctly?

Have you attempted to complete a VPN debug yet?

How to generate a valid VPN debug, IKE debug and FW Monitor  

I appreciate that your VPN debug's will contain sensitive information. But if you needed a hand interpreting the outputs, just let me know. 

Regards

Mark

Johannes_Schoen
Collaborator
‎2019-03-18 04:15 AM
In response to Mark_Mitchell

Dear Mark,

I think a vpn debug is not necessary.
The encryption domains and the tunnel itself is fine.

My only problem is, that the secondary node cannot be accessed from our encryption domain, because of drops from ipsec blade "Clear text packet should be encrypted".

I'm confused, because we have other situations with Check Point where exactly the same configuration is working.
I opened up a case with Check Point, but the answers take a long time so far.

0 Kudos
Danny
Champion Champion
Champion
‎2019-03-18 04:37 AM
In response to Johannes_Schoen

Typically sk147493 will solve this issue. However, Check Point seems to have changed this behavior since R80.10 as we are having the same issue.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events