This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
taib_charkaoui
Explorer
‎2019-01-01 09:40 AM
Jump to solution

IPSec VPN between Checkpoint and Cisco ASA

Hi All,

im having really tought time establishing inbound connectivity from a third party Cisco ASA to my perimeter Checkpoint firewall. I am using R.76 and not R.80

I have an existing VPN created that permits outbound access from my internal servers to a 3rd party server.

The source of the Outbound traffic (FROM internal server to 3rd Party server) is hidden behind a single static NAT IP address. This access works.

My issue is establishing traffic Inbound (FROM 3rd party server to local internal server).

Traffic from the 3rd party is destined for a hide address that i translate to the real IP address of my internal server.

I can see the VPN attempt to establish and then get an error : "encryption Fail Reason: Received a cleartext packet within an encrypted connection".

I've done the usual troubleshooting and this error usually means that the encryption domains on either side do not match, however from what i can see they do.

Under the topology section of the gateway i have the VPN domains manually defined and include all the subnets that will be permitted to go through the VPN from my side, including the NAT addresses.

And under the VPN settings for the destination i have the subnet of the destination 3rd party servers.

Is there something i am missing, below are the things i've tried:-

  • checked encryption domains on both sides, they appear to match
  • checked VPN tunnel sharing to "one vpn tunnel per subnet pair"
  • checked VPN type to meshed

After each time i went on to the CLI of the gateway and cleared both IPSec and IKEs for the IPSec gateway and no change: outbound from us to them works, but they cannot initiate an inbound connection to a server i have control of.

any help is greatly appreciated, and i can provide additional detail if required.

thanks.

Preview file
63 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-01-03 06:15 AM
In response to taib_charkaoui
Jump to solution

This is unencrypted traffic, as the error messages were suggesting.

(Well, ok, SSH is technically encrypted but it's not IPsec)

This means the problem is on the remote end.

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2019-01-01 10:38 AM
Jump to solution

I would use a tcpdump or fw monitor to validate whether you are, in fact, receiving packets from the remote site in plaintext.

If you are, the misconfiguration is on the other side. 

See also: Debugging Site-to-Site VPN

While I'm not aware of any specific issues in R76 related to this, keep in mind R76 (unless it's R76SP) is no longer supported.

You should look at upgrading to a supported version.

0 Kudos
taib_charkaoui
Explorer
‎2019-01-01 10:48 AM
In response to PhoneBoy
Jump to solution

Thanks for the response.

if i do a TCP dump i can check that there is traffic coming from the source subnet (the 3rd party).

But there shouldnt be anything particularly complicated in configuring an IPSec VPN to allow Inbound as opposed to outbound only traffic right?

The issue is if i am going to go back to the 3rd party to tell them their config needs amending i need, to be sure.

thanks again

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-01 05:19 PM
In response to taib_charkaoui
Jump to solution

If you see anything in the tcpdump that looks like it comes from hosts behind the VPN Endpoint (e.g. SSH as shown in your log entry) that means the remote end is not encrypting the traffic.

That can only be fixed on the remote end.

0 Kudos
taib_charkaoui
Explorer
‎2019-01-02 09:32 AM
In response to PhoneBoy
Jump to solution

Hi Dameon - so i did the TCPDump and could see traffic coming in from the 3rd party peer, as per the existing encryption domain on my side, so that is what is confusing me:-

  1. traffic is coming from 10.199.3.96/28 as per the encryption domain configured on under the VPN gateway on my checkpoint firewall.
  2. the local VPN encryption domain includes both the NAT hide address the 3rd party is trying to get to and the real address of the server that the NAT hide address is being translated to.

below is the detail shown in the packet when the vpn is setting up.

VPN Encryption packet detail

And finally i've attached a picture of the order of packets taken from smartview tracker, with the packets marked with a padlock showing the setup of the VPN, and then the drop notification, and the repeat of this after each attempt

smartview tracker output

so it looks like the encryption domains are correct, 

appreciate the assistance Dameon

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-02 10:25 AM
In response to taib_charkaoui
Jump to solution

It would helpful if you pasted the exact output from tcpdump that you're seeing.

The only thing you should be seeing there is IKE and IPsec traffic from the peer.

0 Kudos
taib_charkaoui
Explorer
‎2019-01-03 03:01 AM
In response to PhoneBoy
Jump to solution

So below is the TCPdump capture, i see when i ask the 3rd party to initiate traffic.

The 10.199.3.97 address is the source address that the 3rd party is coming from (FYI this is also a nat'd address as we cannot see their real ip addresses)

The 10.199.2.11 address is the NAT address on my side that i have hidden the real ip address of my server behind.

TCPDump Capture

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-03 06:15 AM
In response to taib_charkaoui
Jump to solution

This is unencrypted traffic, as the error messages were suggesting.

(Well, ok, SSH is technically encrypted but it's not IPsec)

This means the problem is on the remote end.

taib_charkaoui
Explorer
‎2019-01-03 07:09 AM
In response to PhoneBoy
Jump to solution

Hi Dameon, this is what i thought.

Potentially their end had different encryption domains and i was trying to match them by changing config on my side, but if they are not encrypting the traffic in the first place then there shouldnt be anything i can do.

I will get back to them and press for them to re-look at things. in the meantime i will mark your last answer as correct.

many thanks for your assistance.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫