This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
Advisor
‎2024-06-25 09:12 AM

PC behind SMB

Hi,

All traffic from our office site (SMB) is routed over VPN to our central site. This setup includes routing all internet-bound traffic, including DNS lookups, through the DC site.

It is route-based VPN configuration, where the encryption domain is empty, the DC gateway expects all traffic originating from our specific remote gateway (SMB) to be encrypted.

However, I'm encountering the error message "Clear text packet should be encrypted" specifically for traffic originating from a PC behind the SMB firewall.

Here are the details:

  • Pinging from  the SMB device works without issues.
  • The PC behind the SMB firewall has IP address 192.168.3.10 and its default gateway is set to 192.168.3.1, which is the SMB firewall itself.
  • There is a static route configured to send traffic from the 192.168.3.0 network (SMB network) to the central site. At the central site, there is a corresponding static route to send the traffic back to the SMB network.

Despite these configurations, the PC behind the SMB firewall is unable to access the internet. All logs indicate that packets from this PC are being dropped with the message "Clear text packet should be encrypted."

This issue suggests that there might be a misconfiguration in how encryption is handled for traffic originating from the PC behind the SMB firewall, possibly related to VPN encryption settings, security policies, or routing. I'm seeking guidance on how to resolve this issue and ensure that all traffic, including internet-bound traffic, is correctly encrypted and routed through the VPN to the central site.

0 Kudos
18 Replies
PhoneBoy
Admin
Admin
‎2024-06-25 10:08 AM

Sounds like this might apply: https://support.checkpoint.com/results/sk/sk182072 

0 Kudos
Moudar
Advisor
‎2024-06-26 04:46 AM
In response to PhoneBoy

Does that apply on route based VPN ? My encryption domain is an empty group on both gateways!

0 Kudos
the_rock
Legend
Legend
‎2024-06-26 05:16 AM
In response to Moudar

That does work (I had done it many times), though technically only remote side needs to have one.

Andy

0 Kudos
Moudar
Advisor
‎2024-06-26 05:23 AM
In response to the_rock

can you  please elaborate more on that

0 Kudos
the_rock
Legend
Legend
‎2024-06-26 05:25 AM
In response to Moudar

Yes...so, local enc domain, you can just put a corresponding group containing subnets/hosts (whatever needed to be there) and then remote enc domain can be an empty group.

Setting in community if its subnet/hosts combo, or regardless what it is, make sure it says "per gateway"

Andy

0 Kudos
Moudar
Advisor
‎2024-06-26 05:55 AM
In response to the_rock

We are still discussing a star community setup, not a mesh configuration as mentioned in SK182072?

However, the admin guide states that both the central and branch sites should have empty groups to avoid any issues arising from these configurations.

0 Kudos
the_rock
Legend
Legend
‎2024-06-26 06:09 AM
In response to Moudar

Thats right...just to make sure, error you get is still the same? Is it ONLY for one server?

Andy

0 Kudos
Moudar
Advisor
‎2024-06-26 06:23 AM
In response to the_rock

My PC behind the SMB, all its traffic is getting "drop" with that message. I did not test more, I will do it tonight 

0 Kudos
the_rock
Legend
Legend
‎2024-06-26 06:35 AM
In response to Moudar

If enc domains are empty groups, then no reason why it should not work. Do ip r g command for that IP to see what it shows.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2024-06-26 04:01 PM
In response to Moudar

Best bet would be to consult with TAC here: https://help.checkpoint.com 

0 Kudos
emmap
Employee
Employee
‎2024-06-25 10:24 AM

Which gateway is generating those logs, and what does your static route on the SMB gateway look like?

0 Kudos
Moudar
Advisor
‎2024-06-25 02:58 PM
In response to emmap

I can see those logs on both gateways:

on SMS

central-log.JPG

on SMB

smb-log.JPG

 

The static route on SMB

add static-route destination 0.0.0.0/1 nexthop gateway ipv4-address 192.168.4.10
add static-route destination 128.0.0.0/1 nexthop gateway ipv4-address 192.168.4.10

and one 0.0.0.0/0 to ISP

192.168.4.10 is the VTI address on central office

On central office there is no static route but 192.168.3.0 is known through OSPF.

OSPF on SMB has it and sends it to the other side

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-06-25 03:52 PM
In response to Moudar

Do ip r g command to that IP to see path its taking, simply to verify its 100% right.

Andy

ie  - > ip r g 8.8.8.8

0 Kudos
emmap
Employee
Employee
‎2024-06-26 08:14 PM
In response to Moudar

Last time I tried this, the next hop of the routes had to be the VPN tunnel (in my case vpnt10) not the IP address of the tunnel peer. 

0 Kudos
the_rock
Legend
Legend
‎2024-06-26 08:21 PM
In response to emmap

In my experience, that makes sense IF you are talking about unnumbered VTIs, if its numbered, then DG ip would be something not used on the other side, but certainly NOT the peer IP

@Moudar Keep in mind this, as its IMPORTANT...if we are talking numbered VTIs, say your side has, I dont know, just as an example, 169.254.0.50 and other side is .51, thats ip you would use as default gateway to their network. However, its its UNNUMBERED vtis, then it goes based off the interface, so say eth0, for example and it would have exact SAME ip address.

Andy

If you need help, let me know. You can also check my post about it below, hope it helps.

 

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

0 Kudos
emmap
Employee
Employee
‎2024-06-26 08:29 PM
In response to the_rock

In my test case it was a numbered VTI and the VTI IPs weren't an option when adding the route. SMB boxes seem to handle this differently to main train. 

0 Kudos
the_rock
Legend
Legend
‎2024-06-27 04:45 AM
In response to emmap

Not sure when it comes to SMB, but you are right, on regular Gaia, its most likely different.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-06-25 10:33 AM

Hey bro,

That message in layman's terms, would indicate that it "sees" that packet as its supposed to be encrypted, rather than be sent in clear. I would double check encryption domain, because if its regular domain based tunnel, it all boils down to how vpn domains are configured, as opposed to route based tunnel, which is slightly different.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events