Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
dphonovation
Collaborator
Jump to solution

Creating VPN community w/ private IPs in Enc Domain breaks ICMP?

I have a weird outtage today where somehow the licensing on my cluster got all out of whack. I've fixed it and cluster is now all green.

However what I now notice is that ICMP to a Remote Office is broken as soon as I have a community setup on the CP side.

 

Checkpoint Public IP: x.x.x.x

Checkpoint VPN Encryption Domain: 10.10.171.0/24

Remote peer Public IP: z.z.z.z

Remote Peer Encryption Domain: 192.168.1.0/24 and 192.168.11.0/24

 

As soon as I configure this community (star or mesh), z.z.z.z can no longer ping x.x.x.x

 

Checkpoint logs report "Clear text packet should be encrypted".

 

I went as far as blowing out all the VPN communities, disabling IPSEC VPN. Pushing policy. Then reenabling and readding the community. I'm rather confused, as I know for a fact before this used to be fine.

 

On top of this, Checkpoint Mobile stopped working entirely.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

"Clear text packet should be encrypted" means a packet was received that was not encrypted that, by policy, should be.
That points to a configuration error.

sk108600 Scenario 3 is the main issue here (the fact the gateway IPs are always included in the encryption domain).
The fact you're getting this error in the remote to local direction implies the remote VPN peer is managed by a third party and is most likely a third party device.
To resolve this, you will need to have the remote end change the configuration to include their peer IP as part of their encryption domain OR apply the fix described in sk108600.
If both ends of the VPN are gateways managed by the same management and you're experiencing this, it might be worth a TAC case. 

The Check Point Mobile issue is something completely different, most likely.
Please start a new thread related to this issue with appropriate details about this issue (error messages, exact version/JHF used, etc).

View solution in original post

5 Replies
Chris_Atkinson
Employee Employee
Employee

sk108600 - scenario 3?

Did this work on a previous version or the same?

CCSM R77/R80/ELITE
0 Kudos
dphonovation
Collaborator

The same gateways and versions didn't change and that is whats confusing.

I've certainly never modified the file in that sk for scenario 3 before.

0 Kudos
PhoneBoy
Admin
Admin

"Clear text packet should be encrypted" means a packet was received that was not encrypted that, by policy, should be.
That points to a configuration error.

sk108600 Scenario 3 is the main issue here (the fact the gateway IPs are always included in the encryption domain).
The fact you're getting this error in the remote to local direction implies the remote VPN peer is managed by a third party and is most likely a third party device.
To resolve this, you will need to have the remote end change the configuration to include their peer IP as part of their encryption domain OR apply the fix described in sk108600.
If both ends of the VPN are gateways managed by the same management and you're experiencing this, it might be worth a TAC case. 

The Check Point Mobile issue is something completely different, most likely.
Please start a new thread related to this issue with appropriate details about this issue (error messages, exact version/JHF used, etc).

dphonovation
Collaborator

Thanks. I will try adding the peer IP.

0 Kudos
dphonovation
Collaborator

That worked. Thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events