This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dphonovation
Collaborator
‎2023-01-10 06:38 AM
Jump to solution

Creating VPN community w/ private IPs in Enc Domain breaks ICMP?

I have a weird outtage today where somehow the licensing on my cluster got all out of whack. I've fixed it and cluster is now all green.

However what I now notice is that ICMP to a Remote Office is broken as soon as I have a community setup on the CP side.

 

Checkpoint Public IP: x.x.x.x

Checkpoint VPN Encryption Domain: 10.10.171.0/24

Remote peer Public IP: z.z.z.z

Remote Peer Encryption Domain: 192.168.1.0/24 and 192.168.11.0/24

 

As soon as I configure this community (star or mesh), z.z.z.z can no longer ping x.x.x.x

 

Checkpoint logs report "Clear text packet should be encrypted".

 

I went as far as blowing out all the VPN communities, disabling IPSEC VPN. Pushing policy. Then reenabling and readding the community. I'm rather confused, as I know for a fact before this used to be fine.

 

On top of this, Checkpoint Mobile stopped working entirely.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-01-10 11:06 AM
Jump to solution

"Clear text packet should be encrypted" means a packet was received that was not encrypted that, by policy, should be.
That points to a configuration error.

sk108600 Scenario 3 is the main issue here (the fact the gateway IPs are always included in the encryption domain).
The fact you're getting this error in the remote to local direction implies the remote VPN peer is managed by a third party and is most likely a third party device.
To resolve this, you will need to have the remote end change the configuration to include their peer IP as part of their encryption domain OR apply the fix described in sk108600.
If both ends of the VPN are gateways managed by the same management and you're experiencing this, it might be worth a TAC case. 

The Check Point Mobile issue is something completely different, most likely.
Please start a new thread related to this issue with appropriate details about this issue (error messages, exact version/JHF used, etc).

View solution in original post

5 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-01-10 07:38 AM
Jump to solution

sk108600 - scenario 3?

Did this work on a previous version or the same?

CCSM R77/R80/ELITE
0 Kudos
dphonovation
Collaborator
‎2023-01-10 07:42 AM
In response to Chris_Atkinson
Jump to solution

The same gateways and versions didn't change and that is whats confusing.

I've certainly never modified the file in that sk for scenario 3 before.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-10 11:06 AM
Jump to solution

"Clear text packet should be encrypted" means a packet was received that was not encrypted that, by policy, should be.
That points to a configuration error.

sk108600 Scenario 3 is the main issue here (the fact the gateway IPs are always included in the encryption domain).
The fact you're getting this error in the remote to local direction implies the remote VPN peer is managed by a third party and is most likely a third party device.
To resolve this, you will need to have the remote end change the configuration to include their peer IP as part of their encryption domain OR apply the fix described in sk108600.
If both ends of the VPN are gateways managed by the same management and you're experiencing this, it might be worth a TAC case. 

The Check Point Mobile issue is something completely different, most likely.
Please start a new thread related to this issue with appropriate details about this issue (error messages, exact version/JHF used, etc).

dphonovation
Collaborator
‎2023-01-10 11:09 AM
In response to PhoneBoy
Jump to solution

Thanks. I will try adding the peer IP.

0 Kudos
dphonovation
Collaborator
‎2023-01-10 02:25 PM
In response to PhoneBoy
Jump to solution

That worked. Thank you.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events