IanS94
Participant

Double encryption - hosts in spoke networks want to form IPSec over our route based VTIs

Hi all,

We have multiple spoke networks connected over IPSec VPN (numbered VTI, Route based VPN), with BGP.

These have been configured with an empty encryption domain and work seamlessly for all traffic types with wire mode or without, except for IPSec over the top of our VPN tunnels, which doesn’t work in either wire or firewall configuration. With wire mode off, the logs show it’s hitting our allow rule, but the log is saying “Drop” and “Failed to enforce VPN policy (11)”.

A customer has a hard requirement to form IPSec encryption from their host, from within their network, to a host in another network we also VPN with. MTUs are set correctly and this worked previously inside tunnels from Palo Alto firewalls natively, without any issues or extra configuration.

It seems likely the empty encryption domain is causing some fuss

Is there guidance available around why IPSec within our VPN is any different to, say, TLS within our VPN, and more importantly, is it possible to allow this type of traffic to flow over our firewalls without losing key requirements we have (BGP route-based VPN)?

Kind Regards,

Ian
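A small triage helper, added here and not part of the original post or of any Check Point tooling: it labels raw IPv4 packets captured on the VTI (for example exported from tcpdump) by whether they are nested IPsec (IKE on UDP/500, NAT-T on UDP/4500, ESP, AH) or ordinary traffic such as TLS, so you can confirm which of the customer's flows coincide with the "Failed to enforce VPN policy" drops. All packet bytes and addresses below are constructed.

```python
import struct
from collections import Counter
from socket import inet_aton

ESP, AH, TCP, UDP = 50, 51, 6, 17

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet by the transport it carries inside the VTI."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "non-ipv4"
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]
    if proto == ESP:
        return "esp"
    if proto == AH:
        return "ah"
    if proto in (UDP, TCP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        ports = {sport, dport}
        if proto == UDP and 500 in ports:
            return "ike"
        if proto == UDP and 4500 in ports:
            return "nat-t"
        if proto == TCP and 443 in ports:
            return "tls"
    return "other"

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Construct a minimal IPv4 packet (checksum left zero) for offline testing."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr + payload

def summarize(packets) -> dict:
    """Count packets per class; the nested-IPsec classes are the ones to correlate with drops."""
    return dict(Counter(classify(p) for p in packets))

# Constructed sample capture: spoke host 10.1.0.5 talking to 10.2.0.9 (placeholder RFC 1918 addresses).
SAMPLE = [
    build_ipv4(UDP, "10.1.0.5", "10.2.0.9", struct.pack("!HH", 500, 500) + b"\x00" * 8),
    build_ipv4(UDP, "10.1.0.5", "10.2.0.9", struct.pack("!HH", 4500, 4500) + b"\x00" * 8),
    build_ipv4(ESP, "10.1.0.5", "10.2.0.9", b"\x00" * 16),
    build_ipv4(TCP, "10.1.0.5", "10.2.0.9", struct.pack("!HH", 51000, 443) + b"\x00" * 16),
    build_ipv4(TCP, "10.1.0.5", "10.2.0.9", struct.pack("!HH", 51001, 22) + b"\x00" * 16),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))  # {'ike': 1, 'nat-t': 1, 'esp': 1, 'tls': 1, 'other': 1}
```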

4 Replies