This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pradeep_Salunke
Explorer
‎2023-01-05 08:59 AM

IPSEC tunnel issue

Created the IPsec site to site tunnel. however it was showing as down. 

Checked traffic with peer ip address traffic however IKE traffic was dropped. Allowed the same now showing accepted. Still 4500 traffic was dropped.

logs below 

AK 0: Get before set operation succeeded of simple_debug_filter_off
[Expert@bu2-fw-01:0]# fw ctl zdebug + drop | grep 154.52.35.150
@;2332418538;[cpu_11];[fw4_0];fw_log_drop_ex: Packet proto=17 154.52.35.150:4500 -> 193.53.133.17:4500 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;
@;2332434814;[cpu_11];[fw4_0];fw_log_drop_ex: Packet proto=17 154.52.35.150:4500 -> 193.53.133.17:4500 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;
@;2332469207;[cpu_11];[fw4_0];fw_log_drop_ex: Packet proto=17 154.52.35.150:4500 -> 193.53.133.17:4500 dropped by vpn_drop_and_log Reason: Clear text packet should be encrypted;

 

Please help for this

0 Kudos
10 Replies
Blason_R
MVP Gold
MVP Gold
‎2023-01-05 06:14 PM

Check Your encryption domains. Looks like the subnets are not added in encryption domains or some thing wrong with those. But worth a check at encryption domains.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-01-05 08:12 PM

I agree with @Blason_R . That error means enc domain issue 9 times out of 10, so phase 2 problem. But, to be 100% sure, just do basic vpn debug:

vpn debug trunc

vpn debug ikeon

-generate some traffic

vpn debug ikeoff

Get ike.elg and vpnd* files from $FWDIR/log dir and examine ike.elg to confirm the failure point (use ikeview tool to open it, but notepad++ will do as well).

Andy

Best,
Andy
0 Kudos
Nishant12
Explorer
‎2023-01-05 08:29 PM

There could be two possibility for that.

1 4500 port is not in the exclude services in the vpn community 

2 Either of one or both IP is part of the encryption domain, and these IP looks like the IP used to make the tunnel up so this should not be part of encryption domain.

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2023-01-06 12:43 AM
In response to Nishant12

No Need to exclude 4500 and 4500 can never be a part of encryption settings as per RFC. UDP/4500 is a NAT-T port and will not be part of encrypted traffic. 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Nishant12
Explorer
‎2023-01-06 12:50 AM
In response to Blason_R

In past I faced the same issue when i excluded the 4500 it started working i am not sure why checkpoint is not considering this as exclude only 

0 Kudos
Pradeep_Salunke
Explorer
‎2023-01-06 02:48 AM
In response to Nishant12

@Nishant12 , how you excluded the 4500 port?

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2023-01-06 03:19 AM
In response to Pradeep_Salunke

Hi @Pradeep_Salunke,

 

Can you share more info about the gw's that are doing vpn? Is the peer is behind NAT? Is the topology of the peer configured correctly aka, external and internal configured correctly?

 

The exclusions is needed only in case you disabled implied rules, otherwise no need an exclusion.

 

Thanks,

Ilya

Blason_R
MVP Gold
MVP Gold
‎2023-01-06 03:21 AM
In response to Ilya_Yusupov

This is correct - There is no need to exclude the port and @Ilya_Yusupov is 100% correct. 4500 port will never be encrypted since its carrying the NAT data

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Nishant12
Explorer
‎2023-01-06 04:17 AM
In response to Ilya_Yusupov

It was working without exclusion but after the upgrade of HFA 156 in R80.40 stopped working not sure why but CP support also agree to exclude when we ask them as i am also agree it should not exclude 

0 Kudos
Ilya_Yusupov
Employee
Employee
‎2023-01-06 04:36 AM
In response to Nishant12

@Pradeep_Salunke from which jhf the upgrade was done?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events