This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ricardo_Gros
Collaborator
‎2018-12-14 05:39 AM

Remote VPN access to network behind 3rd party Gateway

Hi, 

I have come upon this issue where a customer is trying to access a Network scope behind a tunnel that is terminating on a 3rd party device. 

So the topology is the following

Client VPN client with remote office IP 10.1.1.2 want´s to reach Server Behind Tunnel Terminating on 3rd party firewall with IP 192.168.2.2   

Checkpoint has route for 192.168.2.0/24 -> 3rd party device 

3rd Party device has route to 10.1.1.0/24 -> checkpoint

Network 192.168.2.0/24 is part of Enc Domain of Checkpoint for Remote VPN 

Problem is when the client tries to reach network packet is forwarded to server, return packet however is blocked by checkpoint with following error: 

Dropped by vpn_verify, reason : Clear packet on encrypted connection; 

I don´t understand the drop because the packet should be Clear text and only be encrypted by the checkpoint and decrypted by the client, I don´t see the difference between this and any other network access, I wondering if It has to do with the Topology since this network is not directly connected, however there is a route so it should be "known" in terms of topology.

After this I tried adding the Remote Office Pool to the Enc. Domain of the Gateway, however this simply changed the error output to:


No Decryption Message 

I think the second error is because now the Gateway thinks it needs to Decrypt and it´s clear text or something.. 



8 Replies
PhoneBoy
Admin
Admin
‎2018-12-14 06:30 AM

A visual network diagram would be helpful.

0 Kudos
Ricardo_Gros
Collaborator
‎2018-12-14 06:55 AM
In response to PhoneBoy

Traffic is initiated on Remote VPN side: 


I can see in FW monitor the traffic being send to destination network and I can also see on 3rd party the traffic being send to server. 

The return traffic hits the 3rd party device and get´s blocked on checkpoint side with described errors. 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-14 08:31 AM
In response to Ricardo_Gros

Sounds like the remote end is not encrypting the reply traffic for some reason.

Can you confirm it is received cleartext on the Check Point?

0 Kudos
Ricardo_Gros
Collaborator
‎2018-12-14 08:36 AM
In response to PhoneBoy

It should not encrypt the reply, the reply is decrypted on 3rd party firewall correctly, send as clear text to Checkpoint and should then be encrypted to be sent to the Remote VPN tunnel. 

The original packet is Encrypted on Client Side, decrypted on Checkpoint side and send as Clear text to 3rd party device, then encrypted and send to server (server sits behind some other device this I don´t know). 

There is a tunnel Between 3rd Party and some other gateway and destination network is behind this. 

So the traffic flow between Checkpoint and 3rd party is always unencrypted. 

PhoneBoy
Admin
Admin
‎2018-12-14 10:50 AM
In response to Ricardo_Gros

Have you done any of the steps in this SK?

Troubleshooting "Clear text packet should be encrypted" error in ClusterXL 

0 Kudos
Ricardo_Gros
Collaborator
‎2018-12-17 12:04 AM
In response to PhoneBoy

Hi, 

Do you have any specific section in mind by referring this?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-12-17 06:02 AM
In response to Ricardo_Gros

Yeah, now that I look at it a bit more closely, probably not Smiley Happy

Do you have a TAC case on this?

0 Kudos
Shahar_Grober
Advisor
‎2019-02-14 10:46 PM

Hi Ricardo, 

do you know if this scenario is supported or working, 

I need to do something similar but I am not sure it is supported.

I want to know if you approached TAC before I start to configure and test it 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events