DekPlent
Contributor

Site to Site Traffic inbound decrypt but no packets forwarded to destination

I am replacing some aging Checkpoint R71 appliances with 1590 appliances and am testing a very simple IPsec site-to-site VPN from a Linux-based strongSwan user.

According to the VPN Tunnels link and tcpdump, the VPN appears to be established, with ESP sequence numbers increasing when I ping from the remote site inbound to the Checkpoint 1590. The traffic however does not leave the Checkpoint 1590 internal interface to the destination host, and I cannot figure out why.

The log on the checkpoint shows:

[Attached screenshots not preserved in this copy: Capture99.JPG, Capture11.JPG]

and:

fw ctl zdebug + all |grep -A 1 "Monitor" | grep "192.168"

WAN:i0 (tcpt inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i1 (vpn multik forward in)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i2 (vpn decrypt)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i3 (l2tp inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i4 (Stateless verifications (in))[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i5 (fw multik misc proto forwarding)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i6 (fw early SIP NAT)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i7 (vpn tagging inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i8 (vpn decrypt verify)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i9 (fw VM inbound )[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I10 (vpn policy inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I11 (vpn before offload)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I12 (fw offload inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;

I am really after ideas on how I can further debug this issue, please. I have an access rule which allows 192.168.236.100 on any TCP port to 10.110.116.20.

Any help, hints or pointers would be greatly appreciated.

Regards

Dek

0 Kudos
6 Replies
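The chain trace above can be read mechanically: each "Monitor" record names the interface, the chain position (the letters follow the fw monitor convention: i = inbound before the firewall VM, I = inbound after it, o = outbound before, O = outbound after), the chain module, and the IP id of the packet. A packet that has been forwarded should show up again on the internal interface in an o/O chain with the same id. The following Python script is an added example, not code from the post or from Check Point: it parses records of this format, groups them by packet, and reports packets that passed "vpn decrypt" but never entered an outbound chain. The sample input embeds the trace from the post for id 53997 plus a constructed, hypothetical second packet (id 53998, with an invented "LAN1" interface and outbound module names) so that the contrast between a stranded and a forwarded packet is visible.

```python
import re
from collections import defaultdict

# Constructed sample: the poster's inbound-only trace for id=53997, followed by
# a hypothetical packet id=53998 that also appears in an outbound chain on the
# internal interface. The LAN1 lines and their module names are invented for
# illustration and are not taken from the post.
SAMPLE = """\
WAN:i0 (tcpt inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i1 (vpn multik forward in)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i2 (vpn decrypt)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i3 (l2tp inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i4 (Stateless verifications (in))[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i5 (fw multik misc proto forwarding)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i6 (fw early SIP NAT)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i7 (vpn tagging inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i8 (vpn decrypt verify)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i9 (fw VM inbound )[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I10 (vpn policy inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I11 (vpn before offload)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:I12 (fw offload inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
WAN:i0 (tcpt inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53998;
WAN:i2 (vpn decrypt)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53998;
WAN:I12 (fw offload inbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53998;
LAN1:o0 (hypothetical outbound module)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53998;
LAN1:O3 (fw VM outbound)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53998;
"""

# One record looks like:
#   WAN:i2 (vpn decrypt)[60]:192.168.236.100 -> 10.110.116.20 (TCP) len=60 id=53997;
# Module names can contain their own parentheses ("Stateless verifications (in)"),
# so the module group is non-greedy and is terminated by the ")[" that precedes
# the capture length.
CHAIN_RE = re.compile(
    r"^(?P<iface>[^:\s]+):(?P<pos>[iIoO])(?P<idx>\d+) "
    r"\((?P<module>.*?)\)\[(?P<caplen>\d+)\]:"
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<proto>\w+)\) "
    r"len=(?P<len>\d+) id=(?P<id>\d+);"
)

# Chain position letters, per the fw monitor convention.
POSITION_MEANING = {
    "i": "inbound, before the firewall VM",
    "I": "inbound, after the firewall VM",
    "o": "outbound, before the firewall VM",
    "O": "outbound, after the firewall VM",
}


def parse_chain_line(line):
    """Parse one chain record into a dict; return None for lines that are not records."""
    m = CHAIN_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("idx", "caplen", "len", "id"):
        rec[key] = int(rec[key])
    rec["module"] = rec["module"].strip()  # e.g. "fw VM inbound " has a trailing space
    return rec


def trace_packets(text):
    """Group records by (src, dst, IP id), preserving the order in which they appeared."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_chain_line(line)
        if rec:
            flows[(rec["src"], rec["dst"], rec["id"])].append(rec)
    return dict(flows)


def summarize(flows):
    """For each packet: where its trace ended, and whether it ever reached an outbound chain."""
    summary = {}
    for key, recs in flows.items():
        last = recs[-1]
        positions = {r["pos"] for r in recs}
        summary[key] = {
            "last_stage": f'{last["iface"]}:{last["pos"]}{last["idx"]} ({last["module"]})',
            "last_stage_meaning": POSITION_MEANING[last["pos"]],
            "decrypted": any(r["module"] == "vpn decrypt" for r in recs),
            "reached_outbound": bool(positions & {"o", "O"}),
        }
    return summary


def stranded_packets(text):
    """IP ids of packets that were decrypted but never entered an outbound chain."""
    return sorted(
        pid
        for (_, _, pid), s in summarize(trace_packets(text)).items()
        if s["decrypted"] and not s["reached_outbound"]
    )


if __name__ == "__main__":
    for key, s in summarize(trace_packets(SAMPLE)).items():
        print(key, s)
    print("stranded:", stranded_packets(SAMPLE))
```

Run against the trace in the post, the script reports id 53997 as last seen at `WAN:I12 (fw offload inbound)` and never in an outbound chain, which is exactly the symptom described: decryption succeeds, but nothing is handed to the outbound chain on the internal interface. That narrows the next step to whatever happens after the inbound offload stage; collecting `fw ctl zdebug + drop` output for the same source and destination at the same time is the usual way to see whether the packet is being dropped there and with which reason.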