Are you referring to this location?  The server that we're having issues with is NOT in the group that's under the VPN Domain section.  My idea was to clone this group and add the server to it and test.  Just wanted to run the idea by first if that seems to be the issue.

Thanks Bob.  Sounds like my thinking of adding the server IP to my CheckPoint encryption domain is the way to go.  Just to confirm:

1. There's no issue having multiple groups to be used as encryption domains?  Our JAMF can have it's own group and the remaining VPN communities can have our default?

2. Does it matter if I use the NAT or real IP?  Same result?

1) Thats right, no issue there.

2) Just to be on the safe side, if there is NAT involved, I would include both real IP and natted one into enc domain and make sure below is NOT checked within VPN community

Andy

Hmmm.  we DO have the disable NAT checked.  I assumed that we would want that checked as we don't want the remote IP subnet hiding behind the firewall IP.  For example, if the JAMF mobile subnet is 10.250.250.0/24 and our local network is 192.168.0.0/16, we don't want their IPs hiding when we get logs, etc.  Unless I'm misunderstanding the use of that checkbox.

Thanks!

Ok, so with that option checked, it simply means you would NOT be doing any natting inside community itself.

Andy

Thank you.  We chose the subnet on the other side so it doesn't conflict with any subnet on our side and traffic would route like any other IP subnet on our network.  We also wanted to be able to build rules against the 10.250.250.0/24 network and see the IPs hitting internal servers without being behind a NAT.  Hopefully that makes sense and is what we're accomplishing.

So, as @Bob_Zimmerman said, if you think about it, error you are getting "packet should NOT have been decrypted", what its really telling you is that packet SHOULD have been encrypted. That, without any doubt, ALWAYS points to quick mode negotiation, phase 2.

So, here is what I would quickly do on CP firewall and dont worry, this does not pose any cpu/memory problems, its very light debug.

By the way, what @PhoneBoy asked is JAMF enc domain, as it refers to remote server, local vpn subnets go in your cp gateway's enc domain, remote jamf ones go into their enc domain...makes sense?

Now, onto debugs.

From expert mode ->

vpn debug trunc

vpn debug ikeon

-generate some traffic for 1-2 mins

vpn debug ikeoff

Get ike.elg and vpnd.elg files from $FWDIR/log dir

examine and look for the IP you tested

Just to be sure, turn off debugs completely

fw ctl debug -x

fw ctl debug 0

Hope that helps and plese attach both files and IP you tested, can also have a look. Im jumping on a call with a colleague soon for Palo Alto, but can check regardless.

Cheers,

Andy

Good job!

Just remember CP fw enc domain should contain ONLY local subnets/hosts behind your fw and remote side would contain their subnets/hosts, thats it.

Andy

Thanks Andy.  The JAMF side seems a little different but for their encryption domain you pick the /24 subnet that you want to run with and then they have a 'customer side' section of the tunnel and they say to just leave it at 0.0.0.0/0 and then locking it down with rules.  Sounds like what you described.

For the encryption domain, in this example JAMF, would you typically just have ALL local subnets that the firewall is connected to or only include the subnets/servers that you know the JAMF users would be connecting to.  Not sure what would be considered best practice.

It depends on other VPN sites, but typically you just include local ones that users would connect to. You can change it here.

Andy

Thank you.  Yep, that's exactly where I changed the new JAMF VPN Community.  Prior to this, there was just one generic encryption group being used.  I now have the generic still tied to all other VPN communities and then a new group just for JAMF.  It is just a clone of the generic one + the new server I was having issues with but I was thinking of pruning it down to just the handful of subnets that the users would talk to since currently there are 40-50 subnets in the list.

Thanks again.

Again, you do NOT change remote sites enc domain here, ONLY local CP enc domain, depending on the remote community. Here, just to give you an example. Say you have 6 vpn tunnels, 2 with Cisco and 2 with Palo Alto and ok, say 2 with Fortigate, lets not leave out all major vendors : - )

So with Cisco, you ONLY want to advertise 10.10.10.0/24, with PAN 192.168.0.0/16 and with Fortigate 192.168.50.0.24, that should be reflected with proper groups in that screenshot I sent.

Makes sense?

For remote side, you define it below (in interoperable object settings) and thats ONLY local to other side, NOT Check Point

Andy

Pretty sure we're on the same page. 🙂  See screenshots below of the current setup.  I have the new group for the local encryption domain. and the remote side is the JAMF_IPSEC_NET which is a /24 of our choosing on the JAMF side.

Showing the new local group for the vpn domain which has all the local FW subnets and problem server I couldn't connect to. On the bottom is the JAMF side and the /24 we created on the webpage in JAMF.Shows the JAMF IP endpoint and the /24 we created.On the JAMF side we pick the subnet we want for the local network. Remote side is 0.0.0.0/0

Ok, maybe name Jamf_encryption_domain confused me lol. Just to make sure, even though thats the name, thats your LOCAL subnet(s) behind CP firewall?

Andy

Possibly a misuse of our naming but the old group that was used for the cluster for the VPN Domain was called ENCRYPTION_GRP so I continued the name.

The 'JAMF_ENCRYPTION_DOMAIN' includes most of our internal subnets and servers but was missing the subnet of the server I was trying to reach initially and the reason for the initial post.  So I didn't mess with any production items, I copied the cluster VPN Domain group and made it the JAMF_ENCRYPTION_GRP and just added an additional two IPs (the real and NAT) of the server I was having issues with.

Alright...NOW we are on the same page : - )

Cheers,

Andy