Traffic from Gateway to Internet dropped (clear text packet should be encrypted)
Hi,
Customer has a VTI VPN between office Check Point and Data Centre Check Point and there is connectivity between the 2 sites.
Internet access is via DC Check Point.
Traffic from office Check Point (e.g. DNS to 8.8.8.8) is dropped on DC Check Point due to "clear text packet should be encrypted".
I can't see why the DC gateway expects this to be encrypted - no overlapping encryption domains, etc.
As expected the tunnel test traffic is encrypted/decrypted between the 2.
Any ideas?
Accepted Solutions
Hi,
I applied sk25675 (NON_VPN_Traffic rules), added the peer IP and it resolved the issue.
Clear-text connections from the peer to the Internet were allowed.
We need some more information including:
- Version/JHF of gateways
- Encryption Domain configuration on both sites
The Office gateway didn't think it needed to encrypt the traffic to the remote gateway.
Hi
Office: SMB 1600 R81.10
Main DC: R81.10 JHF take 55
Both gateways have an empty group as the encryption domain, as the VPN is route based.
It's correct that the office SMB doesn't encrypt, as this traffic is not routed down the VPN.
You said in your original post that all traffic from the office site is routed over VPN to the DC site.
That would imply all traffic to the Internet would be routed to the DC site, including DNS lookups.
Because of the empty encryption domain, it seems reasonable for the DC gateway to assume everything that comes from the specific remote gateway SHOULD be encrypted.
Thus, the error message.
A simple network diagram might be helpful to understand where traffic is supposed to be going.
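The reasoning in this reply (a peer with an empty encryption domain is assumed to send everything inside the tunnel, so its clear-text packets hit "clear text packet should be encrypted"), together with the sk25675 NON_VPN_TRAFFIC exception from the accepted solution above, as an added Python model. This is example code written for this page, not Check Point's implementation and not anything the posters ran. It assumes the exception can be represented as a set of peer IPs, uses the addresses from the thread's description of the diagram (office gateway 10.0.0.9, DC gateway 10.0.0.12, office LAN 192.168.3.0/24, DC LAN 10.1.1.0/24), and the log records it triages are constructed in a simplified key=value layout rather than the real log format:

```python
"""Model of the DC gateway's decision for clear-text traffic from a VPN peer.

Constructed for illustration; a simplified model of the thread's explanation,
not Check Point's actual VPN inspection logic.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

CLEAR_TEXT_DROP = "clear text packet should be encrypted"


@dataclass
class Peer:
    """A VPN peer gateway as seen from the DC gateway (constructed values)."""
    name: str
    external_ip: str
    encryption_domain: list          # empty for a route-based (VTI) VPN


@dataclass
class DcGateway:
    name: str
    external_ip: str
    encryption_domain: list
    peers: dict
    # sk25675 exception list, modelled here as a set of peer IPs (assumption)
    non_vpn_traffic_peers: set = field(default_factory=set)


def _in_any(addr, prefixes):
    ip = ip_address(addr)
    return any(ip in ip_network(p) for p in prefixes)


def inspect_inbound(gw, src, dst, encrypted):
    """Verdict for one packet arriving at the DC gateway: ('accept'|'drop', reason)."""
    if encrypted:
        return ("accept", "ESP from a known peer, decrypted via the VTI")
    for peer in gw.peers.values():
        from_peer_gateway = src == peer.external_ip
        from_peer_domain = _in_any(src, peer.encryption_domain)
        if not (from_peer_gateway or from_peer_domain):
            continue
        if from_peer_gateway and peer.external_ip in gw.non_vpn_traffic_peers:
            return ("accept", f"clear text from {peer.name} allowed by NON_VPN_TRAFFIC exception")
        if from_peer_domain and _in_any(dst, gw.encryption_domain):
            return ("drop", CLEAR_TEXT_DROP)
        if from_peer_gateway:
            # Empty encryption domain: the gateway assumes everything the peer
            # sends should have arrived inside the tunnel.
            return ("drop", CLEAR_TEXT_DROP)
    return ("accept", "not VPN related; ordinary rulebase applies")


def build_dc(with_fix):
    """DC gateway from the thread's topology, with or without the sk25675 exception."""
    office = Peer("office-smb", "10.0.0.9", [])
    dc = DcGateway("dc-gw", "10.0.0.12", [], {"office-smb": office})
    if with_fix:
        dc.non_vpn_traffic_peers.add("10.0.0.9")
    return dc


# (src, dst, encrypted) packets constructed from the thread's topology.
SAMPLE_PACKETS = [
    ("192.168.3.10", "10.1.1.20", True),   # office LAN to DC LAN, inside the VTI
    ("10.0.0.9", "8.8.8.8", False),        # office gateway's own DNS lookup, outside the VTI
    ("203.0.113.5", "10.0.0.12", False),   # unrelated Internet host
]


def run(with_fix):
    gw = build_dc(with_fix)
    return [inspect_inbound(gw, s, d, e)[0] for s, d, e in SAMPLE_PACKETS]


# Constructed, simplified key=value records (not the real Check Point log format).
SAMPLE_LOGS = [
    'time=10:01:02 action=Drop src=10.0.0.9 dst=8.8.8.8 service=53 reason="clear text packet should be encrypted"',
    'time=10:01:03 action=Accept src=192.168.3.10 dst=10.1.1.20 service=445 vpn=decrypt',
    'time=10:01:05 action=Drop src=10.0.0.9 dst=1.1.1.1 service=53 reason="clear text packet should be encrypted"',
    'time=10:01:09 action=Drop src=203.0.113.5 dst=10.0.0.12 service=22 reason="rulebase"',
]


def clear_text_drop_sources(lines):
    """Count drops with this reason per source IP: the candidates for the exception list."""
    counts = {}
    for line in lines:
        if "action=Drop" in line and CLEAR_TEXT_DROP in line:
            m = re.search(r"\bsrc=(\S+)", line)
            if m:
                counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    print("without exception:", run(False))
    print("with sk25675 exception:", run(True))
    print("sources hitting the drop:", clear_text_drop_sources(SAMPLE_LOGS))
```

Running it shows the office gateway's own DNS lookup dropped until its IP is in the exception set, while tunnelled LAN-to-LAN traffic and unrelated Internet traffic are unaffected; the log triage narrows the exception to the one peer that actually produces the drop, rather than opening clear text from every peer.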
Hi, apologies.
I have attached a simple diagram.
Only traffic between office 192.168.3.0/24 and DC 10.1.1.0/24 is routed over the VTI.
Traffic from office 10.0.0.9 to Internet is dropped by DC 10.0.0.12.
Hey @Mark_Edwards,
I think maybe an fw monitor capture would help us here, so we can see if the traffic even takes the right path. So let's assume src is 1.1.1.1 and dst is 2.2.2.2 and dst port is 3389; as we don't care about the src port, you could do something like below (-o to output to a file):
fw monitor -F "srcip,srcport,dstip,dstport,protocol" -F "srcip,srcport,dstip,dstport,protocol"
fw monitor -F "1.1.1.1,0,2.2.2.2,3389,0" -F "2.2.2.2,3389,1.1.1.1,0,0" -o /var/log/vpncapture.pcap
Once you open the file in Wireshark, you can filter for fw direction -> fw1.direction eq "i"
or whatever inspection point you want to see
Andy