This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MladenAntesevic
Collaborator
‎2020-12-18 07:33 AM
Jump to solution

VPN is UP, but the VPN traffic is sent in clear although the traffic matches all community criteria

Hello all,

I have a strange issue with my S2S VPN between my R80.40 3600 cluster and Cisco ASA device. The tunnels is established and I see encrypted traffic coming from remote end, but the traffic sent in opposite way from the CheckPoint to ASA is sent as a clear text. I am positive that my traffic matches all community criteria.

I am doing Manual hide NAT for outgoing traffic from CheckPoint to ASA. Here are the details about relevant networks:

My office LAN networks are source NATed to 172.21.230.5 (hide NAT)

Remote subnets are 192.168.15.25/32 192.168.15.26/32 an 192.168.1.34/32

When I try ping or telnet to remote end 192.168.15.25, the traffic is going out as unencrypted on my external interface.

 

 

[Expert@CP-2:0]# vpn tu tlist

+-----------------------------------------+-----------------------+---------------------+
| Peer: x.x.x.x - VPN_FZO_GW | MSA: 7fe3df728cd8 | i: 1 ref: 1 |
| Methods: ESP Tunnel PFS AES-256 SHA1 g..| | i: 2 ref: 2 |
| My TS: 172.21.230.0/28 | | |
| Peer TS: 192.168.15.25 | | |
| MSPI: 100001e (i: 2, p: 0) | Out SPI: 73a8ce4f | |
| Tunnel created: Dec 18 16:11:31 | | |
| Tunnel expiration: Dec 19 00:11:31 | | |
+-----------------------------------------+-----------------------+---------------------+

(2) Site-to-Site tunnels are up:
IPSEC 2
NAT-T 0

(0) Clients Are Connected:
NAT-T 0
Visitor Mode 0
SSL 0
L2TP 0

 

Preview file
139 KB
0 Kudos
1 Solution

Accepted Solutions
Marcel_Gramalla
Advisor
‎2020-12-18 09:13 AM
In response to G_W_Albrecht
Jump to solution

If you do a NAT on your internal network for the VPN you have to include the original source in the encryption domain as well.

View solution in original post

3 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2020-12-18 07:51 AM
Jump to solution

Looks like it is treated internal traffic on screenshot ! Which rule is matched and how is the encryption domain defined ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Marcel_Gramalla
Advisor
‎2020-12-18 09:13 AM
In response to G_W_Albrecht
Jump to solution

If you do a NAT on your internal network for the VPN you have to include the original source in the encryption domain as well.

MladenAntesevic
Collaborator
‎2020-12-19 01:20 AM
Jump to solution

Thanks guys,

I just have included my original sources in the encryption domain for the VPN and the traffic is now correctly encrypted. Thanks for your help.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events