MladenAntesevic
Collaborator

VPN is UP, but the VPN traffic is sent in clear although the traffic matches all community criteria

Hello all,

I have a strange issue with my S2S VPN between my R80.40 3600 cluster and a Cisco ASA device. The tunnel is established and I see encrypted traffic coming from the remote end, but the traffic sent the opposite way, from the Check Point to the ASA, is sent as clear text. I am positive that my traffic matches all community criteria.

I am doing manual hide NAT for outgoing traffic from the Check Point to the ASA. Here are the details about the relevant networks:

My office LAN networks are source NATed to 172.21.230.5 (hide NAT)

Remote subnets are 192.168.15.25/32, 192.168.15.26/32 and 192.168.1.34/32

When I try to ping or telnet to the remote end 192.168.15.25, the traffic goes out unencrypted on my external interface.

[Expert@CP-2:0]# vpn tu tlist

+-----------------------------------------+-----------------------+---------------------+
| Peer: x.x.x.x - VPN_FZO_GW | MSA: 7fe3df728cd8 | i: 1 ref: 1 |
| Methods: ESP Tunnel PFS AES-256 SHA1 g..| | i: 2 ref: 2 |
| My TS: 172.21.230.0/28 | | |
| Peer TS: 192.168.15.25 | | |
| MSPI: 100001e (i: 2, p: 0) | Out SPI: 73a8ce4f | |
| Tunnel created: Dec 18 16:11:31 | | |
| Tunnel expiration: Dec 19 00:11:31 | | |
+-----------------------------------------+-----------------------+---------------------+

(2) Site-to-Site tunnels are up:
IPSEC 2
NAT-T 0

(0) Clients Are Connected:
NAT-T 0
Visitor Mode 0
SSL 0
L2TP 0


Accepted Solutions
Marcel_Gramalla
Advisor

If you do a NAT on your internal network for the VPN you have to include the original source in the encryption domain as well.

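The point of the accepted answer, as an added example that is not from the original thread: the gateway's VPN domain match is made on the original (pre-NAT) source, so an encryption domain that only contains the hide address never matches, and the flow leaves in clear. The script below models that decision and lints a hide-NAT configuration against the local encryption domain; the office LAN prefixes are assumptions (the post does not list them), the hide address, local TS and remote hosts are the ones quoted above.

```python
from ipaddress import ip_address, ip_network

# Constructed values modelled on the thread. The two office LAN prefixes are
# an assumption; the hide address, "My TS" and the remote /32s are quoted above.
OFFICE_LANS = ["10.10.1.0/24", "10.10.2.0/24"]        # assumed pre-NAT sources
HIDE_NAT_ADDRESS = "172.21.230.5"
LOCAL_DOMAIN_NAT_ONLY = ["172.21.230.0/28"]            # "My TS" in vpn tu tlist
PEER_DOMAIN = ["192.168.15.25/32", "192.168.15.26/32", "192.168.1.34/32"]


def in_domain(addr, domain):
    """True when addr falls inside any prefix of the given encryption domain."""
    ip = ip_address(addr)
    return any(ip in ip_network(p) for p in domain)


def flow_is_encrypted(original_src, dst, local_domain, peer_domain):
    """Model of the decision as the thread describes it: the local domain is
    checked against the ORIGINAL source, not the hide-NAT address."""
    return in_domain(original_src, local_domain) and in_domain(dst, peer_domain)


def missing_original_sources(nat_original_sources, local_domain):
    """Config lint: every hide-NAT original source that the local encryption
    domain does not fully cover (these flows would be sent in clear)."""
    domain = [ip_network(p) for p in local_domain]
    return [src for src in nat_original_sources
            if not any(ip_network(src).subnet_of(d) for d in domain)]


def fixed_domain(local_domain, nat_original_sources):
    """The fix from the accepted answer: add the original sources to the domain."""
    return list(local_domain) + missing_original_sources(nat_original_sources, local_domain)


if __name__ == "__main__":
    # Before the fix: LANs are missing and a LAN host to 192.168.15.25 goes in clear.
    print(missing_original_sources(OFFICE_LANS, LOCAL_DOMAIN_NAT_ONLY))
    print(flow_is_encrypted("10.10.1.20", "192.168.15.25", LOCAL_DOMAIN_NAT_ONLY, PEER_DOMAIN))
    # After the fix the same flow is encrypted.
    repaired = fixed_domain(LOCAL_DOMAIN_NAT_ONLY, OFFICE_LANS)
    print(flow_is_encrypted("10.10.1.20", "192.168.15.25", repaired, PEER_DOMAIN))
```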

3 Replies
G_W_Albrecht
Legend

Looks like it is treated as internal traffic on the screenshot! Which rule is matched and how is the encryption domain defined?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
MladenAntesevic
Collaborator

Thanks guys,

I have just included my original sources in the encryption domain for the VPN and the traffic is now correctly encrypted. Thanks for your help.
