Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
NilsKS
Contributor
Jump to solution

VPN problems - Clear text packet should be encrypted

Hi,

Check Point R81.10 appliance. Cisco ASA 5506 peer.

I am trying to get IPSec policy-based VPN up and running on a field installation.The VPN connection was working fine for several years, until the remote end changed to Oneweb satellite provider and our Cisco ASA was moved from a public IP to a 192.168 private address on their network. T

When trying to establish the VPN connection, I get a 'Clear text packet should be encrypted' from their Oneweb gateway IP in our firewall for UDP/4500, and the packet is dropped.

I have configured user.def & crypt.def on our management server according to https://support.checkpoint.com/results/sk/sk108600, but this did not help... NAT-T is enabled on out firewall.

The IP address of the remote is x.x.x.0. Could the zero IP-address cause problems with a Check Point firewall?

Best,

Nils

 

0 Kudos
1 Solution

Accepted Solutions
NilsKS
Contributor

Found the solution!

UDP4500 IKE_NAT_TRAVERSAL had to be added to 'Excluded Services' for the VPN community...

NilsKS_0-1700205315371.png

 

A big thanks to all that took time to help!!

Best,

Nils

 

View solution in original post

0 Kudos
21 Replies
Bob_Zimmerman
Authority
Authority

That message means the firewall received a packet from a source address in some peer's encryption domain to a destination address in its own encryption domain. You need to figure out which address shouldn't be in which encryption domain and remove it.

0 Kudos
NilsKS
Contributor

The encryption domains is as they were when we had a public IP on the ASA and a operational VPN.

Double checked and the encryption domains are OK and configured like all the other VPN field connections we have.

Best,

Nils

0 Kudos
Bob_Zimmerman
Authority
Authority

That message is always an encryption domain issue.

What is the interoperable device's IPSec VPN > Link Selection set to?

0 Kudos
the_rock
Legend
Legend

You are 100% correct, but maybe not so obvious on their end until someone does the remote session to verify. @NilsKS , did you work with TAC as of yet or no?

Regards,

Andy

0 Kudos
NilsKS
Contributor

No, I have not worked with TAC. I have contacted our Check Point vendor, but they have not come up with a solution.

Best,

Nils

0 Kudos
NilsKS
Contributor

Hi,

Link Selection: Always use this IP address: Main address.

Best,

 

Nils

 

0 Kudos
Bob_Zimmerman
Authority
Authority

And which one is the main IP address?

You should probably use the private address as the main IP address on the object, set Link Selection to use a statically NATed address, and specify the public address there.

0 Kudos
NilsKS
Contributor

IP for ASA external interface is 192.168.200.10.
I have tried to set this as the IP for the interoperable object and configured the IP on the modem via Link Selection > Always use this IP address > Statically NATed IP, but this did not work. I do not see any traffic from either of these IP-addresses in the logs.

 

Best,

Nils

0 Kudos
the_rock
Legend
Legend

What do they see on Cisco side? Here is simple debug guy I used to work with few years ago gave me (he worked for Cisco TAC in India)

Regards,

Andy

 

debug vpn:

debug crypto condition peer x.x.x.x

debug crypto ikev1 200 (or v2, whichever is used)

debug crypto ipsec 200

to cancel all debugs-> undebug all

0 Kudos
NilsKS
Contributor

Hi,

Finally got access to the ASA again...

Output from debug commands that produced output attached.

Best,

Nils

0 Kudos
the_rock
Legend
Legend

If I remember right, crypto map on Cisco refers to phase 2 and debug shows it all matching, so logically, seems like something on CP is no "agreeing" with Cisco side.

Can you verify 100% that vpn domain on CP side indeed includes eveything thats supposed to go through the tunnel? I mean, everything needed behind the CP firewall.

Andy

0 Kudos
NilsKS
Contributor

Hi!

Thanks for still being in the loop on this one! Much appreciated!

The VPN domain for the center gateway (Check Point) is the same as for our 10+ other VPN installations using Cisco ASA. It contains all the networks defined on the enc. domain on the ASA.

The VPN domain for the satellite gateway (the ASA) is the internal 172.22.154.128/27 network on the ASA.

I am not able to find any anomalies with this.

Best,

Nils

0 Kudos
NilsKS
Contributor

Found the solution!

UDP4500 IKE_NAT_TRAVERSAL had to be added to 'Excluded Services' for the VPN community...

NilsKS_0-1700205315371.png

 

A big thanks to all that took time to help!!

Best,

Nils

 

0 Kudos
the_rock
Legend
Legend

Glad its fixed, but I find it odd that was the solution. I had never seen a scenario where that needed to be done.

VikingsFan
Collaborator

Older thread but just recently ran into this.  I'm curious but by chance do you have Implied rules disabled on your gateway?  We have implied rules disabled and found that by default, implied rules are not encrypted but since we don't have them on we had to manually add to the Excluded Services like you did.

0 Kudos
the_rock
Legend
Legend

I see what Bob is saying, as that message would always imply an issue with enc. domain, since it specifically means that packet that came in clear should have been encrypted, meaning go through the VPN tunnel.

If you do fw monitor for that IP, what do you see? If last insp. point (O) shows, that means its NOT being encrypted.

Also, just on a side note, if natting through VPN is taking place, ensure that nat is enabled inside VPM community (advanced tab I believe)

Cheers,

Andy

0 Kudos
NilsKS
Contributor

Hi,

 

NAT is enabled within the community.

 

ONEWEB=ISP PUBLIC IP
CHECKPOINT=CHECK POINT PUBLIC IP


# fw monitor -F "$ONEWEB,0,$CHECKPOINT,0,0" -F "$CHECKPOINT,0,$ONEWEB,0,0"
...
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=39737
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=39752
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=19902
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=19902
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:id[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=27692
UDP: 4500 -> 4500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=27692
UDP: 4500 -> 4500
create_one_data: no packets left to merge, but 84 bytes left in buffer!
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=39772
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:id[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=7485
UDP: 4500 -> 4500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=7485
UDP: 4500 -> 4500
create_one_data: no packets left to merge, but 168 bytes left in buffer!
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=41057
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=41066
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=28322
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=28322
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:id[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=2851
UDP: 4500 -> 4500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=2851
UDP: 4500 -> 4500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=42857
UDP: 500 -> 500
create_one_data: no packets left to merge, but 84 bytes left in buffer!
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=21689
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=21689
UDP: 500 -> 500
create_one_data: no packets left to merge, but 168 bytes left in buffer!
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=44621
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=44628
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=31060
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=31060
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=13765
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=13765
UDP: 500 -> 500
create_one_data: no packets left to merge, but 420 bytes left in buffer!
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=45293
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=45301
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=6269
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=6269
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=352 id=17475
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=352 id=17475
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=156 id=45323
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=23191
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=23191
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=332 id=8697
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=332 id=8697
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=45443
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:id[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=6628
UDP: 4500 -> 4500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=6628
UDP: 4500 -> 4500
create_one_data: no packets left to merge, but 84 bytes left in buffer!
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=46179
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:id[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=12098
UDP: 4500 -> 4500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=12098
UDP: 4500 -> 4500
create_one_data: no packets left to merge, but 84 bytes left in buffer!
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=46199
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=13925
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=13925
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=46209
UDP: 500 -> 500
create_one_data: no packets left to merge, but 84 bytes left in buffer!
[vs_0][ppak_0] bond0.901:id[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=13308
UDP: 4500 -> 4500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=13308
UDP: 4500 -> 4500
create_one_data: no packets left to merge, but 84 bytes left in buffer!
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=47113
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:id[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=6325
UDP: 4500 -> 4500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=6325
UDP: 4500 -> 4500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=47764
UDP: 500 -> 500
create_one_data: no packets left to merge, but 84 bytes left in buffer!
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=8267
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=8267
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=48022
UDP: 500 -> 500
create_one_data: no packets left to merge, but 84 bytes left in buffer!
[vs_0][ppak_0] bond0.901:id[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=18576
UDP: 4500 -> 4500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=124 id=18576
UDP: 4500 -> 4500
create_one_data: no packets left to merge, but 84 bytes left in buffer!
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=48962
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=10778
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=10778
UDP: 500 -> 500
create_one_data: no packets left to merge, but 84 bytes left in buffer!
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=50122
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=3817
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=3817
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=50275
UDP: 500 -> 500
create_one_data: no packets left to merge, but 252 bytes left in buffer!
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=19307
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=96 id=19307
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=352 id=24226
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=352 id=24226
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=156 id=50371
UDP: 500 -> 500
[vs_0][ppak_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=332 id=31644
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:i[44]: ONEWEB -> CHECKPOINT (UDP) len=332 id=31644
UDP: 500 -> 500
[vs_0][fw_0] bond0.901:O[44]: CHECKPOINT -> ONEWEB (UDP) len=260 id=50382
UDP: 500 -> 500
^C monitor: caught sig 2

Thanks!

 

Best,

 

Nils

 

0 Kudos
_Val_
Admin
Admin

The filtering is wrong. You are looking to GW to GW IKE/IPsec traffic with this filter. In fact, you want to see the traffic which is cleartext while should be encrypted. Use the IP address from the drop VPN log to filter

 

0 Kudos
NilsKS
Contributor

Hi,

 

This is the traffic being blocked...

 

 

Id: 0affff37-b5bb-e31d-6553-31c035650000
Marker: @A@@B@1699916401@C@8872156
Log Server Origin: x.x.x.x
Time: 2023-11-14T08:37:20Z
Interface Direction: inbound
Interface Name: bond0.901
Id Generated By Indexer:false
First: true
Sequencenum: 16
Log ID: 404822
Source: ONEWEB
Source Port: 4500
Destination: CHECKPOINT
Destination Port: 4500
IP Protocol: 17
Scheme: NA
Methods: ESP: AES-256 + SHA256
Encryption Failure: Clear text packet should be encrypted
VPN Feature: VPN
Action: Drop
Type: Connection
Policy Name: xxx
Policy Management: yyy
Db Tag: {9229EFFB-8C2B-F84A-B1B0-FAF838AF6345}
Policy Date: 2023-11-14T06:58:28Z
Blade: VPN
Origin: CHECKPOINT
Service: UDP/4500
Product Family: Access
Logid: 1
Interface: bond0.901
Description:

0 Kudos
the_rock
Legend
Legend

What does it show in vpnd.elg when you filter for peer's external IP?

Andy

0 Kudos
NilsKS
Contributor

On the firewall module:

grep $ONEWEBIP $FWDIR/log/vpnd.elg*

Nothing...

Best,

Nils

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events