This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
vanhieuptit4
Explorer
‎2025-05-17 11:47 PM
Jump to solution

Why is my BGP (TCP 179) traffic getting blocked by Check Point when set up vpn to AWS

Hi all,

I’ve successfully established a VTI-based VPN tunnel between my Check Point firewall and AWS. Phase1 up, phase2 down beacause  rule block for connect ip 169.254.x.11 (AWS point) --> 169.254.x.10 (Onprem point) service bgp tcp/179. I’m seeing logs that say:

"According to the policy the packet should not have been decrypted" 

I have already:

  • Set VPN domains to 0.0.0.0/0 (Empty Group) on both ends.

  • Enabled "VPN Directional Match in VPN Column" and configured the VPN column accordingly. "Choose "Add" to add directional match rules as follows:
    a. internal_clear --> vpn-02f8b875e8179c57b
    b. vpn-02f8b875e8179c57b --> vpn-02f8b875e8179c57b
    c. vpn-02f8b875e8179c57b --> internal_clear"

  • Created rules to allow communication between AWS and on-prem subnets.

Still, the traffic for BGP (port 179) seems to get blocked — and the log shows it's being dropped on the external interface (eth0), not on the VTI interface (vpnt1). I suspect the stealth rule might be affecting this traffic.

Thanks in advance for any help!

0 Kudos
1 Solution

Accepted Solutions
emmap
Employee
Employee
‎2025-05-19 08:22 PM
Jump to solution

I believe 'should not have been decrypted' means that it came in encrypted, the gateway decrypted it to see what was inside, then thinks 'hey this should have been sent in the clear'. BGP in this case should be encrypted, so don't exclude it from the tunnel.

Have you checked this: https://support.checkpoint.com/results/sk/sk106627

View solution in original post

9 Replies
_Val_
Admin
Admin
‎2025-05-19 12:25 AM
Jump to solution

According to your VPN settings, all traffic between the GWs should be encrypted, yet BGP is sent in clear text. You may want to tackle this by excluding BGP form the VPN and reinstalling policy

vanhieuptit4
Explorer
‎2025-05-19 02:45 PM
In response to _Val_
Jump to solution

Hi,

Thanks for the suggestions. I’ve followed the recommendation to exclude BGP (TCP 179) from the VPN community and reinstalled policy, but I still see the same log:

"According to the policy the packet should not have been decrypted"

The traffic is still being dropped,

I added TCP 179 (BGP) under “Excluded Services” in the VPN community and pushed policy.

I allowd bgp in policy rule.

I see traffic BGP going out interface vpnt1, but traffic arrive to interface eth0, 

0 Kudos
the_rock
Legend
Legend
‎2025-05-19 05:15 PM
In response to vanhieuptit4
Jump to solution

K, one sec...now that I think about it, seems as if BGP range should be in vpn domain, since it should be encrypted, according to the message. 

Technically, CP domain does not need to be empty group, only AWS one.

Maybe change that and test.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-05-19 01:24 PM
Jump to solution

Apart from great point @_Val_  made, which tells you that packet should have been encrypted, you can also try zdebug and see if same failure occurs.

Andy

0 Kudos
the_rock
Legend
Legend
‎2025-05-19 05:31 PM
Jump to solution

Also, if you think stealth rule might be the culprit, just try disable it temporarily and test. FWIW, I always found BGP works way better when using unnumbered VTIs.

Andy

0 Kudos
emmap
Employee
Employee
‎2025-05-19 08:22 PM
Jump to solution

I believe 'should not have been decrypted' means that it came in encrypted, the gateway decrypted it to see what was inside, then thinks 'hey this should have been sent in the clear'. BGP in this case should be encrypted, so don't exclude it from the tunnel.

Have you checked this: https://support.checkpoint.com/results/sk/sk106627

the_rock
Legend
Legend
‎2025-05-19 08:25 PM
In response to emmap
Jump to solution

That was my thinking as well.

0 Kudos
vanhieuptit4
Explorer
‎2025-05-20 12:29 AM
In response to emmap
Jump to solution

Yes, It's work when set vpnt1 to peer name

Thanks for solution

the_rock
Legend
Legend
‎2025-05-20 05:06 AM
In response to vanhieuptit4
Jump to solution

I assumed you had that already. Glad you got it now!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events