This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
johnnyringo
Advisor
‎2020-06-18 04:13 PM
Jump to solution

"Decrypted in community" vs "Traffic Accepted"

I've brought up two site-to-site IPSec VPNs between a Cisco IOS router and two different CheckPoint R80.30 gateway clusters in GCP.   The tunnels are route-based, and both showing up/up on the Cisco end with valid 0.0.0.0/0 SAs generated.  However, while the first VPN is passing traffic just fine, the second is not.  I see the traffic leaving the Cisco going over the tunnel interface but never making it to be server behind the checkpoint.

 

On the working tunnel, the CheckPoint logs show the VPN -> Decrypt with "Decrypted in community" and the name of the VPN community in the message.  

On the non-working tunnel, CheckPoint logs show Firewall -> Accept.  Almost as if the traffic never went through a VPN.

 

I've double-checked settings both on the Gateway and also the VPN Communities - they look the same.  I've also verified VPN domains on the gateways and they look correct.  What could explain this difference?  

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-06-19 04:36 PM
In response to johnnyringo
Jump to solution

Ok, so the traffic is getting to the gateway, clearly, but it's most likely getting dropped.
What does fw ctl zdebug drop say?

View solution in original post

johnnyringo
Advisor
‎2020-06-19 06:02 PM
In response to PhoneBoy
Jump to solution

Now that's useful...

@;2147206;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 192.168.1.19:33860 -> 10.22.33.44:80 dropped by fw_first_packet_xlation Reason: Dynamic object is already being resolved;

Due to how routing works inside GCP and some dependencies beyond our control, this flow is NAT'd to the gateway's first internal network (3rd NIC) using a dynamic object, which had not been created on this particular gateway.  

I created the dynamic object and traffic is flowing now.  In SmartConsole, I see "Decrypted in Community" which is expected with VPN traffic.

 

View solution in original post

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2020-06-18 08:24 PM
Jump to solution

Did you verify the traffic actually came over a VPN (like with a tcpdump or similar)?

Accept in this context implies "not encrypted."

0 Kudos
johnnyringo
Advisor
‎2020-06-18 08:39 PM
In response to PhoneBoy
Jump to solution

On the other side (Cisco ISR), I can see the packets being sent over the tunnel interface and the "pkts encaps" in the IPSec SA incrementing.  

On the CheckPoint, if I do a tcpdump on eth0 (external/internet interface) I see activity.  But on eth2 (Internal interface) I see nothing.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-06-19 02:04 PM
In response to johnnyringo
Jump to solution

You need to more precisely describe "activity" here.
0 Kudos
johnnyringo
Advisor
‎2020-06-19 02:51 PM
In response to PhoneBoy
Jump to solution

"activity" meaning udp/4500 traffic on the CheckPoint's external interface.  A simple ping going over the tunnel shows up like this:


[Expert@gcp-checkpoint-member-a:0]# tcpdump -i eth0 -n port not 80 and port not 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:44:49.376705 IP 203.0.113.251.ipsec-nat-t > 172.16.2.26.ipsec-nat-t: UDP-encap: ESP(spi=0xcd7c75b7,seq=0x12b), length 132
21:44:50.410255 IP 203.0.113.251.ipsec-nat-t > 172.16.2.26.ipsec-nat-t: UDP-encap: ESP(spi=0xcd7c75b7,seq=0x12c), length 132
21:44:51.449244 IP 203.0.113.251.ipsec-nat-t > 172.16.2.26.ipsec-nat-t: UDP-encap: ESP(spi=0xcd7c75b7,seq=0x12d), length 132

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-06-19 04:36 PM
In response to johnnyringo
Jump to solution

Ok, so the traffic is getting to the gateway, clearly, but it's most likely getting dropped.
What does fw ctl zdebug drop say?
johnnyringo
Advisor
‎2020-06-19 06:02 PM
In response to PhoneBoy
Jump to solution

Now that's useful...

@;2147206;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 192.168.1.19:33860 -> 10.22.33.44:80 dropped by fw_first_packet_xlation Reason: Dynamic object is already being resolved;

Due to how routing works inside GCP and some dependencies beyond our control, this flow is NAT'd to the gateway's first internal network (3rd NIC) using a dynamic object, which had not been created on this particular gateway.  

I created the dynamic object and traffic is flowing now.  In SmartConsole, I see "Decrypted in Community" which is expected with VPN traffic.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-06-19 09:02 PM
In response to johnnyringo
Jump to solution

Nice, glad you found the issue.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events