AnsweredAssumed Answered

Remote VPN access to network behind 3rd party Gateway

Question asked by Ricardo Gros on Dec 14, 2018
Latest reply on Dec 17, 2018 by Dameon Welch-Abernathy

Hi, 

 

I have come upon this issue where a customer is trying to access a Network scope behind a tunnel that is terminating on a 3rd party device. 

 

So the topology is the following

 

Client VPN client with remote office IP 10.1.1.2 want´s to reach Server Behind Tunnel Terminating on 3rd party firewall with IP 192.168.2.2   

 

Checkpoint has route for 192.168.2.0/24 -> 3rd party device 

3rd Party device has route to 10.1.1.0/24 -> checkpoint

 

Network 192.168.2.0/24 is part of Enc Domain of Checkpoint for Remote VPN 

 

Problem is when the client tries to reach network packet is forwarded to server, return packet however is blocked by checkpoint with following error: 

 

Dropped by vpn_verify, reason : Clear packet on encrypted connection; 

 

I don´t understand the drop because the packet should be Clear text and only be encrypted by the checkpoint and decrypted by the client, I don´t see the difference between this and any other network access, I wondering if It has to do with the Topology since this network is not directly connected, however there is a route so it should be "known" in terms of topology.

 

After this I tried adding the Remote Office Pool to the Enc. Domain of the Gateway, however this simply changed the error output to:


No Decryption Message 

 

I think the second error is because now the Gateway thinks it needs to Decrypt and it´s clear text or something.. 



Outcomes