IPSec VPN between Checkpoint and Cisco ASA

Question asked by taib charkaoui on Jan 1, 2019
Latest reply on Jan 3, 2019 by taib charkaoui

Hi All,

I'm having a really tough time establishing inbound connectivity from a third-party Cisco ASA to my perimeter Check Point firewall. I am using R76 and not R80.

I have an existing VPN created that permits outbound access from my internal servers to a 3rd party server.

The source of the outbound traffic (FROM internal server to 3rd-party server) is hidden behind a single static NAT IP address. This access works.

My issue is establishing traffic inbound (FROM 3rd-party server to local internal server).

Traffic from the 3rd party is destined for a hide address that I translate to the real IP address of my internal server.

I can see the VPN attempt to establish and then get an error: "encryption Fail Reason: Received a cleartext packet within an encrypted connection".

I've done the usual troubleshooting, and this error usually means that the encryption domains on either side do not match; however, from what I can see, they do.

Under the topology section of the gateway I have the VPN domains manually defined, including all the subnets that will be permitted to go through the VPN from my side, including the NAT addresses.

And under the VPN settings for the destination I have the subnet of the destination 3rd-party servers.

Is there something I am missing? Below are the things I've tried:

  • Checked encryption domains on both sides; they appear to match
  • Checked VPN tunnel sharing, set to "one VPN tunnel per subnet pair"
  • Checked VPN type, set to meshed

After each attempt I went on to the CLI of the gateway and cleared both the IPsec and IKE SAs for the IPsec gateway, with no change: outbound from us to them works, but they cannot initiate an inbound connection to a server I have control of.

Any help is greatly appreciated, and I can provide additional detail if required.

Thanks.
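The two checks the post circles around ("do the encryption domains actually match?" and "is the NAT hide address, and the real server behind it, covered by our domain for inbound traffic?") can be made mechanical. The following Python script is an added example, not part of the post or of any vendor tooling: it models a VPN domain as a list of networks, checks that two peers' domains mirror each other, and walks an inbound flow through a static NAT to see which address would fall outside the domain. All addresses are constructed (RFC 5737 and RFC 1918 ranges), and the rule that both the NAT address and the translated real address must be inside the local domain is a simplified model stated as an assumption, not a description of Check Point or ASA internals.

```python
from ipaddress import ip_address, ip_network

# Constructed, hypothetical addresses (RFC 5737 and RFC 1918 ranges), not taken from the post.
LOCAL_INTERNAL_SUBNET = ip_network("10.10.0.0/24")   # our internal servers
LOCAL_NAT_HIDE = ip_address("192.0.2.10")            # static NAT address the peer sends to
PEER_SERVER_SUBNET = ip_network("198.51.100.0/24")   # third-party servers

# Inbound static NAT: hide address -> real internal server (constructed mapping)
STATIC_NAT = {LOCAL_NAT_HIDE: ip_address("10.10.0.5")}

# Two candidate local VPN domains: one that forgets the NAT address, one that includes it
LOCAL_DOMAIN_WITHOUT_NAT = [LOCAL_INTERNAL_SUBNET]
LOCAL_DOMAIN_WITH_NAT = [LOCAL_INTERNAL_SUBNET, ip_network(f"{LOCAL_NAT_HIDE}/32")]
PEER_DOMAIN = [PEER_SERVER_SUBNET]


def in_domain(addr, domain):
    """True if addr falls inside any network of the domain list."""
    return any(addr in net for net in domain)


def check_inbound_flow(src, dst, local_domain, peer_domain, static_nat):
    """Simplified model (an assumption, not vendor behaviour) of an inbound peer -> us flow.

    The source must be inside the peer's VPN domain, and both the address the peer
    sends to and the real server it is translated to must be inside our VPN domain.
    Returns a dict with the translated destination and a list of problems found.
    """
    src = ip_address(src)
    dst = ip_address(dst)
    real_dst = static_nat.get(dst, dst)  # no NAT entry: destination is already the real host
    problems = []
    if not in_domain(src, peer_domain):
        problems.append(f"source {src} is outside the peer VPN domain")
    if not in_domain(dst, local_domain):
        problems.append(f"destination {dst} (address the peer sends to) is outside our VPN domain")
    if not in_domain(real_dst, local_domain):
        problems.append(f"translated destination {real_dst} is outside our VPN domain")
    return {
        "src": str(src),
        "dst": str(dst),
        "real_dst": str(real_dst),
        "ok": not problems,
        "problems": problems,
    }


def domain_mismatches(our_local, our_remote, peer_local, peer_remote):
    """'Encryption domains match' means mirrored: our local domain must equal what the
    peer calls its remote domain, and vice versa. Returns a list of differences
    (empty when the two configurations mirror each other)."""
    def as_set(domain):
        return {str(net) for net in domain}

    diffs = []
    pairs = (
        ("our local vs peer remote", as_set(our_local), as_set(peer_remote)),
        ("our remote vs peer local", as_set(our_remote), as_set(peer_local)),
    )
    for name, ours, theirs in pairs:
        only_ours = ours - theirs
        only_theirs = theirs - ours
        if only_ours:
            diffs.append(f"{name}: only on our side: {sorted(only_ours)}")
        if only_theirs:
            diffs.append(f"{name}: only on peer side: {sorted(only_theirs)}")
    return diffs


if __name__ == "__main__":
    # Inbound flow from a third-party server to our NAT hide address, under both domains
    for label, domain in (("without NAT address", LOCAL_DOMAIN_WITHOUT_NAT),
                          ("with NAT address", LOCAL_DOMAIN_WITH_NAT)):
        result = check_inbound_flow("198.51.100.7", "192.0.2.10", domain, PEER_DOMAIN, STATIC_NAT)
        print(f"local domain {label}: ok={result['ok']} problems={result['problems']}")

    # Peer configured its remote domain without our NAT address: the domains do not mirror
    print(domain_mismatches(LOCAL_DOMAIN_WITH_NAT, PEER_DOMAIN, PEER_DOMAIN, [LOCAL_INTERNAL_SUBNET]))
```

Running the script shows that the inbound flow only passes when the /32 hide address is part of the local domain, and that "match" has to be checked as a mirror of both sides' local and remote definitions, not just as "both sides list the same subnets somewhere". In a real comparison, replace the constructed lists with the subnets exported from each gateway's topology and the peer's crypto ACL.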
