R80.10: IPsec VPN - allow unencrypted pings between gateways

Question asked by Lode De Feyter on Jan 8, 2019
Latest reply on Jan 11, 2019 by Lode De Feyter

I’m struggling with an IPsec VPN issue.


I’m setting up a very basic VPN between our Check Point gateway (R80.10) in Brussels and one peer gateway in Amsterdam, non-Check Point, managed by a business partner of ours.

I’m configuring that VPN as a “star” VPN community with one “center” gateway (our own) and one “satellite” gateway (the one in Amsterdam).
VPN comes up and is working. So far, so good.

Now, this particular partner in Amsterdam has the requirement to be able to ping from their gateway to ours. That is: unencrypted, straight over internet.

Those pings are blocked by our firewall with the message “Encryption Failure - Clear text packet should be encrypted”.

That seems logical, because in the VPN community I created, I read the following remark: “All the connections between the Gateways below and the Satellite Gateways will be encrypted.”


Within that same VPN community I have the option to “Exclude Services” from the community, resulting in these services not being encrypted.
When I add “echo-request” and “echo-reply” services in there, the peer gateway indeed is able to ping our gateway.

However, at the same time, pings between endpoint devices, which should be routed and encrypted through the VPN, are no longer working at that moment, and are blocked by our gateway with the message: “Encryption Failure - According to the policy the packet should not have been decrypted”.


How can I solve this deadlock and allow un-encrypted pings between gateways and, at the same time, allow encrypted pings between endpoints passing through the VPN?


I’m not quickly finding a solution on Google or CP’s KB.


Thanks for your advice!

