
Routing all traffic through another firewall

alexL3 asked (5,588 views, last modified 2013-11-16)
Hi everyone:

This one has checkpoint support scratching their heads.

Site A (Main)   - VPN-1 UTM running R62
Site B (Remote) - VPN-1 Edge XU running 7.5.55, configured to pass all traffic through

Site to site VPN established passing traffic between subnets on both sites with no problem
Once we try to reach internet from Site B we log an error:

Encryption Failure. According to the policy the packet should not have been decrypted

Any help would be greatly appreciated!

Thank you!
Alex


Commented:
Hi,

What was the source / destination and origin of the log error?
Are you trying to route internet traffic through the VPN first?

 How is the VPN topology setup?  Is it mesh or star?  If it's star, how is VPN Routing setup? (in advanced settings of VPN community)

Author

Commented:
Source:   192.168.x.x  device behind remote site B

Destination:  any external address on the internet source user is trying to reach

Commented:
* Have you also checked that your encryption domains are not overlapping?
* Make sure that your gateways are not included in your encryption domains
* Sounds daft but have seen this before - exclude IKE and ESP using community properties -> advanced -> excluded services

Author

Commented:
Yes we need to route ALL traffic via site A including the internet

VPN topology=Mesh

The only thing I see under advanced VPN properties is "Disable NAT inside VPN community"; it's checked and I tried both ways

 
To route traffic to site A, then to the internet, you'll need to change the VPN topology to a star topology.  Set up site A as center gateway, and site B as remote gateway.

Once the topology is converted to a star topology, you'll get the option to setup VPN Routing.  You don't see the option now because you're in mesh topology.

Set up the routing to 'to center, or through center to other satellites, or through center to internet and other VPN targets'

(You'll have to setup a new VPN Community and change the VPN to use that community)

Author

Commented:
created new community (Star)
passing traffic between sites but when trying to reach the internet I end up with our cleanup rule even though we have a rule in place:

source - LAN network behind remote site B
destination - any
VPN - new star community
service - any
action - accept
install on - VPN-UTM 1 (site a)
Would you post the line of the log that drops the connection?

Author

Commented:
sorry it took so long.. last change killed all VPN.. but we're back

the log entry looks like this

Number:                      157290
Date:                           10Jul2008
Time:                           14:12:05
Product:                       VPN-1 Power/UTM
Interface:                     eth2
Origin:                         FW-A
Type:                           Log
Action:                         Drop
Protocol:                      tcp
Service:                       http (80)
Source:                        192.168.xx.xx      <- device behind Site B (remote)
Destination:                yo-in-f103.google.com (64.233.169.103)
SourcePort:                1850
Encryption Scheme:     IKE
VPN Peer Gateway:      TESTEDGE3 (xx.xx.xx.xx)      <-WAN IP OF site B
Encryption Methods:    ESP: AES-128 + MD5
Subproduct:                 VPN
VPNFeature:               VPN
SmartDefense Profile: Default_Protection
Information:                 encryption failure: According to the policy the packet should not have been decrypted

Author

Commented:
this time without the MS Word header.. oops

Date:                           10Jul2008
Time:                           14:12:05
Product:                       VPN-1 Power/UTM
Interface:                     eth2
Origin:                         FW-A
Type:                           Log
Action:                         Drop
Protocol:                      tcp
Service:                       http (80)
Source:                        192.168.xx.xx       <- device behind Site B (remote)
Destination:                yo-in-f103.google.com (64.233.169.103)
SourcePort:                1850
Encryption Scheme:     IKE
VPN Peer Gateway:      TESTEDGE3 (xx.xx.xx.xx)      <-WAN IP OF site B
Encryption Methods:    ESP: AES-128 + MD5
Subproduct:                 VPN
VPNFeature:               VPN
SmartDefense Profile: Default_Protection
Information:                 encryption failure: According to the policy the packet should not have been

is this the exact same error as you were getting before we changed to star community?  

If i'm following you correctly, it's similar, but not quite the same.

Author

Commented:
it's similar but not the same

one difference that i see is before when the Edge box was in mesh community it was getting dropped because of the clean up rule

now it drops and says encryption failure: According to the policy the packet should not have been decrypted no rule is involved

Alex
how many actual rules do you have that involve this VPN?

Let's try breaking the rules up a bit.  Insert the following into your policy where appropriate.  Disable other VPN rules (rule 1 should be your old rule, so keep that), and stick your other incoming/outbound rules in wherever they go.

rule 1
src= netA and net B
dst= netA and netB
service = any
vpn = star community
action = accept
track = log
install on = policy targets

rule 2
src= net b
dst = net a (negate)
service = dns, smtp, http, icmp
vpn = 'any gtw to gtw'
action = accept
track = log
install on = policy targets

rule 3
src= net b
dst = any
service = any
vpn = 'any gtw to gtw'
action = accept
track = log
install on = policy targets

rule 4
src = net b
dst = any
service = any
vpn = any traffic
action = accept
track = log
install on = policy targets

rule 5 (cleanup)
any any drop log
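The following Python model is an added example, not code from the thread or from Check Point; it puts the star-topology VPN routing choices from the earlier comment and the rule base proposed just above into executable form, together with the encryption-domain sanity checks (no overlapping domains, no gateway inside a domain) suggested earlier. The addresses, the gateway name, the routing-mode strings, the `all_gw_to_gw` spelling for the "any gtw to gtw" column value, and the order of checks in `evaluate()` are assumptions made for illustration; they reproduce the behaviour seen in the thread (satellite-to-internet traffic dropped with "should not have been decrypted" until routing is set to "through center to internet"), not documented gateway internals.

```python
"""Model of a Check Point star community's VPN-routing decision and the
rule-base VPN column. Added example; all names and the decision order are assumptions."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

# Constructed sample topology: centre site A and satellite site B.
NET_A = ipaddress.ip_network("10.1.0.0/24")
NET_B = ipaddress.ip_network("10.2.0.0/24")

# The three "VPN routing" choices of a star community, as modelled here (assumed names).
TO_CENTER = "to_center_only"
TO_CENTER_AND_SATELLITES = "to_center_or_through_center_to_other_satellites"
THROUGH_CENTER_TO_INTERNET = "through_center_to_other_satellites_or_internet"

ENCRYPTION_FAILURE = ("encryption failure: According to the policy the "
                      "packet should not have been decrypted")

# Community: name, domains behind the centre, {satellite gw: its domains},
# VPN routing mode. Packet.peer is the satellite an ESP packet came from, or None.
Community = namedtuple("Community", "name center_domains satellite_domains vpn_routing")
Packet = namedtuple("Packet", "src dst service peer")

@dataclass
class Rule:
    src: list                   # networks, or ["any"]
    dst: list
    service: list               # service names, or ["any"]
    vpn: str                    # "any", "all_gw_to_gw" or a community name
    action: str
    name: str = ""
    negate_dst: bool = False    # the "(negate)" cell in the thread's rule 2

def in_any(addr, nets):
    return "any" in nets or any(addr in n for n in nets)

def vpn_routing_permits(comm, pkt):
    """May the centre forward a decrypted satellite packet on to pkt.dst?"""
    if in_any(pkt.dst, comm.center_domains):
        return True                       # destination behind the centre
    if comm.vpn_routing == TO_CENTER:
        return False                      # "to center only": nothing else
    others = [n for gw, nets in comm.satellite_domains.items()
              if gw != pkt.peer for n in nets]
    return in_any(pkt.dst, others) or comm.vpn_routing == THROUGH_CENTER_TO_INTERNET

def rule_matches(rule, pkt, comm):
    if not in_any(pkt.src, rule.src):
        return False
    if in_any(pkt.dst, rule.dst) == rule.negate_dst:   # negate flips the cell
        return False
    if "any" not in rule.service and pkt.service not in rule.service:
        return False
    # Community entries in the VPN column only match tunnelled traffic.
    return rule.vpn == "any" or (
        pkt.peer is not None and rule.vpn in ("all_gw_to_gw", comm.name))

def evaluate(comm, rules, pkt):
    """Return (action, reason) the way the centre gateway would log it."""
    if pkt.peer is not None:   # arrived through the tunnel and was decrypted
        src_ok = in_any(pkt.src, comm.satellite_domains.get(pkt.peer, []))
        if not src_ok or not vpn_routing_permits(comm, pkt):
            return "drop", ENCRYPTION_FAILURE
    for rule in rules:         # first match wins
        if rule_matches(rule, pkt, comm):
            return rule.action, rule.name
    return "drop", "cleanup"

def domain_problems(comm, gateway_ips):
    """Thread's sanity checks: no overlapping domains, no gateway address in a domain."""
    domains = list(comm.center_domains) + sum(comm.satellite_domains.values(), [])
    problems = [f"overlap {a} / {b}" for i, a in enumerate(domains)
                for b in domains[i + 1:] if a.overlaps(b)]
    return problems + [f"gateway {ip} inside {n}" for ip in gateway_ips
                       for n in domains if ip in n]

# The rule base proposed in the thread, in this model's notation.
RULES = [
    Rule([NET_A, NET_B], [NET_A, NET_B], ["any"], "star", "accept", "rule 1"),
    Rule([NET_B], [NET_A], ["dns", "smtp", "http", "icmp"], "all_gw_to_gw",
         "accept", "rule 2", negate_dst=True),
    Rule([NET_B], ["any"], ["any"], "all_gw_to_gw", "accept", "rule 3"),
    Rule([NET_B], ["any"], ["any"], "any", "accept", "rule 4"),
]

def star(vpn_routing):
    return Community("star", [NET_A], {"TESTEDGE3": [NET_B]}, vpn_routing)

def demo():
    host_b = ipaddress.ip_address("10.2.0.25")          # constructed host behind B
    to_a = Packet(host_b, ipaddress.ip_address("10.1.0.5"), "http", "TESTEDGE3")
    to_inet = Packet(host_b, ipaddress.ip_address("203.0.113.10"), "dns", "TESTEDGE3")
    return {
        "b_to_a": evaluate(star(TO_CENTER), RULES, to_a),
        "b_to_inet_to_center_only": evaluate(star(TO_CENTER), RULES, to_inet),
        "b_to_inet_through_center":
            evaluate(star(THROUGH_CENTER_TO_INTERNET), RULES, to_inet),
        "domain_problems": domain_problems(star(TO_CENTER), [ipaddress.ip_address("198.51.100.1")]),
    }
```

Running `demo()` shows the three states the thread goes through: B-to-A traffic is accepted by rule 1 regardless of the routing mode, B-to-internet is dropped with the encryption-failure reason (no rule is ever consulted) while routing is "to center only", and the same packet is accepted by rule 2 once routing is "through center to internet". Rules 3 and 4 never fire in this model for tunnelled traffic because rule 2 already matches; they matter only for services outside rule 2's list and, for rule 4, for clear-text traffic.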

Author

Commented:
not much difference

When I try to find net A to net B I get a reply, logs rule 1
trying to reach anything outside of the net A network I get

Number:                            318629
Date:                                 11Jul2008
Time:                                 15:10:24
Product:                             VPN-1 Power/UTM
Interface:                           eth2
Origin:                               FW-A
Type:                                 Log
Action:                               Drop
Protocol:                            udp
Service:                             domain-udp (53)
Source:                              192.168.xx.xx   device behind net b
Destination:                      192.175.48.1
Source Port:                      2679
Encryption Scheme:          IKE
VPN Peer Gateway:           TESTEDGE3 (x.x.x.x)      <-net b fw
Encryption Methods:         ESP: AES-128 + MD5
Subproduct:                       VPN
VPN Feature:                     VPN
SmartDefense Profile:      Default_Protection
Information:                       encryption failure: According to the policy the packet should not have been decrypted

Author

Commented:
I've tried every combination for address translation with the same results ;(

Author

Commented:
eth2 is the internet gateway at site A

Author

Commented:
Finally got it working

It was a combination of things, rules/NAT/VPN community.
Which one did it I'm not sure, but the final thing we had to change was

Star community properties/Advanced settings/VPN routing/ through center to other satellites or to internet or other VPN targets

Thanks very much for all your help
Alex
