Checkpoint Site to Site VPN - outbound traffic from my FW to the destination FW is dropped (spoofing)


We've built a site-to-site VPN with Checkpoint R75; the tunnel goes back to a Palo Alto FW (we do not manage that one). That being said, the tunnel seems to come up, at least from the Palo Alto side (they can send traffic to us), but can't ping the host on our end. We cannot communicate through the tunnel; we see that our outbound traffic (a PING to a host on the other side of the tunnel) is being blocked by our firewall and is dropped with the reason "spoofing".
Nathan HawkinsTechnical Lead - Network SecurityCommented:
The return traffic is coming back via an asynchronous route... What does that mean? You have a VPN tunnel set up and someone's encryption domain (probably the Palo Alto side) isn't set correctly, thus the traffic is returning via an unexpected interface. In SmartView Tracker you should be able to see phase 1 and 2 come up as well as the traffic being encrypted and being sent. If you don't see all of that then you have differing errors at differing levels. VPNs are specific for good reasons. Routing and encryption domains need to be precise. Please go over both and tailor them as exactly as possible, otherwise you are not going to be able to fix this issue.
Schuyler DorseyCommented:
Yeah, I would first verify that phase 1 and phase 2 show as negotiated properly on the Checkpoint side. If they are NOT, then you should readily know where to look.

Also, Palo Altos only do route-based VPNs. If your CP is configured as a policy-based VPN, then the proxy IDs on the PAN side need to match what you have defined in your VPN policy (called interesting traffic in the Cisco world).
llaravaAuthor Commented:
"In SmartView Tracker you should be able to see phase 1 and 2 come up as well as the traffic being encrypted and being sent."

Can you walk me through that process? What exactly am I looking for in phase 1 and 2?
Nathan HawkinsTechnical Lead - Network SecurityCommented:
Hmmm, the best way I'd do it is sort on the destination gateway IP address, and then create interesting traffic that will initiate the VPN. Make sure to include the destination gateway in the encryption domain for the Palo Alto. There are all kinds of options to check-mark in Tracker. Rather than anything specific, just check anything encryption related. That will also display any and all encryption details, including the phases as they come up. If you are doing all of that and still not seeing phase 1 and phase 2 come up, then you need to start from the beginning and do it all over again.

@Schuyler Dorsey - Pretty sure the term "interesting traffic" was coined way before Cisco engineers started using it. Route-based VPNs mean just that: there's a route through which the VPN is initiated, but that's only on the Palo Alto side. VPNs are standards, built and torn down in standard ways. As long as encryption methods match, pre-shared secrets/certificates match and encryption domains match, the VPN method isn't relevant...
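As an added illustration of the two things the replies above say to verify (the interface topology that drives a Check Point "spoofing" drop, and matching encryption domains, i.e. the proxy IDs on the Palo Alto side), here is a small Python model of both checks. This is example code written for this page, not Check Point's or Palo Alto's own logic; the interface names (eth0/eth1), the networks and the sample packets are constructed for illustration.

```python
"""Model of Check Point anti-spoofing plus encryption-domain matching.

Added example; interface names, networks and packets are constructed.
"""
import ipaddress


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed gateway topology, modelled on the Topology tab of a Check Point
# gateway object: an internal interface lists the networks that may appear as
# the source of packets entering it; the external interface is "anything that
# is not claimed by an internal interface".
TOPOLOGY = {
    "eth0": "external",
    "eth1": _nets(["10.10.0.0/16"]),
}

# Constructed encryption domains. REMOTE_ENC_DOMAIN is what the Palo Alto
# side must define as its proxy ID for this policy-based peer.
LOCAL_ENC_DOMAIN = _nets(["10.10.0.0/16"])
REMOTE_ENC_DOMAIN = _nets(["192.168.50.0/24"])


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def internal_networks():
    """All networks claimed by internal interfaces."""
    return [n for v in TOPOLOGY.values() if v != "external" for n in v]


def antispoof(iface, src):
    """Return 'accept' or 'drop: spoofing' for a packet with source `src`
    entering on `iface`, following the topology above."""
    src = ipaddress.ip_address(src)
    nets = TOPOLOGY[iface]
    if nets == "external":
        # An internal address arriving on the external interface is spoofed.
        return "drop: spoofing" if _in_any(src, internal_networks()) else "accept"
    return "accept" if _in_any(src, nets) else "drop: spoofing"


def vpn_match(src, dst):
    """True if src->dst (or the reverse) falls inside the local and remote
    encryption domains, i.e. it is "interesting traffic" for the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    outbound = _in_any(s, LOCAL_ENC_DOMAIN) and _in_any(d, REMOTE_ENC_DOMAIN)
    inbound = _in_any(s, REMOTE_ENC_DOMAIN) and _in_any(d, LOCAL_ENC_DOMAIN)
    return outbound or inbound


def diagnose(iface, src, dst):
    """Combine both checks into a one-line verdict for a packet."""
    verdict = antispoof(iface, src)
    if verdict != "accept":
        return f"{iface} {src}->{dst}: {verdict} (source not in {iface} topology)"
    if not vpn_match(src, dst):
        return f"{iface} {src}->{dst}: accept, not in encryption domains (routed in clear)"
    return f"{iface} {src}->{dst}: accept, encrypt"


if __name__ == "__main__":
    # Constructed sample packets.
    samples = [
        ("eth1", "10.10.1.5", "192.168.50.10"),   # our ping towards the peer
        ("eth0", "192.168.50.10", "10.10.1.5"),   # decrypted reply on the external side
        ("eth1", "192.168.50.10", "10.10.1.5"),   # reply showing up on the internal side
        ("eth1", "10.20.1.5", "192.168.50.10"),   # source outside eth1's topology
    ]
    for pkt in samples:
        print(diagnose(*pkt))
```

The third and fourth sample packets reproduce the symptom in the question: a source address that is not in the topology of the interface it arrives on is dropped as spoofing before the VPN community is ever consulted, so the encryption domains must be right and the topology must cover every host that is expected to use the tunnel.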

Are you allowing fragmented packets? You might need the Palo Alto side to ensure that too.