llarava asked:
Checkpoint Site to Site VPN - outbound traffic from my FW to the destination FW is dropped (spoofing)

Hi,

We've built a site-to-site VPN with Checkpoint R75; the tunnel goes to a Palo Alto FW (we do not manage that one). That being said, the tunnel seems to come up, at least from the Palo Alto side (they can send traffic to us), but they can't ping the host on our end. We cannot communicate through the tunnel: we see that our outbound traffic (a PING to a host on the other side of the tunnel) is being dropped by our firewall with the reason "spoofing".
Nathan Hawkins:

The return traffic is coming back via an asynchronous route... What does that mean? You have a VPN tunnel set up and someone's encryption domain (probably the Palo Alto side) isn't set correctly, thus the traffic is returning via an unexpected interface. In SmartView Tracker you should be able to see phase 1 and 2 come up as well as the traffic being encrypted and being sent. If you don't see all of that then you have differing errors at differing levels. VPNs are specific for good reasons. Routing and encryption domains need to be precise. Please go over both and tailor them as exactly as possible, otherwise you are not going to be able to fix this issue.
Yeah, I would first verify that phase 1 and phase 2 show as negotiated properly on the Checkpoint side. If they are NOT, then you should readily know where to look.

Also, Palo Altos only do route-based VPNs. If your CP is configured as a policy-based VPN, then the proxy IDs on the PAN side need to match what you have defined in your VPN policy (called "interesting traffic" in the Cisco world).
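Added example, not part of the thread or of either vendor's software: a small Python model of the two checks Nathan describes, anti-spoofing of a source address against each interface's topology, and agreement between the Check Point encryption domain and the Palo Alto proxy IDs. Interface names and addresses are constructed.

```python
import ipaddress

# Constructed, simplified model of Check Point interface anti-spoofing and
# of an encryption-domain (proxy ID) comparison. Names/addresses are
# hypothetical; "external" marks an interface whose topology is "Internet".
N = ipaddress.ip_network

TOPOLOGY = {
    "eth0": {"external": True,  "networks": []},
    "eth1": {"external": False, "networks": [N("10.10.0.0/16")]},
}
# Same gateway, but eth0 set to a specific network instead of "Internet".
TOPOLOGY_BAD = {
    "eth0": {"external": False, "networks": [N("203.0.113.0/24")]},
    "eth1": {"external": False, "networks": [N("10.10.0.0/16")]},
}

def is_spoofed(iface, src_ip, topology):
    """True if a packet with src_ip seen on iface fails anti-spoofing:
    the source is defined behind another interface, or this interface's
    topology is a specific network list that does not contain it."""
    src = ipaddress.ip_address(src_ip)
    for name, entry in topology.items():
        if name != iface and any(src in n for n in entry["networks"]):
            return True  # address belongs behind a different interface
    entry = topology[iface]
    if entry["external"]:
        return False  # "Internet": anything not claimed elsewhere is fine
    return not any(src in n for n in entry["networks"])

def domain_mismatch(our_local, our_remote, peer_local, peer_remote):
    """Compare both sides' encryption domains. A policy-based Check Point
    VPN needs the Palo Alto proxy IDs to mirror it exactly; returns a
    list of mismatches (empty means the two configurations agree)."""
    problems = []
    if set(our_local) != set(peer_remote):
        problems.append(f"peer remote proxy ID {sorted(map(str, peer_remote))}"
                        f" != our local domain {sorted(map(str, our_local))}")
    if set(our_remote) != set(peer_local):
        problems.append(f"peer local proxy ID {sorted(map(str, peer_local))}"
                        f" != our remote domain {sorted(map(str, our_remote))}")
    return problems

if __name__ == "__main__":
    # Reply from the remote host decapsulated on eth0: accepted with
    # "Internet", flagged as spoofing when eth0 lists a specific network.
    print(is_spoofed("eth0", "192.168.50.10", TOPOLOGY))      # False
    print(is_spoofed("eth0", "192.168.50.10", TOPOLOGY_BAD))  # True
    print(domain_mismatch([N("10.10.0.0/16")], [N("192.168.50.0/24")],
                          [N("192.168.50.0/24")], [N("10.10.0.0/24")]))
```

A non-empty list from domain_mismatch points at the proxy ID to correct on the PAN side; a True from is_spoofed points at the interface whose topology needs the network added.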
llarava (asker):
"In SmartView Tracker you should be able to see phase 1 and 2 come up as well as the traffic being encrypted and being sent."

Can you walk me through that process? What exactly am I looking for in phase 1 and 2?
ASKER CERTIFIED SOLUTION
Nathan Hawkins:

Are you allowing fragmented packets? You might need the Palo Alto side to ensure that too.