| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hi Everyone, I just upgraded from R54 to R62. Everything went perfectly: the VPNs came back up and everything was great except one thing. SecureClient works fine when you log in to the firewall, but it is not going out to our other VPNs. E.g., you call into 10.0.1.x and you can ping everything fine, but when you want to go to 10.0.2.x, which is a VPN connection with an Edge device, it doesn't work. It used to before the upgrade but now won't. On the Edge device I get the error "packet was encrypted and should not be". I have triple-checked the setup according to the Check Point docs. Any ideas? Thanks |
| |||
| That's quite simple. The error message says it all. The VPN-1 Edge appliance correctly receives an encrypted packet, but it doesn't decrypt it. Instead, it drops the packet, telling you that it expected unencrypted traffic. So there is something wrong with your encryption domain. Check which encryption domain is configured for your VPN-1 Edge and make sure that the address from the SecureClient user is included. Best regards, Danny Trommer CCSA/CCSE/CCSE+ |
| |||
| I am assuming that when you say Secure Client you are not talking about Secure Remote, as you will need to have Office Mode enabled for this to work. The easiest way to solve this is as follows. Use the option to Set Encryption Domain for Remote Access Community. Specify this as the normal encryption domain behind the gateway you Secure Client to, as well as the network behind the Edge device. Set the normal encryption domain for the gateway to be the existing encryption domain and the Office Mode range that you use for Secure Client. Ensure that the site-to-site VPN between the Edge and the gateway includes the Office Mode range in the security rulebase. Push the policy to the gateway and the Edge. I set this up only yesterday with two Check Point gateways and it worked straight away. A lot easier than faffing about with vpnroute.conf files. |
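
The encryption-domain checks the two replies describe, as an added example that is not part of the thread and not Check Point code: a simplified model of which side rejects a SecureClient-to-Edge packet for a given address plan. The /24 masks, the Office Mode range 172.16.10.0/24, the host addresses and all function names are assumptions made for illustration.

```python
from ipaddress import ip_address, ip_network

def covers(domain, addr):
    """True if addr is inside any network of an encryption domain."""
    return any(ip_address(addr) in ip_network(net) for net in domain)

def check_client_to_edge(client_ip, dest_ip, ra_domain, gw_domain, edge_domain):
    """Findings for a SecureClient -> gateway -> Edge flow (simplified model)."""
    findings = []
    # Client side: only destinations in the Remote Access community's
    # encryption domain are sent into the client-to-gateway tunnel.
    if not covers(ra_domain, dest_ip):
        findings.append("client: destination missing from Remote Access encryption domain")
    # Gateway side: the destination must belong to the Edge's domain to be
    # re-encrypted into the site-to-site tunnel.
    if not covers(edge_domain, dest_ip):
        findings.append("gateway: destination missing from Edge encryption domain")
    # Edge side: the source must be in the gateway's encryption domain, or the
    # Edge treats the encrypted packet as one that should have been clear.
    if not covers(gw_domain, client_ip):
        findings.append("edge: source missing from gateway encryption domain")
    return findings

# Constructed sample values (masks and Office Mode range are assumptions).
GW_LAN, EDGE_LAN, OFFICE_MODE = "10.0.1.0/24", "10.0.2.0/24", "172.16.10.0/24"
CLIENT, TARGET = "172.16.10.5", "10.0.2.20"

def as_reported():
    # Gateway domain lacks the Office Mode range: the symptom in the thread.
    return check_client_to_edge(CLIENT, TARGET, [GW_LAN, EDGE_LAN], [GW_LAN], [EDGE_LAN])

def as_suggested():
    # Third reply: RA domain = gateway LAN + Edge LAN;
    # gateway domain = existing domain + Office Mode range.
    return check_client_to_edge(CLIENT, TARGET, [GW_LAN, EDGE_LAN],
                                [GW_LAN, OFFICE_MODE], [EDGE_LAN])

if __name__ == "__main__":
    print("as reported: ", as_reported())
    print("as suggested:", as_suggested())
```
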