CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi all, I don't know where to post this, so I just post it here :) We have a Check Point 6.5 cluster with VPN tunnels. If the device on the other side is not up, the Check Point doesn't create a tunnel (which is normal). If the other device comes up and there is traffic for that location, the Check Point routes the traffic to the internet and doesn't look whether the tunnel is up or not. So it only checks it once... Is there a command to delete those routing tables or so, and is there a workaround? Greetz, Bert Colemont
Yes, I mean 6.5, and nothing comes in the log... Let me try to explain the problem again:

    Client 1 192.168.1.1
                          FW1 cluster <-- IPsec tunnel -----> OtherFW <--> Server1 10.0.0.1
    Client 2 192.168.1.2

If client 1 pings before the tunnel is up, it gets a route to the dark holes of the internet. If client 2 pings when the tunnel is up, it gets a reply. If client 1 pings again, now when the tunnel is up, it still lands in the black hole on the internet. So client 1 is never ever getting routed correctly and client 2 is; in the rules it is defined that the whole 192.168.1.0 network may connect to 10.0.0.1. We also tried to delete the rule and make it again, and also tried to put client 1 specifically in a separate rule to allow it to 10.0.0.1, but nothing helps. The only thing that helps is to bring down all clients in the 192.168.1.x network, reboot the FW cluster, start up the tunnel and then bring up the clients.
Hi, why is your traffic going to the internet when the tunnel is down? I suppose it should get dropped at the firewall itself. Please check the rule allowing this traffic to the internet.
This is a configuration problem somewhere. Check the routing on client 1, and check the encryption domains of both peers. From client 1, do a traceroute and see where it thinks the packets are going. From the gateway you can do:

    fw monitor -e 'accept (src=192.168.1.1 and dst=10.0.0.1) or \
                          (src=10.0.0.1 and dst=192.168.1.1);'

and see if the packets are going through the firewall.
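The reply above asks the poster to check the encryption (VPN) domains of both peers and to capture the flow with fw monitor. The script below is an added example for this thread, not code from the poster, from CPUG, or from Check Point. It models the one rule of domain-based VPN that matters here: the gateway encrypts a packet only when source and destination fall inside the two peers' VPN domains; anything else is ordinary routed traffic, which on a gateway with a default route means the internet. The domains (192.168.1.0/24 behind FW1, 10.0.0.1 behind OtherFW), the flows, and the deliberately narrowed domain used to reproduce a "client 1 fails, client 2 works" pattern are all constructed for illustration and say nothing about the poster's real configuration, which lives in the gateway objects, not in this script. It also builds the fw monitor filter from the reply for an arbitrary host pair.

```python
"""Model of domain-based VPN matching plus the fw monitor filter from the thread.

Added example for this CPUG thread; not Check Point code.  The VPN domains,
flows and the narrowed "broken" domain below are constructed for illustration.
"""

from ipaddress import ip_address, ip_network

# Assumed (constructed) encryption domains for the two peers in the thread:
# the 192.168.1.0/24 client network behind FW1 and Server1 behind OtherFW.
FW1_DOMAIN = ["192.168.1.0/24"]
OTHERFW_DOMAIN = ["10.0.0.1/32"]


def in_domain(addr, domain):
    """True if addr falls inside any CIDR block that makes up a VPN domain."""
    a = ip_address(addr)
    return any(a in ip_network(net, strict=False) for net in domain)


def vpn_decision(src, dst, local_domain, remote_domain):
    """Simplified model of domain-based VPN matching on the local gateway.

    Returns "vpn" when the flow lies between the two peers' domains in either
    direction, otherwise "clear": the packet is routed like any other, and with
    a default route that is the internet (the symptom in the thread).
    """
    if in_domain(src, local_domain) and in_domain(dst, remote_domain):
        return "vpn"
    if in_domain(src, remote_domain) and in_domain(dst, local_domain):
        return "vpn"
    return "clear"


def explain(src, dst, local_domain, remote_domain):
    """List the reasons a src->dst flow would NOT be sent through the tunnel."""
    reasons = []
    if not in_domain(src, local_domain):
        reasons.append(f"{src} is not in the local VPN domain {local_domain}")
    if not in_domain(dst, remote_domain):
        reasons.append(f"{dst} is not in the remote VPN domain {remote_domain}")
    return reasons


def fw_monitor_filter(host_a, host_b):
    """Build the fw monitor command from the reply, capturing both directions
    of a flow between two hosts as seen on the gateway."""
    return (
        "fw monitor -e 'accept "
        f"(src={host_a} and dst={host_b}) or (src={host_b} and dst={host_a});'"
    )


def diagnose(flows, local_domain, remote_domain):
    """Run the model over (src, dst) pairs; one (src, dst, decision, reasons) row each."""
    return [
        (src, dst,
         vpn_decision(src, dst, local_domain, remote_domain),
         explain(src, dst, local_domain, remote_domain))
        for src, dst in flows
    ]


if __name__ == "__main__":
    # Constructed flows mirroring the thread: both clients to Server1, plus a
    # genuinely internet-bound packet for contrast.
    flows = [("192.168.1.1", "10.0.0.1"),
             ("192.168.1.2", "10.0.0.1"),
             ("192.168.1.1", "8.8.8.8")]
    for src, dst, decision, reasons in diagnose(flows, FW1_DOMAIN, OTHERFW_DOMAIN):
        print(f"{src:>14} -> {dst:<10} {decision:5}  {'; '.join(reasons)}")

    # A local domain that (by constructed misconfiguration) covers only client 2
    # reproduces the "client 1 fails, client 2 works" pattern from the thread.
    for src, dst, decision, reasons in diagnose(flows[:2], ["192.168.1.2/32"], OTHERFW_DOMAIN):
        print(f"{src:>14} -> {dst:<10} {decision:5}  {'; '.join(reasons)}")

    # The capture to run on the gateway for the failing pair.
    print(fw_monitor_filter("192.168.1.1", "10.0.0.1"))
```

Run it as-is to see the three flows classified and the narrowed-domain case; replace the two domain lists with the networks actually configured on each gateway object to check a real pair. If a flow comes out "clear" here, the fw monitor capture on the gateway should show the packets leaving unencrypted on the external interface, which is what a traceroute from the client that ends on the internet would also suggest.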