CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Traffic not going through the VPN tunnel

  1. #1
    Join Date
    2017-11-22
    Posts
    3
    Rep Power
    0

    Traffic not going through the VPN tunnel

    Good evening,

    I have an issue with one of my VPN tunnels.

    My customer's sites are connected with VPN tunnels in a mesh configuration. All the tunnels are working properly, but the communication between one of the networks (specifically one host, let's call it host A) behind one of the peers and other hosts on the other side behind the other peer is not going through the VPN. Both VPN peers are Check Point Gaia R77.10.

    I've already checked encryption domains, FW rules and anti-spoofing configuration but can't find the issue.

    In addition, and to make it stranger, communications going through the same tunnel work perfectly for other networks (networks in the same encryption domain as the one that isn't working), and VPN-encrypted communication between host A and other devices encrypted through the same mesh VPN is also working.

    Can someone please help me? I hope I've explained my problem in a way you can understand.

    Thanks in advance

  2. #2
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,480
    Rep Power
    8

    Re: Traffic not going through the VPN tunnel

    Quote Originally Posted by Mangurrin
    Good evening,

    I have an issue with one of my VPN tunnels.

    My customer's sites are connected with VPN tunnels in a mesh configuration. All the tunnels are working properly, but the communication between one of the networks (specifically one host, let's call it host A) behind one of the peers and other hosts on the other side behind the other peer is not going through the VPN. Both VPN peers are Check Point Gaia R77.10.

    I've already checked encryption domains, FW rules and anti-spoofing configuration but can't find the issue.

    In addition, and to make it stranger, communications going through the same tunnel work perfectly for other networks (networks in the same encryption domain as the one that isn't working), and VPN-encrypted communication between host A and other devices encrypted through the same mesh VPN is also working.

    Can someone please help me? I hope I've explained my problem in a way you can understand.

    Thanks in advance
    Just a guess, but does the non-working host have a NAT rule? If so, it sounds like you need a no-NAT rule to work around that.

    If that's not the case then we need more info. Are you seeing the packet hit the VPN firewall and it's not getting encrypted, or is it just not showing up on the firewall in the first place?

    Have you ruled out a routing or subnet mask issue on the non-working host?

  3. #3
    Join Date
    2017-11-22
    Posts
    3
    Rep Power
    0

    Re: Traffic not going through the VPN tunnel

    Good morning,

    There's no NAT applied to the rule or to the specific object.

    I'll try to explain it better with an example (I think it's hard to understand the issue without knowing the actual infrastructure).

    My mesh VPN includes 7 FW clusters, and there are active VPN tunnels between all of them. Let's call the affected FWs FW-A and FW-B.

    Behind FW-A we have a monitoring computer that needs to monitor devices in all the other sites. Its IP is 172.16.0.1.

    Devices on sites with other FWs (let's call one of them FW-C) in the mesh work perfectly; communication goes through the VPN tunnel and gets to the device. But with this particular site behind FW-B it is not working.

    So:

    Source: 172.16.0.1 Destination: Host behind FW-C --> The communication goes through the tunnel and gets to the device
    Source: 172.16.0.1 Destination: Host behind FW-B --> The communication is not getting through the tunnel, so it's routed to the wrong side.

    I've read that when both networks are in both encryption domains, you don't need a route in the FW routing table for the communication to go through the tunnel. In the sites that are working, we don't route anything to the external interface that builds the tunnel, but it works.

    Otherwise, I see the traffic hitting the VPN FW, accepted by the rule, but as it's not going through the tunnel, it gets lost.

    Thanks in advance

  5. #5
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    103
    Rep Power
    11

    Re: Traffic not going through the VPN tunnel

    Quote Originally Posted by Mangurrin
    Good morning,

    There's no NAT applied to the rule or to the specific object.

    I'll try to explain it better with an example (I think it's hard to understand the issue without knowing the actual infrastructure).

    My mesh VPN includes 7 FW clusters, and there are active VPN tunnels between all of them. Let's call the affected FWs FW-A and FW-B.

    Behind FW-A we have a monitoring computer that needs to monitor devices in all the other sites. Its IP is 172.16.0.1.

    Devices on sites with other FWs (let's call one of them FW-C) in the mesh work perfectly; communication goes through the VPN tunnel and gets to the device. But with this particular site behind FW-B it is not working.

    So:

    Source: 172.16.0.1 Destination: Host behind FW-C --> The communication goes through the tunnel and gets to the device
    Source: 172.16.0.1 Destination: Host behind FW-B --> The communication is not getting through the tunnel, so it's routed to the wrong side.

    I've read that when both networks are in both encryption domains, you don't need a route in the FW routing table for the communication to go through the tunnel. In the sites that are working, we don't route anything to the external interface that builds the tunnel, but it works.

    Otherwise, I see the traffic hitting the VPN FW, accepted by the rule, but as it's not going through the tunnel, it gets lost.

    Thanks in advance
    This is almost always caused by having the destination either accidentally included in FW-A's encryption domain or accidentally left out of FW-B's encryption domain. If the source and destination are in my encryption domain, I won't encrypt, even if the destination is also in a peer's encryption domain. If the destination isn't in a peer's encryption domain, I also won't encrypt, because I wouldn't know what keys to use or where to send it.

    The biggest concern with routing is that it needs to pick the right interface and gateway to be able to reach the remote side. The outgoing interface is determined before the packet is encrypted. The only routing problem I typically saw with VPNs was accidentally routing the network back into your environment. It doesn't sound like that is happening here, though it would be a good idea to confirm. In an fw monitor, what interface do you see for position o?
    Zimmie
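
The two failure modes described in the reply above (destination accidentally inside FW-A's own encryption domain, or accidentally missing from FW-B's; plus a route that sends the destination back to an internal interface before the VPN module ever sees it) can be checked mechanically against a topology export. The script below is an added example, not code from this thread or from Check Point: it implements the stated decision rule over hypothetical gateway names, CIDRs and routes that are constructed for illustration only, and reports for one flow whether the gateway would encrypt, which peer it would pick, which domain overlap explains a clear-text decision, and whether the longest-prefix route exits on an internal interface.

```python
"""
Encryption-domain and egress audit for a meshed site-to-site VPN.

Added example, not code from this thread or from Check Point. Every gateway
name, CIDR and route below is a constructed, hypothetical value. Rule
implemented: a gateway encrypts to a peer only when the destination is NOT
inside its own encryption domain and IS inside exactly one peer's domain;
the egress interface is chosen by the routing table before encryption.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Domains = Dict[str, List[Net]]      # gateway name -> its encryption domain
Routes = List[Tuple[Net, str]]      # (destination network, egress interface)


def build_domains(raw: Dict[str, List[str]]) -> Domains:
    """Parse {gateway: [cidr, ...]} into network objects."""
    return {gw: [ipaddress.ip_network(c, strict=False) for c in cidrs]
            for gw, cidrs in raw.items()}


def gateways_covering(addr: str, domains: Domains) -> List[str]:
    """Names of every gateway whose encryption domain contains addr."""
    ip = ipaddress.ip_address(addr)
    return [gw for gw, nets in domains.items() if any(ip in n for n in nets)]


def vpn_decision(my_gw: str, src: str, dst: str,
                 domains: Domains) -> Tuple[str, str]:
    """What my_gw does with src -> dst: ('encrypt', peer) or ('clear', why)."""
    if my_gw not in gateways_covering(src, domains):
        return ("clear", "source is not in own encryption domain")
    dst_gws = gateways_covering(dst, domains)
    if my_gw in dst_gws:
        # Local-to-local from this gateway's point of view: sent in the clear
        # even if a peer also claims the destination (the overlap mistake).
        return ("clear", "destination is inside own encryption domain")
    peers = [gw for gw in dst_gws if gw != my_gw]
    if not peers:
        return ("clear", "destination is in no peer's encryption domain")
    if len(peers) > 1:
        return ("clear", "destination claimed by several peers: "
                + ", ".join(sorted(peers)))
    return ("encrypt", peers[0])


def domain_overlaps(domains: Domains) -> List[Tuple[str, str, str, str]]:
    """(gw1, net1, gw2, net2) for each pair of overlapping networks across gateways."""
    found = []
    gws = sorted(domains)
    for i, a in enumerate(gws):
        for b in gws[i + 1:]:
            for na in domains[a]:
                for nb in domains[b]:
                    if na.overlaps(nb):
                        found.append((a, str(na), b, str(nb)))
    return found


def egress_interface(dst: str, routes: Routes) -> Optional[str]:
    """Longest-prefix match, as the routing table decides before the VPN module runs."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def diagnose(my_gw: str, src: str, dst: str, domains: Domains,
             routes: Routes, external_ifaces: set) -> List[str]:
    """Human-readable findings for one flow leaving my_gw."""
    action, detail = vpn_decision(my_gw, src, dst, domains)
    findings = [f"{src} -> {dst}: {action} ({detail})"]
    if action == "clear":
        ip = ipaddress.ip_address(dst)
        for a, na, b, nb in domain_overlaps(domains):
            if ip in ipaddress.ip_network(na) or ip in ipaddress.ip_network(nb):
                findings.append(f"overlap: {a} has {na}, {b} has {nb}")
    iface = egress_interface(dst, routes)
    if iface is not None and iface not in external_ifaces:
        findings.append(f"route for {dst} exits via internal interface {iface}: "
                        "the packet is sent back inside before it can be encrypted")
    return findings


# Constructed sample data (hypothetical): FW-A accidentally carries 10.20.7.0/24
# (part of FW-B's site) in its own domain, FW-B's domain omits 10.20.128.0/17,
# and a stale route sends that range back to an internal interface.
DOMAINS = build_domains({
    "FW-A": ["172.16.0.0/24", "10.20.7.0/24"],
    "FW-B": ["10.20.0.0/17"],
    "FW-C": ["10.30.0.0/16"],
})
ROUTES: Routes = [(ipaddress.ip_network(n), i) for n, i in [
    ("0.0.0.0/0", "eth0"),          # eth0 plays the external interface of FW-A
    ("172.16.0.0/24", "eth1"),
    ("10.20.128.0/17", "eth1"),     # wrong: points part of FW-B's site inside
]]
EXTERNAL = {"eth0"}

if __name__ == "__main__":
    for dst in ("10.30.0.5", "10.20.7.9", "10.20.200.1"):
        for line in diagnose("FW-A", "172.16.0.1", dst, DOMAINS, ROUTES, EXTERNAL):
            print(line)
```

Run it as-is to see the three cases: the FW-C host is encrypted to FW-C, the 10.20.7.9 host is sent in the clear because FW-A's own domain claims it (and the overlap with FW-B's network is reported), and the 10.20.200.1 host is sent in the clear because no peer's domain covers it, with the stale internal route flagged as well. To use it on a real mesh, replace the constructed DOMAINS and ROUTES with the encryption domains and the gateway's routing table exported from the management server and `show route` on the gateway.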
