CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Urgent problem with checkpoint to fortigate VPN

  1. #1 (Join Date 2018-02-05, Posts 2)

    Urgent problem with checkpoint to fortigate VPN

    I am having a problem at a client site where I am trying to connect a site-to-site VPN from their checkpoint to a Fortigate at a partner network. I followed SK53980 and the person on the other end applied matching settings for VPN domains and key settings etc. (it's a single subnet on either end at this stage, LAN to LAN over the tunnel). Once configured I started getting a message in the FW log saying "Clear text packet should be encrypted", dropping a UDP 500 IKE packet from the remote 3rd-party gateway. Since then I have read lots of stuff and tried many changes but am still getting the same error. I read that the checkpoint could be implying the gateways into the encryption domain and applied the hack to the crypt.def file on the SMS and pushed policy to the gateway, which seems to have applied (after an initial syntax error) but hasn't made any difference; I still get the same error!

    So I desperately need to get these two firewalls talking. At this stage the checkpoint just receives a packet every few seconds on UDP 500 from the Fortigate and then drops the packet saying it should be encrypted. Please help!

    I worked on this for two days and the client wants some progress tomorrow, and it's night here so I rushed this post out. I will post some screen caps and proper error logs when at work tomorrow morning, but I am hoping someone has seen this or has some idea of how I can get past at least this first point where the very first packet from the Fortigate is just dropped by the checkpoint. Thanks in advance for any help.

  2. #2 (Join Date 2018-02-05, Posts 2)

    Re: Urgent problem with checkpoint to fortigate VPN

    I have an update on this; I read that the problem behind that "clear text packet should be encrypted" error is usually the encryption domains not matching, and possibly the checkpoint implicitly adding the gateway(s) to the encryption domain, making them sometimes not match. Based on that I edited crypt.def on the SMS to exclude the remote gateway from the encryption domain, but it didn't make a difference to the error.

    Subsequently I found that whilst sniffing on the checkpoint gateway (fw monitor) I could not see initiated traffic when pinging inside/across the tunnel in the encryption domain; then I realised I was missing a route to the remote subnet on the local LAN router (hidden in a sea of other static routes). Once I added the route I could see the IKE being attempted from the checkpoint and being dropped due to the stealth rule (traffic from my firewall). It seems the checkpoint was not allowing the firewalls to talk to each other as part of the VPN community and I needed another rule to allow traffic between the two firewalls. Once I did this the tunnel came up.

    Lessons learned:
    Encryption domains must match perfectly between checkpoint and 3rd-party router VPNs
    Sometimes checkpoint can add to the encryption domains and summarise encryption domain subnets, making them not match
    When the firewalls aren't in the encryption domain you need a firewall rule allowing the two FWs to talk to each other for IKE etc., or the stealth rule will catch the IKE
    I also had to change the checkpoint anti-spoofing, as the remote subnet was also a 10.x and after the tunnel was up this was also getting caught in anti-spoofing, but it was easy to find in the logs

  3. #3 (Join Date 2009-04-30, Location Colorado, USA, Posts 2,206)

    Re: Urgent problem with checkpoint to fortigate VPN

    Quote Originally Posted by derek440 View Post
    [quotes the update and "Lessons learned" from post #2 above in full]
    Good summary. In general Juniper/Fortinet/SonicWall are very picky about the Proxy-IDs (subnets) they will accept in a Phase 2 proposal, and it must be an exact match. Check Point and Cisco do not require an exact match as long as it is a subset of the VPN domain/ACL. Palo Alto uses route-based VPNs by default and is expecting 0.0.0.0/0s in Phase 2, but can be configured to mimic subnet-based behavior.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
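The exact-match versus subset-match behaviour described in the reply above, as an added example that is not part of the original thread or any vendor's code. It models a Phase 2 proposal as a (local, remote) pair of traffic selectors and shows why a summarised /23 that Check Point may present (post #2's "summarise encryption domain subnets" lesson) is rejected by a strict peer configured with two /24s, while a narrower selector is fine for a subset-matching peer. All addresses, the `mode` names and the helper function names are constructed for illustration.

```python
"""Added example (not from the post or any vendor): how a strict peer
(exact Proxy-ID match) and a lenient peer (subset match) judge the same
Phase 2 traffic selectors. All addresses are constructed sample data."""
import ipaddress


def _net(s):
    # strict=False so a summarised prefix with host bits set still parses.
    return ipaddress.ip_network(s, strict=False)


def proxy_id_accepted(proposed, configured, mode):
    """Return True if one proposed traffic selector is acceptable to a peer
    whose configured selectors are `configured`.

    mode="exact":  the proposed subnet must equal one configured subnet
                   (behaviour the post attributes to Juniper/Fortinet/SonicWall).
    mode="subset": the proposed subnet only has to lie inside one configured
                   subnet (behaviour the post attributes to Check Point/Cisco).
    """
    p = _net(proposed)
    nets = [_net(c) for c in configured]
    if mode == "exact":
        return p in nets
    if mode == "subset":
        return any(p.subnet_of(n) for n in nets)
    raise ValueError(f"unknown mode {mode!r}")


def phase2_accepted(proposal, peer_config, mode):
    """A proposal is (initiator_local, initiator_remote); the responder checks
    it against its own (responder_local, responder_remote), crossed over."""
    init_local, init_remote = proposal
    resp_local, resp_remote = peer_config
    return (proxy_id_accepted(init_local, resp_remote, mode)
            and proxy_id_accepted(init_remote, resp_local, mode))


# Constructed scenario: the Check Point side's VPN domain is two /24s that the
# gateway may present as one summarised /23; the Fortigate side is configured
# with the two /24s individually.
CHECKPOINT_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24"]
FORTIGATE_DOMAIN = ["10.2.0.0/24"]

# Fortigate's view of the tunnel: (its local selectors, its remote selectors)
FORTIGATE_CONFIG = (FORTIGATE_DOMAIN, CHECKPOINT_DOMAIN)


def summarised_proposal_vs_fortigate():
    """Check Point proposes the summarised /23 as its local side: rejected."""
    return phase2_accepted(("10.1.0.0/23", "10.2.0.0/24"), FORTIGATE_CONFIG, "exact")


def exact_proposal_vs_fortigate():
    """Same tunnel proposed with the exact /24: accepted."""
    return phase2_accepted(("10.1.0.0/24", "10.2.0.0/24"), FORTIGATE_CONFIG, "exact")


def narrow_proposal_vs_checkpoint():
    """Fortigate proposes a single /25 of its domain to Check Point, which
    accepts any subset of the configured domain."""
    cp_config = (CHECKPOINT_DOMAIN, FORTIGATE_DOMAIN)
    return phase2_accepted(("10.2.0.0/25", "10.1.0.0/24"), cp_config, "subset")


def summarised_proposal_vs_subset_peer():
    """A summary is a superset, so even a subset-matching peer rejects it."""
    return proxy_id_accepted("10.1.0.0/23", CHECKPOINT_DOMAIN, "subset")


if __name__ == "__main__":
    print("summarised /23 -> Fortigate (exact):  ", summarised_proposal_vs_fortigate())
    print("exact /24 -> Fortigate (exact):       ", exact_proposal_vs_fortigate())
    print("narrow /25 -> Check Point (subset):   ", narrow_proposal_vs_checkpoint())
    print("summarised /23 -> subset peer:        ", summarised_proposal_vs_subset_peer())
```

The last case is the practical caveat: summarisation fails against both kinds of peer, because a summary is wider than anything the peer has configured, whereas a narrower selector only fails against the strict kind. `IPv4Network.subnet_of` requires Python 3.7 or later.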

  4. #4 (Join Date 2007-03-30, Location DFW, TX, Posts 240)

    Re: Urgent problem with checkpoint to fortigate VPN

    The messages "According to the policy, the packet should not have been decrypted" and "Received cleartext packet within an encrypted connection" are ultimately antispoofing, but for VPNs.

    When using Check Point's simplified-mode VPNs, the encryption domains are used to make encryption decisions. The logic starts by checking if the destination is in a peer's encryption domain, then if the source is in a local encryption domain. If both of those are true, the packet is flagged for encryption to that peer.

    Similar checks are used when receiving VPN traffic. When a packet is decrypted, the firewall checks to see if the source is in the peer's encryption domain and if the destination is in its own encryption domain. If either of those is false, then that packet gets dropped with "According to the policy, the packet should not have been decrypted".

    Meanwhile, if a firewall receives a packet and the source is in a peer's encryption domain and the destination is in its own domain, but the packet didn't come out of a VPN, you get "Received cleartext packet within an encrypted connection".

    For people who run across problems like this in the future, I highly recommend Check Point's IKE debug and IKEview. It is described very briefly in sk30994. It helps spot negotiation problems. It will let you see exactly what each side is proposing for the VPN negotiation.
    Zimmie
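The outbound and inbound decision logic described in the reply above, as an added example that is not Check Point's code or part of the original thread. It walks the constructed cases from this thread through that logic: LAN-to-partner traffic that gets flagged for encryption, a decrypted packet whose source is outside the peer's domain, a cleartext packet that should have arrived through the tunnel, and gateway-to-gateway IKE between two gateways that sit in neither domain, which is therefore plain rulebase traffic and can be caught by the stealth rule, as post #2 found. The topology, peer name and drop-message strings are assumptions for illustration; only the two quoted log messages come from the reply.

```python
"""Added example (not Check Point's code): the simplified-mode encryption
decision logic described in the post above, applied to constructed sample
packets. Addresses and peer names are invented for illustration."""
import ipaddress
from dataclasses import dataclass


def _in_domain(ip, domain):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in domain)


@dataclass
class Peer:
    name: str
    gateway_ip: str
    domain: list  # list of ipaddress.IPv4Network


def outbound_decision(src, dst, local_domain, peers):
    """Outbound check: destination in a peer's domain AND source in the local
    domain -> flagged for encryption to that peer. Anything else goes through
    the ordinary rulebase in the clear, so IKE from a gateway that is in no
    domain is rulebase traffic and a stealth rule can drop it."""
    for peer in peers:
        if _in_domain(dst, peer.domain) and _in_domain(src, local_domain):
            return ("encrypt", peer.name)
    return ("cleartext", None)


def inbound_decision(src, dst, local_domain, peers, decrypted_from=None):
    """Inbound check. decrypted_from names the peer whose tunnel delivered the
    packet, or None if the packet arrived in the clear."""
    if decrypted_from is not None:
        peer = next(p for p in peers if p.name == decrypted_from)
        if _in_domain(src, peer.domain) and _in_domain(dst, local_domain):
            return "accept"
        return "drop: According to the policy, the packet should not have been decrypted"
    # Cleartext arrival: if it looks like VPN traffic it must not be accepted.
    for peer in peers:
        if _in_domain(src, peer.domain) and _in_domain(dst, local_domain):
            return "drop: Received cleartext packet within an encrypted connection"
    return "rulebase"


# Constructed topology (RFC 5737 documentation ranges for the public side).
LOCAL_GW = "203.0.113.1"
LOCAL_DOMAIN = [ipaddress.ip_network("10.1.0.0/24")]
PEERS = [Peer("fortigate", "198.51.100.1", [ipaddress.ip_network("10.2.0.0/24")])]


def walkthrough():
    """Return the decision for each case discussed in the thread."""
    peer_gw = PEERS[0].gateway_ip
    return {
        "lan_to_partner": outbound_decision("10.1.0.10", "10.2.0.20", LOCAL_DOMAIN, PEERS),
        "ike_from_local_gw": outbound_decision(LOCAL_GW, peer_gw, LOCAL_DOMAIN, PEERS),
        "good_decrypted": inbound_decision("10.2.0.20", "10.1.0.10", LOCAL_DOMAIN, PEERS, "fortigate"),
        "bad_decrypted": inbound_decision("10.9.0.5", "10.1.0.10", LOCAL_DOMAIN, PEERS, "fortigate"),
        "clear_within_vpn": inbound_decision("10.2.0.20", "10.1.0.10", LOCAL_DOMAIN, PEERS),
        "ike_from_peer_gw": inbound_decision(peer_gw, LOCAL_GW, LOCAL_DOMAIN, PEERS),
    }


if __name__ == "__main__":
    for case, result in walkthrough().items():
        print(f"{case:18} -> {result}")
```

The two IKE cases are the ones to note when troubleshooting: with both gateways outside the encryption domains, UDP 500 between them is never flagged for encryption in either direction and is judged purely by the rulebase, which is why an explicit gateway-to-gateway rule above the stealth rule was needed in post #2.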
