CSICO - Check point VPN

Hi, was hoping for some help to point me in the right direction.

BasiclyI have main site and branch site. and I have set up the VPN tunnel so that all traffic from Branch to main is encrypted and all traffic from main to branch gets encrypted. That all works fine but.

I want all traffic originating in the branch bound for the internet site to come back though the VPN and then get natted out of the internet link on the main site.

But I dont seem to be able to get it.

the cisco is encrypting all traffic from its internal networks, but when it hits the checkpoint i see

encryption failure: According to the policy the packet should not have been decrypted

The check points has the rules

any to branch VPN set to the community
branch to any VPN set to the community

If this was two routers I would set up a GRE tunnel with IPSEC encapsulation but how do i do this checkpoint to cisco?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

sojourn

Check Point to Cisco VPNs are historically a bit of a pain.

I can't help specifically but you could try asking or searching in the VPN forum on CPUG.

https://www.cpug.org/forums/forumdisplay.php/5-IPsec-VPN-Blade-%28Virtual-Private-Networks%29

netstat

From the Check Point perspective, i think that error is related to a topology misconfiguration. Check the below settings.

vpn1.jpg

vpn2.jpg

DevilWAH

netstat wrote: »

From the Check Point perspective, i think that error is related to a topology misconfiguration. Check the below settings.

Ahh yes Star not Mesh

working fine now

JasminLandry

sojourn wrote: »

Check Point to Cisco VPNs are historically a bit of a pain.

My colleague spent approximately 10-15 hours with Check Point's support to get thing sorted out. Apparently there were a couple of options that were activated by default on the Check Point that was deactivated by default on the Cisco.

DevilWAH

What I found is the "auto" settings on the check point did not actually help. In the end it was better to strip them all off and set it all manually, espicaly the NAT. So that NAT is of for internal networks and on when going to the internet.

IS all working fine now but I have to say Cisco router site to site may be CLI to configure but so much more logical.