Cisco - Check Point VPN

DevilWAH Member Posts: 2,997
Hi, was hoping for some help to point me in the right direction.

Basically I have a main site and a branch site, and I have set up the VPN tunnel so that all traffic from branch to main is encrypted and all traffic from main to branch gets encrypted. That all works fine, but.

I want all traffic originating in the branch bound for an internet site to come back through the VPN and then get NATed out of the internet link on the main site.

But I don't seem to be able to get it.

The Cisco is encrypting all traffic from its internal networks, but when it hits the Check Point I see

encryption failure: According to the policy the packet should not have been decrypted

The Check Point has the rules

any to branch, VPN set to the community
branch to any, VPN set to the community

If this was two routers I would set up a GRE tunnel with IPsec encapsulation, but how do I do this Check Point to Cisco?
  • If you can't explain it simply, you don't understand it well enough. Albert Einstein
  • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
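To illustrate why the hub rejects internet-bound branch traffic in one community type but accepts it in the other, here is an added Python model of the spoke's crypto ACL, the hub's post-decryption policy check and the hub-side NAT decision; it is not Check Point's or Cisco's code, it simplifies their behaviour, and the addresses, domain names and community semantics are assumptions.

```python
import ipaddress

# Constructed topology (assumption: stands in for the thread's main and branch sites).
MAIN_DOMAIN = [ipaddress.ip_network("10.1.0.0/16")]     # hub (Check Point) encryption domain
BRANCH_DOMAIN = [ipaddress.ip_network("10.2.0.0/16")]   # spoke (Cisco) encryption domain
HUB_EXTERNAL_IP = "203.0.113.10"                         # hub's internet-facing address (TEST-NET-3)


def in_domain(addr: str, domain) -> bool:
    """True when addr falls inside any network of the encryption domain."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in domain)


def spoke_encrypts(src: str, dst: str) -> bool:
    """Cisco side: a crypto ACL equivalent to 'permit ip 10.2.0.0/16 any' sends every
    packet from the branch LAN into the tunnel, internet-bound traffic included."""
    return in_domain(src, BRANCH_DOMAIN)


def hub_accepts_decrypted(src: str, dst: str, community: str):
    """Simplified model of the hub's post-decryption policy check (assumption).
    'mesh': only traffic between the two encryption domains belongs in the tunnel.
    'star': a satellite may also route traffic through the center to the internet."""
    if not in_domain(src, BRANCH_DOMAIN):
        return False, "source outside peer encryption domain"
    if in_domain(dst, MAIN_DOMAIN):
        return True, "site-to-site traffic"
    if community == "star":
        return True, "routed through center"
    return False, "According to the policy the packet should not have been decrypted"


def hub_nat(src: str, dst: str) -> str:
    """Hub NAT decision once a packet is accepted: no NAT between the two internal
    sites, hide NAT behind the external IP for internet-bound traffic."""
    if in_domain(dst, MAIN_DOMAIN):
        return src
    return HUB_EXTERNAL_IP


def trace(src: str, dst: str, community: str) -> str:
    """Follow one branch-originated packet from spoke to hub."""
    if not spoke_encrypts(src, dst):
        return "not encrypted by spoke"
    ok, reason = hub_accepts_decrypted(src, dst, community)
    if not ok:
        return f"dropped at hub: {reason}"
    return f"forwarded with source {hub_nat(src, dst)} ({reason})"


if __name__ == "__main__":
    for community in ("mesh", "star"):
        print(community, "->", trace("10.2.0.25", "198.51.100.7", community))
```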

Comments

  • sojourn Member Posts: 61
    Check Point to Cisco VPNs are historically a bit of a pain.

    I can't help specifically but you could try asking or searching in the VPN forum on CPUG.

    https://www.cpug.org/forums/forumdisplay.php/5-IPsec-VPN-Blade-%28Virtual-Private-Networks%29
  • netstat Member Posts: 65
    From the Check Point perspective, I think that error is related to a topology misconfiguration. Check the below settings.

  • DevilWAH Member Posts: 2,997
    netstat wrote: »
    From the Check Point perspective, I think that error is related to a topology misconfiguration. Check the below settings.

    Ahh yes Star not Mesh :) working fine now :)
  • JasminLandry Member Posts: 601
    sojourn wrote: »
    Check Point to Cisco VPNs are historically a bit of a pain.

    My colleague spent approximately 10-15 hours with Check Point's support to get things sorted out. Apparently there were a couple of options that were activated by default on the Check Point that were deactivated by default on the Cisco.

  • DevilWAH Member Posts: 2,997
    What I found is the "auto" settings on the Check Point did not actually help. In the end it was better to strip them all off and set it all manually, especially the NAT, so that NAT is off for internal networks and on when going to the internet.

    It is all working fine now, but I have to say Cisco router site-to-site may be CLI to configure but is so much more logical.