How To Troubleshoot VPN Issues in Site To Site
29 December 2010
2010 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional
improvements, stability fixes, security enhancements and protection against new and evolving attacks.
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=11841
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Revision History: no entries are listed in this version.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How To Troubleshoot VPN Issues in Site to Site).
Supported Versions
R65, R70
Supported OS
SecurePlatform, Windows
Supported Appliances
All gateway appliances
c) Verify that the tunnel settings in the VPN community (renegotiation times, encryption algorithms and
data integrity/hashing algorithms) are the same on both ends.
If the issue is still not resolved, contact the Check Point Support Center.
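The check in step c) is easy to get wrong by eye when the two peers are managed in different GUIs that spell the same algorithm differently. The following is an added example (not part of the Check Point guide) that normalises the algorithm names of both peers' Phase 1 and Phase 2 proposals, reports whether at least one proposal is common to both sides, and flags SA lifetimes that differ on an otherwise matching proposal. The alias table, the Proposal class and the two peers' settings are constructed for the example.

```python
"""Proposal-overlap check for a site-to-site tunnel.

Added example, not from the Check Point guide.  The alias table and the
sample proposals are constructed.  The rule applied: IKE needs at least one
Phase 1 and one Phase 2 proposal that both peers offer; a lifetime that
differs on a matching proposal is reported as a finding to review.
"""
from dataclasses import dataclass

# Assumed spelling variants from different vendors' GUIs -> canonical name.
ALIASES = {
    "aes256": "AES-256", "aes-256": "AES-256", "aes256-cbc": "AES-256",
    "aes128": "AES-128", "aes-128": "AES-128", "aes128-cbc": "AES-128",
    "3des": "3DES", "des3": "3DES", "3des-cbc": "3DES",
    "sha1": "SHA1", "sha-1": "SHA1", "hmac-sha1": "SHA1",
    "sha256": "SHA-256", "sha-256": "SHA-256", "hmac-sha256": "SHA-256",
    "md5": "MD5", "hmac-md5": "MD5",
}


def canon(name: str) -> str:
    """Map a vendor spelling of an algorithm to one canonical name."""
    key = name.strip().lower()
    return ALIASES.get(key, key.upper())


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: str
    dh_group: int      # Phase 1: IKE group; Phase 2: PFS group, 0 = no PFS
    lifetime_s: int    # SA renegotiation time in seconds

    def crypto(self):
        """The part of the proposal that must match exactly."""
        return (canon(self.encryption), canon(self.integrity), self.dh_group)


def matching_pairs(local, remote):
    """(local, remote) pairs whose crypto parameters agree, lifetime ignored."""
    return [(a, b) for a in local for b in remote if a.crypto() == b.crypto()]


def check_tunnel(local_p1, remote_p1, local_p2, remote_p2):
    """Return (negotiable, findings).

    negotiable is False when either phase has no common proposal; findings
    lists every mismatch worth looking at, including lifetime differences
    on otherwise matching proposals.
    """
    negotiable = True
    findings = []
    phases = (("Phase 1", local_p1, remote_p1), ("Phase 2", local_p2, remote_p2))
    for phase, local, remote in phases:
        pairs = matching_pairs(local, remote)
        if not pairs:
            negotiable = False
            findings.append(
                f"{phase}: no common proposal; local offers "
                f"{sorted(p.crypto() for p in local)}, remote offers "
                f"{sorted(p.crypto() for p in remote)}")
            continue
        for a, b in pairs:
            if a.lifetime_s != b.lifetime_s:
                findings.append(
                    f"{phase}: lifetime differs on {a.crypto()}: "
                    f"local {a.lifetime_s}s, remote {b.lifetime_s}s")
    return negotiable, findings


# Constructed settings for two peers (not taken from any real gateway).
LOCAL_P1 = [Proposal("aes256", "sha1", 2, 86400)]
REMOTE_P1 = [Proposal("AES-256", "SHA-1", 2, 28800)]
LOCAL_P2 = [Proposal("aes128", "sha1", 0, 3600)]
REMOTE_P2 = [Proposal("3des", "md5", 0, 3600),
             Proposal("aes128-cbc", "hmac-sha1", 2, 3600)]

if __name__ == "__main__":
    negotiable, findings = check_tunnel(LOCAL_P1, REMOTE_P1, LOCAL_P2, REMOTE_P2)
    print("negotiable:", negotiable)
    for finding in findings:
        print(" -", finding)
```

With the constructed settings, Phase 1 agrees on AES-256/SHA1/group 2 but the lifetimes differ, and Phase 2 fails because the remote peer only offers AES-128/SHA1 with PFS group 2 while the local side offers it without PFS; that second finding is the kind of difference that is easy to miss when only the algorithm names are compared.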
Issue:
vpn_route.conf settings are not carried over to the upgraded SmartCenter/gateway.
Potential Solution:
The file needs to be modified again after the upgrade; the same syntax used in R65 still applies. If you
encounter problems editing the file, refer to sk31021 (http://supportcontent.checkpoint.com/solutions?id=sk31021).
Issue:
You want to exclude a specific address (for example the peer gateway's IP) from the encryption domain and
you are running R70 or above; user.def is not used for this purpose under R70.
Potential Solution:
On the SmartCenter Server, add the following lines at the end of the file $FWDIR/lib/crypt.def:
#define NON_VPN_TRAFFIC_RULES \
(dst=x.x.x.x)
The address 'x.x.x.x' is the IP address of the remote peer which should be excluded from the VPN-1
gateway's remote encryption domain.
Check that there are NAT rules that hide-NAT the internal source addresses when they access the remote
peer address in the clear from the VPN-1 site (e.g. a NAT rule with src=internal net, dst=x.x.x.x ->
src=hide behind the firewall's external address, dst=original).
Issue:
Modifications made in R65 to user.def that set max_subnet_per_range are not preserved after the
upgrade.
Potential Solution:
In R70 the change must be applied in user.def.NGX_FLO, followed by a policy installation.
Issue:
VPND crashes or causes very high CPU consumption in R70 when a manually modified
ipassignment.conf is used.
Potential Solution:
sk41786 (http://supportcontent.checkpoint.com/solutions?id=sk41786)
Issue:
Site-to-site VPN connections between VPN-1 Power/UTM Security Gateways configured as center
gateways in a Star VPN community are not encrypted.
Potential Solution:
sk33318 (http://supportcontent.checkpoint.com/solutions?id=sk33318)
Issue:
Site-to-site VPN using certificates issued by the ICA (Internal Certificate Authority) fails with an error.
Potential Solution:
sk32648 (http://supportcontent.checkpoint.com/solutions?id=sk32648)
Issue:
After an upgrade to R70, site-to-site VPN fails with an "authentication error" message in SmartView Tracker.
Potential Solution:
The shared secret was not carried over by the upgrade process. Redefine the shared secret for the peer gateway.
Issue:
Traffic is dropped inside a VPN tunnel with the error: "packet should not have been decrypted".
Potential Solution:
Consider the following scenario:
GW1 ======VPN====== GW2
 ||                  ||
Mgmt1              Mgmt2
GW1 has a traditional policy installed that encrypts all services from GW1's encryption domain to GW2's
encryption domain. GW2 has a simplified policy installed that allows encrypted traffic between the two
gateways, but the community settings on GW2 exclude several services from encryption.
Services that GW1 encrypts but that appear in GW2's excluded services produce the error "packet should
not have been decrypted": GW2 expects those packets to arrive in the clear, not encrypted.
To fix this, remove the relevant services from the excluded services on GW2 so that its configuration
matches what is configured on GW1.
Issue:
VTI error "encryption failure: Clear text packet should be encrypted"
Potential Solution:
Edit the $FWDIR/conf/vpn_route.conf file on the SmartCenter, and declare each gateway's local
domain to itself.
Example:
Suppose you have two gateways or clusters with VTI tunnels configured. One is named "satellite" and
the other is named "center".
Create two groups. One group contains all of the "satellite" internal networks that participate in the
tunnel, and the other group contains all of the "center" internal networks that participate in the tunnel.
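The following is an added example, not part of the Check Point guide, that checks a vpn_route.conf for the declaration described above: for each gateway, an entry whose destination is that gateway's local-network group and whose next hop and "install on" columns are both the gateway itself. It assumes the file format is one whitespace-separated entry per line in the order "Destination, Next hop router interface, Install on" with "#" starting a comment. The gateway names "satellite" and "center" come from the guide; the group names satellite_nets and center_nets, the mapping between gateways and groups, and the sample file contents are made up for the example.

```python
"""Lint $FWDIR/conf/vpn_route.conf for the self-declaration the guide
requires on VTI gateways.

Added example, not from the Check Point guide.  Assumptions: one
whitespace-separated entry per line in the order
'Destination  Next hop router interface  Install on', '#' begins a comment,
and the names are SmartCenter objects.  satellite_nets, center_nets,
LOCAL_DOMAINS and the file contents are constructed for the example.
"""

# Constructed file contents: the cross-site routes are present, but only
# "center" has its local domain declared to itself.
SAMPLE_VPN_ROUTE_CONF = """\
# Destination      Next hop          Install on
satellite_nets     satellite         center
center_nets        center            satellite
center_nets        center            center
"""

# Which group holds each gateway's local networks (constructed mapping).
LOCAL_DOMAINS = {"satellite": "satellite_nets", "center": "center_nets"}


def parse_vpn_route_conf(text):
    """Return a list of (destination, next_hop, install_on) tuples.

    A line with anything other than three fields raises ValueError, since a
    malformed line is itself a reason for routes not taking effect.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(
                f"vpn_route.conf line {lineno}: expected 3 fields, "
                f"got {len(fields)}: {raw!r}")
        entries.append(tuple(fields))
    return entries


def missing_self_declarations(entries, local_domains):
    """Gateways whose local-network group is not routed to, and installed on, themselves."""
    present = set(entries)
    return sorted(gw for gw, group in local_domains.items()
                  if (group, gw, gw) not in present)


def self_declaration_lines(local_domains):
    """The vpn_route.conf lines that declare each gateway's local domain to itself."""
    return [f"{group:<18} {gw:<17} {gw}" for gw, group in sorted(local_domains.items())]


if __name__ == "__main__":
    entries = parse_vpn_route_conf(SAMPLE_VPN_ROUTE_CONF)
    missing = missing_self_declarations(entries, LOCAL_DOMAINS)
    print("gateways without a self-declaration:", missing)
    for line in self_declaration_lines({gw: LOCAL_DOMAINS[gw] for gw in missing}):
        print("add:", line)
```

Run against the constructed file, the check reports "satellite" as missing and prints the line to append; after the line is added and policy is installed on both gateways, re-run the check and then verify traffic in both directions as the next section describes.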
Verifying
Ensure that you can communicate between the sites in both directions.