
Checkpoint Encryption Failure


raceman3 (Technical User), May 14, 2003
I have a Nortel Contivity VPN Concentrator that establishes a branch office tunnel to a Checkpoint VPN. The tunnel comes up and works fine. The problem is when I try to FTP a file from my host to a host on the remote end: the Checkpoint sees my NATed address and drops it with the following message, "encryption failure, wrong peer gateway for decrypted packet". I'm assuming this is a problem on the Checkpoint side since I'm getting there and using the correct address to do so, but I don't know why I'm receiving the error.
 
It sounds as though the encryption domains are set up as the internal network and not the NATed address of your host. Firewall-1 will only accept decrypted packets that it sees from the remote encryption domain that is defined on the remote firewall object. If it sees a packet come from that VPN peer but after decryption the source is another address (your NATed address) then it will not match the VPN rule and so will be dropped.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
 
So you're saying it is a configuration issue with the remote firewall object on the Checkpoint, which should include the NATed address of the source as well as the peer?
 
It really depends on how you have both firewalls set up and what you want to achieve. Do you want to NAT VPN traffic between the networks or connect using internal private IPs? Either way, both firewalls have to be set up to achieve the same thing. If you are NATing traffic from the Nortel end to the Firewall-1 end then the Nortel object on Firewall-1 should have the live address in the encryption domain, and the encryption rule in the rule base should allow the NATed address access to the network.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************
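The check Chris describes above (decrypted source must fall inside the encryption domain of the gateway that sent the packet, and then still match an encryption rule) can be modelled offline. This is an added example, not code from the original thread or from Check Point; the gateway addresses, networks, NAT address and rule base are constructed for illustration, and the function names are hypothetical. It shows the NATed source being dropped against a domain that only lists the internal LAN, and accepted once the NATed address is added to the Nortel object's domain and to a rule.

```python
import ipaddress

# Constructed example data (hypothetical addresses): encryption domains as
# defined on the Check Point side for each remote gateway object.
PEER_DOMAINS = {
    "203.0.113.10": [ipaddress.ip_network("10.1.0.0/16")],   # Nortel Contivity: internal LAN only
    "198.51.100.20": [ipaddress.ip_network("10.2.0.0/16")],  # another branch gateway
}

# Minimal encryption rule base: (source network, destination network, action).
RULES = [
    (ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("172.16.0.0/24"), "encrypt"),
]


def owning_peer(inner_src, domains):
    """Return the peer gateway whose encryption domain contains inner_src, or None."""
    for peer, nets in domains.items():
        if any(inner_src in net for net in nets):
            return peer
    return None


def rule_allows(src, dst, rules):
    """First-match rule base lookup; no match means the implicit drop."""
    for src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action == "encrypt"
    return False


def check_decrypted_packet(outer_peer, inner_src, inner_dst,
                           domains=PEER_DOMAINS, rules=RULES):
    """Model of the post-decryption check described in the thread.

    outer_peer is the gateway address the ESP packet arrived from; inner_src
    and inner_dst are the addresses seen after decryption. The decrypted
    source must belong to that peer's encryption domain, otherwise the packet
    is dropped as coming from the wrong peer gateway. The rule-base step is a
    simplification of the real rule evaluation.
    """
    src = ipaddress.ip_address(inner_src)
    dst = ipaddress.ip_address(inner_dst)
    if owning_peer(src, domains) != outer_peer:
        return "drop (encryption failure, wrong peer gateway for decrypted packet)"
    if not rule_allows(src, dst, rules):
        return "drop (no matching rule)"
    return "accept"


def with_nat_in_domain(domains, rules, peer, nat_net, dst_net):
    """Return copies of the domain table and rule base with the NATed address
    added to the peer's encryption domain and a rule permitting it to dst_net.
    The originals are left untouched so before/after can be compared."""
    new_domains = {p: list(nets) for p, nets in domains.items()}
    new_domains[peer].append(ipaddress.ip_network(nat_net))
    new_rules = list(rules) + [
        (ipaddress.ip_network(nat_net), ipaddress.ip_network(dst_net), "encrypt")
    ]
    return new_domains, new_rules


if __name__ == "__main__":
    # Internal host 10.1.5.5 is hidden behind 192.0.2.5 before entering the tunnel,
    # so the Check Point sees 192.0.2.5 as the decrypted source.
    print(check_decrypted_packet("203.0.113.10", "192.0.2.5", "172.16.0.9"))
    fixed_domains, fixed_rules = with_nat_in_domain(
        PEER_DOMAINS, RULES, "203.0.113.10", "192.0.2.5/32", "172.16.0.0/24")
    print(check_decrypted_packet("203.0.113.10", "192.0.2.5", "172.16.0.9",
                                 fixed_domains, fixed_rules))
```

Run it as-is to see the drop followed by the accept. The same check also drops a decrypted source that belongs to a different peer's domain (for example 10.2.0.7 arriving from the Nortel gateway), which is the other way the "wrong peer gateway" condition arises.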
 
Thanks for the info. We are NATing the whole way through, and my guess is that the Checkpoint has the registered address of the Nortel Contivity as its peer but does not have a rule allowing the NATed address of our internal host in its rule set to permit traffic. Unfortunately the Checkpoint end belongs to one of our vendors, so I can't verify their setup.
 
When you are using the same address range as the company on the other end of the tunnel, you don't have much choice but to NAT.
 
Hey Raceman, did you resolve this issue?

If not, did you try adding the NATed address as part of your encryption domain on the Checkpoint end?
 