Traffic stops passing in Site-to-Site VPN tunnel, IKE is successful, VPN tunnel is up and uses NAT-T
  • Traffic stops passing between two Site-to-Site VPN Gateways.
  • IKE is successful. The VPN tunnel is up and uses NAT-T. On the CLI of a Check Point VPN Gateway, output of [Expert@HostName]# vpn tu tlist -p shows a "Tunnel-created" timestamp.
  • In the encryption domain of a VPN Gateway, a Security Gateway with a PPPoE interface sends traffic to the encryption domain of the peer VPN Gateway, but does not receive a reply.
  • On the Security Gateway with the PPPoE-Interface, the FW-Monitor Utility shows:
    1. Incoming in clear and going through the pre-inbound and post-inbound chains ('Small 'i', Big 'I').
    2. Going out and getting encrypted on the pre-outbound and post-outbound chains ('Small 'o', Big 'O', Encrypt-before 'Oe', Encrypt-After 'OE').
    [Protip: Use the '-p all' flag with FW-Monitor to view the full chains of inspection]
  • "tcpdump" (OSI Layer 2) does not show NAT-T traffic leaving the Security Gateway with a PPPoE interface. "tcpdump" also does not show NAT-T traffic entering the peer VPN Gateway.
  • Kernel-level debugs on the Security Gateway with a PPPoE interface show this syntax:
    [cpu_1];[fw4_0];fw_ipsec_encrypt_on_tunnel_instance: encryption successful;
    [cpu_1];[fw4_0];skbuff_packet_update_dev_ex: replacing eth0 with pppoe1;
    [cpu_1];[fw4_0];fwlinux_netfilter_deliver_packet: delivering packet: 
    [cpu_1];[fw4_0];Device pppoe1 ,(PPPoE-Interface Gateway's external IP)->(Peer-Gateway IP), UDP 4500->4500;
As part of the routing decision in the NAT-Traversal (NAT-T) mechanism, the Security Gateway adds a MAC Address header to the packet. 

In a point-to-point setup, the Security Gateway with a PPPoE Driver adds a MAC header to the packet before it sends it to the external interface. This causes a duplicate MAC header and thus a corrupted packet. As a result, the packet is encrypted but does not leave the interface as expected.
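As an added diagnostic example (not Check Point's code), the following Python parses kernel-debug lines in the format quoted above and flags encrypted NAT-T (UDP 4500) packets that were re-homed from an Ethernet device onto a pppoe device, which is the signature this article describes. The line format is taken from the debug excerpt above; the sample lines and IP addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Patterns for the three kernel-debug lines quoted in the article.
RE_ENCRYPT = re.compile(r"fw_ipsec_encrypt_on_tunnel_instance: encryption successful")
RE_REPLACE = re.compile(r"skbuff_packet_update_dev_ex: replacing (\S+) with (\S+);")
RE_DELIVER = re.compile(
    r"Device (\S+) ,(\d+\.\d+\.\d+\.\d+)->(\d+\.\d+\.\d+\.\d+), UDP (\d+)->(\d+);"
)

@dataclass
class Finding:
    src: str            # external IP of the PPPoE-interface gateway
    dst: str            # peer gateway IP
    original_dev: str   # Ethernet device the packet was first assigned to
    delivery_dev: str   # pppoe device it was delivered on

def find_nat_t_on_pppoe(lines: Iterable[str]) -> List[Finding]:
    """Walk debug lines in order; report NAT-T packets that were encrypted and
    then moved from an Ethernet device onto a pppoe device before delivery."""
    findings: List[Finding] = []
    encrypted = False
    replaced: Optional[tuple] = None
    for line in lines:
        if RE_ENCRYPT.search(line):
            encrypted, replaced = True, None      # start of a new packet trace
            continue
        m = RE_REPLACE.search(line)
        if m:
            replaced = (m.group(1), m.group(2))   # (old device, new device)
            continue
        m = RE_DELIVER.search(line)
        if m:
            dev, src, dst, sport, dport = m.groups()
            if (encrypted and replaced and dev == replaced[1]
                    and dev.startswith("pppoe") and sport == dport == "4500"):
                findings.append(Finding(src, dst, replaced[0], dev))
            encrypted, replaced = False, None     # trace complete, reset
    return findings

# Constructed sample: one affected trace (eth0 -> pppoe1) and one normal Ethernet trace.
SAMPLE_DEBUG = """\
[cpu_1];[fw4_0];fw_ipsec_encrypt_on_tunnel_instance: encryption successful;
[cpu_1];[fw4_0];skbuff_packet_update_dev_ex: replacing eth0 with pppoe1;
[cpu_1];[fw4_0];fwlinux_netfilter_deliver_packet: delivering packet:
[cpu_1];[fw4_0];Device pppoe1 ,192.0.2.10->198.51.100.20, UDP 4500->4500;
[cpu_1];[fw4_0];fw_ipsec_encrypt_on_tunnel_instance: encryption successful;
[cpu_1];[fw4_0];fwlinux_netfilter_deliver_packet: delivering packet:
[cpu_1];[fw4_0];Device eth1 ,192.0.2.10->203.0.113.5, UDP 4500->4500;
"""

if __name__ == "__main__":
    for f in find_nat_t_on_pppoe(SAMPLE_DEBUG.splitlines()):
        print(f"NAT-T packet {f.src}->{f.dst} re-homed {f.original_dev} -> {f.delivery_dev}")
```

Run it against the saved output of the kernel debug on the PPPoE gateway; any finding identifies a tunnel whose NAT-T packets are taking the path described in this article.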