SIP/MGCP packets that should be encrypted are sent in clear text when SecureXL is enabled on R75.40VS
Symptoms
  • A VoIP call cannot be established over a VPN tunnel.

  • Relevant only for R75.40VS.

  • Disabling SecureXL on the sending (located near the caller) R75.40VS VPN Security Gateway resolves the issue.

  • SmartView Tracker shows that the receiving (located near the called party) VPN Security Gateway drops SIP/MGCP packets with a 'Clear text packet should be encrypted' log (this log might not be displayed, because the clear text packets might not be routable due to private source IP addresses).
Cause

SecureXL on an R75.40VS Security Gateway cannot process SIP/MGCP packets that should be encrypted.


Solution

Check Point offers a hotfix for this issue.

  1. The hotfix has to be installed on the Security Gateway.

  2. On Gaia OS: Download and install the updated version of the Gaia Software Updates Agent:

    1. Download the package with the updated version of the Gaia Software Updates Agent from sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent) - section "(3) Latest build of CPUSE and What's New".

    2. Transfer the updated Gaia Software Updates Agent package (DeploymentAgent_<version>.tgz) to the Security Gateway, into the /some_path_to_updated_DA/ directory.

    3. Unpack the Gaia Software Updates Agent package:

      [Expert@HostName]# cd /some_path_to_updated_DA/
      [Expert@HostName]# tar xvfz DeploymentAgent_<version>.tgz

    4. Stop the Gaia Software Updates Agent service:

      [Expert@HostName]# $DADIR/bin/dastop
      [Expert@HostName]# dbget installer:stop

    5. Install the Gaia Software Updates Agent RPM:

      [Expert@HostName]# rpm -Uhv --force CPda-00-00.i386.rpm

    6. Start the Gaia Software Updates Agent:

      [Expert@HostName]# $DADIR/bin/dastart


  3. Download the relevant hotfix package(s):

    1. First hotfix package (Hotfix_BASE_006).

      Hardware / Appliance            Version     Link
      Any (except 21600 / 21700*)     R75.40VS    (TGZ)
      * Note: Appliances arriving from Check Point with pre-installed R75.40VS, already include this hotfix - refer to sk86382.

    2. Second hotfix package (Hotfix_HA06_017 / Hotfix_G70_012_004).

      Hardware / Appliance            Version     Link
      Any (except 21600 / 21700)      R75.40VS    (TGZ)
      21600 / 21700 appliances        R75.40VS    (TGZ)


  4. Transfer the hotfix packages to the Security Gateway (e.g., into /some_path_to_fix/ directory):

    • Any hardware platform (except 21600 / 21700 appliances):

      Important note: The two hotfix packages have to be placed into separate directories.

      • Transfer the first hotfix package (fw1_wrapper_HOTFIX_R75.40VS_HF_BASE_006.Gaia_SecurePlatform.tgz) into the /some_path_to_fix_1/ directory.

      • Transfer the second hotfix package (Check_Point_R75.40VS_Hotfix_HA06_017_sk92814.tgz) into the /some_path_to_fix_2/ directory.


    • 21600 / 21700 appliances:

      Transfer the second hotfix package (Check_Point_R75.40VS_Hotfix_G70_012_004_sk92814.tgz) into the /some_path_to_fix/ directory.


  5. Unpack the hotfix package(s):

    • Any hardware platform (except 21600 / 21700 appliances):

      1. First hotfix package:

        [Expert@HostName]# cd /some_path_to_fix_1/
        [Expert@HostName]# tar xvfz fw1_wrapper_HOTFIX_R75.40VS_HF_BASE_006.Gaia_SecurePlatform.tgz

      2. Second hotfix package:

        [Expert@HostName]# cd /some_path_to_fix_2/
        [Expert@HostName]# tar xvfz Check_Point_R75.40VS_Hotfix_HA06_017_sk92814.tgz


    • 21600 / 21700 appliances:

      • Second hotfix package:

        [Expert@HostName]# cd /some_path_to_fix/
        [Expert@HostName]# tar xvfz Check_Point_R75.40VS_Hotfix_G70_012_004_sk92814.tgz


  6. Install the hotfix(es):

    • Any hardware platform (except 21600 / 21700 appliances):

      Important note: The hotfixes must be installed in the given order - first 'HF_BASE_006', then 'HA06_017'.

      1. First hotfix package:

        If in VSX mode, then you must switch to context of VS0:
        [Expert@HostName]# vsenv 0
        [Expert@HostName]# cd /some_path_to_fix_1/
        [Expert@HostName]# ./fw1_wrapper_HOTFIX_GIZA_HF_BASE_006_<BUILD_NUMBER>

        Note: do NOT reboot yet.

      2. Second hotfix package:

        If in VSX mode, then you must switch to context of VS0:
        [Expert@HostName]# vsenv 0
        [Expert@HostName]# cd /some_path_to_fix_2/
        [Expert@HostName]# ./fw1_wrapper_HOTFIX_GIZA_HF_HA06_017_<BUILD_NUMBER>


    • 21600 / 21700 appliances:

      • If in VSX mode, then you must switch to context of VS0:
        [Expert@HostName]# vsenv 0
        [Expert@HostName]# cd /some_path_to_fix/
        [Expert@HostName]# ./fw1_wrapper_HOTFIX_GIZA_HF_G70_012_004_<BUILD_NUMBER>


  7. Reboot the machine.

 

If the issue with establishing a VoIP call over VPN tunnel persists, then contact Check Point Support for assistance.
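
To confirm whether the symptom is still present, the following added example (not Check Point code and not part of the original article) scans `tcpdump -nn` text output taken on the external side of the sending gateway and lists SIP/MGCP packets addressed to the remote encryption domain that appear in clear text instead of inside ESP. The default ports (SIP 5060, MGCP 2427/2727), the 10.2.2.0/24 remote network and the sample capture lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Check Point code). Reads `tcpdump -nn` text lines on stdin
# and prints each SIP/MGCP packet addressed to the remote encryption domain that
# was captured in clear text (a correctly encrypted packet shows up as ESP).
# Assumptions: default ports SIP 5060, MGCP 2427/2727; the CIDR is site-specific.
find_cleartext_voip() {
    awk -v cidr="$1" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN {
        split(cidr, c, "/")
        div = 2 ^ (32 - c[2])                 # size of the remote network
        net = int(ip2int(c[1]) / div)
        proto[5060] = "SIP"; proto[2427] = "MGCP"; proto[2727] = "MGCP"
    }
    $2 == "IP" && $4 == ">" {
        dst = $5; sub(/:$/, "", dst)
        n = split(dst, d, ".")
        if (n != 5) next                      # no port field: ESP, ICMP, ...
        if (!(d[5] in proto)) next            # not a SIP/MGCP destination port
        ip = d[1] "." d[2] "." d[3] "." d[4]
        if (int(ip2int(ip) / div) != net) next    # outside the encryption domain
        print proto[d[5]], $3, "->", dst
    }'
}

# Constructed sample capture (not real traffic).
sample_capture() {
    cat <<'EOF'
10:15:01.100001 IP 10.1.1.20.5060 > 10.2.2.30.5060: SIP: INVITE sip:1002@10.2.2.30 SIP/2.0
10:15:01.100452 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x4a1b2c3d,seq=0x1f), length 164
10:15:02.220010 IP 10.1.1.21.2427 > 10.2.2.40.2727: UDP, length 118
10:15:03.000300 IP 10.1.1.20.5060 > 192.0.2.50.5060: SIP: OPTIONS sip:192.0.2.50 SIP/2.0
10:15:03.500000 IP 10.1.1.22.51514 > 10.2.2.30.443: Flags [S], seq 1, win 64240, length 0
EOF
}

sample_capture | find_cleartext_voip 10.2.2.0/24
```

Any line printed is a packet that should have been encrypted; empty output for traffic towards the peer's encryption domain means SIP/MGCP is leaving only inside ESP.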

Applies To:
  • 01025439 , 01144173 , 00974086 , 01094332 , 01168688
