One-liner: how to convert CheckPoint netconf.C routes to Gaia/Clish commands

Provided all route metrics are zeroes:

cat /etc/sysconfig/netconf.C | tr '(' ' '| tr ')' ' ' | tr '"' ' '| tr ':' ' ' | tr '\t' ' '| tr -s ' '| sed -e 's/^ //' | sed 's/routes//' | awk '/route/ {printf("set static-route ");} /dest/ {printf("%s ",$2);} /via/ {printf("nexthop gateway address %s ",$2);} /metric/ {print "on"}'

The result:

set static-route 10.13.198.160/27 nexthop gateway address 10.12.12.1 on
set static-route 10.13.198.192/27 nexthop gateway address 10.12.12.1 on
set static-route 192.168.112.0/24 nexthop gateway address 10.12.12.1 on
set static-route 192.168.113.0/24 nexthop gateway address 10.12.12.1 on
set static-route 192.168.114.0/24 nexthop gateway address 10.12.12.1 on
set static-route 192.168.115.0/24 nexthop gateway address 10.12.12.1 on
set static-route default nexthop gateway address 10.0.0.1 on

Encryption failure: Received a cleartext packet within an encrypted connection

Recently I’ve stumbled upon a strange looking site-to-site (CheckPoint R70 to Cisco VPN3k) VPN problem:

Connections from some networks were dropped with the following error:

Encryption failure: Received a cleartext packet within an encrypted connection

The first step was to check the encryption domains for the tunnel. In both GUI and /etc/fw/conf/user.def the encryption domain was the whole class B network, assigned to the company.

Next step was tracing.

Continue reading “Encryption failure: Received a cleartext packet within an encrypted connection”

CheckPoint Firewall policy parsers and converters