topic Re: problems with site to site VPN in Network Security

problems with site to site VPN

greg-bnets — Mon, 11 Mar 2019 11:35:59 GMT

Hi there i have a problem with a site to site connection with a company we work with. The company works with a checkpoint ngx-1 R65 en we work with Pix. The thing is that we VPN comes up. I can ping host at the company side and traffic is flowing. The company cannot access us only when we start a ping from our side only after that they can access us. We also got some socket errors on one of our apps when connecting to them.

i have debug logs attached. One is when we are sending pings to them (debug ourside.txt). and on were they are sending pings to us (debug company ping.txt .

Re: problems with site to site VPN

kevin.jones1 — Tue, 27 Nov 2007 21:46:05 GMT

ok,

the solution is a very simple one.

1) make sure that you do not NAT inside

the vpn tunnel on the checkpoint side.

In checkpoint VPN community, I am assuming

that you're using simplified mode, there

is a check box that tell you to disabble NAT

inside VPN tunnel.

2) checkpoint will tend to supper net the

interesting traffic whenever possible. I am

suspecting that is the case because it only

works once you start pinging the other side.

When the tunnel timeout, it will not work

if traffics is initiated from the other side.

To fix this, please advise the other company

to do the following:

in the VPN community properties, go to

tunnel Management, look into the "VPN

Tunnel Sharing", select "one vpn tunnel

per each pair of hosts". The default is

"one vpn tunnel per subnet pair". After that

push the policy and likely it will work after

that.

this method is not efficient but this method

is widely used when setting VPN between Checkpoint and Cisco/Juniper.

Finally, if all else fails, you may

have to go into the $FWDIR/lib of the CMA

or management and modify the user.def file.

Let me know if it works for you.

Re: problems with site to site VPN

greg-bnets — Wed, 28 Nov 2007 14:40:06 GMT

Keven,

Thanks for your reply. I contacted the company but still the same reult. Only after i started pinging they could ping us. Before that they would get "no valid SA"in their log but nothing showing up in de debug on my side. attached is the complete debug when we tested just now.

Re: problems with site to site VPN

kevin.jones1 — Wed, 28 Nov 2007 16:02:13 GMT

The problem is that you have phase II

mis-matched when checkpoint initiates

traffics first:

(key eng. msg.) dest= 10.10.40.1, src= 200.x.x.138,

dest_proxy= MNS/255.255.255.255/0/0 (type=1),

src_proxy= DIGICELNW1/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

I've been working with both Checkpoint firewalls and Cisco Pix/IOS for about 7

years now and checkpoint is doing

suppernet on its side. That's why it fails.

Tell the folks on the Checkpoint side to run

"vpn debug ikeon" and you the utility IKEView.exe to view the debug and it will tell

you why it fails.

I've been working with both Checkpoint firewalls and Pix/IOS for about seven years now and what you see is quite typical for VPN

between checkpoint and Cisco. Use my method in previous post and it will work.

If you want to chat, put your phone here and

I will call you.

Re: problems with site to site VPN

greg-bnets — Wed, 28 Nov 2007 21:00:51 GMT

Kevin,

Checkpoint support stated that everything is good on their side. What i forgot to mention is that my pix is behind a router. i use a private address 10.10.40.1 which i nat to the public address of the outside interface out the router. They tell me that i have no static nat for inbound traffic sending IPsec traffic to the pix. Attached is the router config. Can you check it for me. The thing is when they are trying to ping first i don't see anything in de debug. also the hosts behind the firewall are nat to 10.10.40.X on the router 10.10.40.0 is nat to the public address on the outside interface. so the topology is

DMZ--> PIX----> router (3725) --->Internet--> FW checkpoint.

Thanks for helping me out. my phone number is +597-8595355

Re: problems with site to site VPN

kevin.jones1 — Wed, 28 Nov 2007 21:44:44 GMT

Ok now I have a better picture of what you

want to do.

Checkpoint TAC supports is correct. In order

for this to work, you need to have static

NAT for inbound traffic to send traffic to the

Pix. In your case, since you have nat everything to the public address of the outside interface so you may not have anymore

public ip addresses available. In that case,

I would do the following on the router:

ip nat inside source static udp 10.10.40.1 interface FastEthernet0/1 500

ip nat inside source static esp 10.10.40.1 interface FastEthernet0/1

In other words, you are telling the router to

forward isakmp/500 and esp traffics from

interface F0/1 on the router to the Pix.

This will allow the checkpoint to communicate

with your Pix firewall and it will work like

a charm. Make sure on the Checkpoint side,

the InterOperable Device is setup with an

ip address of 200.X.X.19. Don't forget to

tell them to re-push the policy after they

are done.

I learned about this method while preparing

for the CCIE security lab two years ago. Funny thing is that I am CCIE security certified but I know more about Checkpoint

technologies and I do with Cisco.

Let me know if this works for you.

Re: problems with site to site VPN

greg-bnets — Wed, 28 Nov 2007 23:44:27 GMT

Kevin,

Your a big help so far

There was a typo in the command.

but i changed it.

ip nat inside source static udp 10.10.40.1 500 interface FastEthernet0/1 500

instead of

ip nat inside source static udp 10.10.40.1 interface FastEthernet0/1 500

It worked. Now the company can start aping on its own. But the thing is only one host on his side can ping to my. We can't ping each other simultaneously. I also see a malformed payload in de debug. Attached the debug file. Can you help out on this.

Re: problems with site to site VPN

kevin.jones1 — Thu, 29 Nov 2007 02:03:39 GMT

My consulting rate is $250/hour and I think

the fee is quite reasonable since you're

getting someone who is knowledgeable with

both Cisco and Checkpoint technologies. J/K.

I am going to assume that the Checkpoint

External IP address is 200.1.211.138. Your

Pix external ip address is 10.10.40.1/24?

what is your interesting traffics? Show me

your ACL address outside1_cryptomap_20.

What is the checkpoint defined in its Local

Encryption Domain? What is the remote encryption

domain defined in the InterOperable Device for

the Pix device in Checkpoint?

It looks to me like you do not have the encryption

match between checkpoint and Cisco. That's why

it is not working as it should.

One other thing I notice is that you should change

isakmp policy 20 lifetime 28800 to "isakmp policy 20

lifetime 86400" and "crypto map outside1_map 20 set

security-association lifetime seconds 7200" to

"crypto map outside1_map 20 set security-association

lifetime seconds 3600" so that it will match with the

default setting on the Checkpoint side.

In order for me to help you, I need to see your pix

configuration ACL and the entire configuration, not

piecemeal. It looks to me like you've misconfiguration

on your Pix side. Until I can see your pix configuration,

very hard to go on from there

Re: problems with site to site VPN

greg-bnets — Thu, 29 Nov 2007 13:21:40 GMT

Keven,

I will change the isakmp policy 20 lifetime to 86400 and the security-association lifetime seconds to 3600. attached is my config of the pix. The outside 10.10.40.1 of the pix is nat to 200.X.X.19 on the router side

I appreciate your help and i certainly know what you are worth.

Re: problems with site to site VPN

kevin.jones1 — Thu, 29 Nov 2007 14:47:14 GMT

Here is what I recommend:

1) On the Checkpoint side, tell the checkpoint TAC person to include only host 10.10.40.5/32 and 10.10.40.6/32 for the encryption domain

of the Pix Inter-Operable Device

2) On the checkpoint side, tell the checkpoint TAC person to include digicel0, digicel3, digicel4, digicel5, digicelnw1 in his

checkpoint local encryption domain,

3) make sure everything in the VPN setting maches on both sides, INCLUDING Perfect

Forward Secrecy (PFS). There is a checkpoint

in the checkpoint vpn community for that,

Looking at your configuration more carefully,

what you're trying to do will not work

because you're terminating VPN on the outside1

interface (10.10.40.1) and your interesting

traffics is on 10.10.40.5 and 10.10.40.6.

Remember this is a Pix firewall NOT cisco IOS

so what you're trying to do, I do not think will work. The interesting traffics should

be network not on the same interface as outside1.

Re: problems with site to site VPN

greg-bnets — Thu, 29 Nov 2007 15:16:40 GMT

Keven,

The Checkpoint is configured with VPN connections to other parties as well so the encryption domain could not only consists with my hosts in it.There other settings you suggested are also in place. Host 10.10.40.5 and 10.10.40.6 are actually on the inside of the pix. (having 10.100.10.91 Nat to 10.10.40.5 and 10.100.10.92 nat to 10.10.40.6 on the outside1 interface. The thing is before we implemented the inbound nat rule on the router we could ping each other simultaneously. Only i had to start pinging first. Now only one host can ping. So this is strange.

Is there a possible work around for this?

Thanks again

Re: problems with site to site VPN

kevin.jones1 — Thu, 29 Nov 2007 15:26:18 GMT

Checkpoint local encryption domain can contain

other network besides 10.10.40.5 and 10.10.40.6.

What I am referring is the Pix Interoperable

device encryption domain. It can contains only

host 10.10.40.5 and 10.10.40.6.

You said:

"Host 10.10.40.5 and 10.10.40.6 are actually on the inside of the pix. (having 10.100.10.91 Nat to 10.10.40.5 and 10.100.10.92 nat to 10.10.40.6"

if that is the case then you need to REMOVE this line:

no nat (inside) 0 access-list inside_outbound_nat0_acl

because this line says NOT TO NAT 10.10.100.91 and 10.10.100.92 when going to the checkpoint side. Therefore you are telling the checkpoint side that your interesting is

actually 10.10.100.91 and 10.10.100.92 and NOT 10.10.40.5 and 10.10.40.6

remove this line and it will work.

Re: problems with site to site VPN

greg-bnets — Thu, 29 Nov 2007 16:23:26 GMT

Kevin,

Here is the thing I entered the following command on the PIX

no nat (inside) 0 access-list inside_outbound_nat0_acl

What happens now it that i can ping for instance 172 .24.197.10 (company)from 10.10.40.6 and the company can ping 10.10.40.6 just fine. I did this test continuously pinging to each other. Now i started to ping 172.20.41.199 also. I got timeouts. Only when i closed the ping to 172 .24.197.10 i could ping x.xx.199 from the company side the same. I looks like we could only ping one host at a time. Strange thing. Any thoughts on that?

Re: problems with site to site VPN

kevin.jones1 — Thu, 29 Nov 2007 16:42:17 GMT

Greg,

Here is what I would do:

1) tell the checkpoint guy to perform "vpn tu"

and clear tunnel between the checkpoint and

the pix,

2) what hfa is running on the checkpoint side?

Ask the TAC to run "fw ver" on the firewall

modules and paste in the output.

3) is it possible for you to ask the checkpoint TAC person to give you the file

ike.elg file while this error occurs? I can

debug that file and tell exactly what went

wrong.

Re: problems with site to site VPN

greg-bnets — Thu, 29 Nov 2007 17:20:45 GMT

Kevin,

This is what i got from them.

Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) - Build 430

see the attachment also.

thanks a million

Re: problems with site to site VPN

kevin.jones1 — Thu, 29 Nov 2007 19:12:26 GMT

Tell the checkpoint TAC that they should be

running the latest HFA, like what I have below:

[Expert@NGx_R65-1-P]# fw ver

This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006

[Expert@NGx_R65-1-P]#

Furthermore, when I look at the ike.elg file, everything looks clean.

There is an issue with the tunnel 209.16.112.254 but for the tunnel

200.x.x.19, it looks really clean. Both phase I and phase II looks

really clean so the configuration on both the checkpoint side

and your side is correct. There is one thing I am not seeing in

the checkpoint debug file is the Perfect Forward Secrecy part. Can

you check with checkpoint tac if that is in place?

Last resort will be:

1) upgrade checkpoint to HFA_02. They are on HFA_0 now,

2) upgrade your pix 6.3(4) to 6.3(5),

Or if you like you can setup a VPN tunnel with me. I have

a checkpoint NGx R65 firewall but I am running HFA_02 instead

of HFA_00

Re: problems with site to site VPN

greg-bnets — Thu, 29 Nov 2007 20:30:55 GMT

kevin,

I can't test with you right now. my email address is gregory.tai-apin@bnets.sr Is my pix config alright here? i'm sending you a debug of mine right now. and a new of a test we just did.

i can upgrade my pix but upgrading on the checkpoint side is out of the question they say.

Thanks for the offer.

Re: problems with site to site VPN

kevin.jones1 — Thu, 29 Nov 2007 20:50:33 GMT

Your Pix configuration looks correct.

Are they running Checkpoint on SecurePlatform

or Nokia IP appliance? I remember running

into this issue about two years ago but that

was between my checkpoint NG AI firewall running

on Secureplatform and the other side is a

Cisco IOS router.

I look at the ike10.elg file and everything

looks good on the checkpoint side. Both

phase I and Phase II are properly exchanged.

Re: problems with site to site VPN

greg-bnets — Thu, 29 Nov 2007 20:54:54 GMT

Kevin,

I don't know yet which platform. i will ask them. But have you seen things in de debug 3.txt file? What can you make of it. I will upgrade to 6.3(5) look for the upgrade document online now. As soon as i find it i will upgrade.

Re: problems with site to site VPN

kevin.jones1 — Thu, 29 Nov 2007 21:06:28 GMT

do you have remote access VPN terminate on this

Pix firewall? your IPSec phase II looks

strange with 0.0.0.0/0