cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
8563
Views
0
Helpful
22
Replies

problems with site to site VPN

greg-bnets
Level 1
Level 1

Hi there i have a problem with a site to site connection with a company we work with. The company works with a checkpoint ngx-1 R65 en we work with Pix. The thing is that we VPN comes up. I can ping host at the company side and traffic is flowing. The company cannot access us only when we start a ping from our side only after that they can access us. We also got some socket errors on one of our apps when connecting to them.

i have debug logs attached. One is when we are sending pings to them (debug ourside.txt). and on were they are sending pings to us (debug company ping.txt .

22 Replies 22

kevin.jones1
Level 1
Level 1

ok,

the solution is a very simple one.

1) make sure that you do not NAT inside

the vpn tunnel on the checkpoint side.

In checkpoint VPN community, I am assuming

that you're using simplified mode, there

is a check box that tell you to disabble NAT

inside VPN tunnel.

2) checkpoint will tend to supper net the

interesting traffic whenever possible. I am

suspecting that is the case because it only

works once you start pinging the other side.

When the tunnel timeout, it will not work

if traffics is initiated from the other side.

To fix this, please advise the other company

to do the following:

in the VPN community properties, go to

tunnel Management, look into the "VPN

Tunnel Sharing", select "one vpn tunnel

per each pair of hosts". The default is

"one vpn tunnel per subnet pair". After that

push the policy and likely it will work after

that.

this method is not efficient but this method

is widely used when setting VPN between Checkpoint and Cisco/Juniper.

Finally, if all else fails, you may

have to go into the $FWDIR/lib of the CMA

or management and modify the user.def file.

Let me know if it works for you.

Keven,

Thanks for your reply. I contacted the company but still the same reult. Only after i started pinging they could ping us. Before that they would get "no valid SA"in their log but nothing showing up in de debug on my side. attached is the complete debug when we tested just now.

The problem is that you have phase II

mis-matched when checkpoint initiates

traffics first:

(key eng. msg.) dest= 10.10.40.1, src= 200.x.x.138,

dest_proxy= MNS/255.255.255.255/0/0 (type=1),

src_proxy= DIGICELNW1/255.255.255.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-sha-hmac ,

I've been working with both Checkpoint firewalls and Cisco Pix/IOS for about 7

years now and checkpoint is doing

suppernet on its side. That's why it fails.

Tell the folks on the Checkpoint side to run

"vpn debug ikeon" and you the utility IKEView.exe to view the debug and it will tell

you why it fails.

I've been working with both Checkpoint firewalls and Pix/IOS for about seven years now and what you see is quite typical for VPN

between checkpoint and Cisco. Use my method in previous post and it will work.

If you want to chat, put your phone here and

I will call you.

Kevin,

Checkpoint support stated that everything is good on their side. What i forgot to mention is that my pix is behind a router. i use a private address 10.10.40.1 which i nat to the public address of the outside interface out the router. They tell me that i have no static nat for inbound traffic sending IPsec traffic to the pix. Attached is the router config. Can you check it for me. The thing is when they are trying to ping first i don't see anything in de debug. also the hosts behind the firewall are nat to 10.10.40.X on the router 10.10.40.0 is nat to the public address on the outside interface. so the topology is

DMZ--> PIX----> router (3725) --->Internet--> FW checkpoint.

Thanks for helping me out. my phone number is +597-8595355

Ok now I have a better picture of what you

want to do.

Checkpoint TAC supports is correct. In order

for this to work, you need to have static

NAT for inbound traffic to send traffic to the

Pix. In your case, since you have nat everything to the public address of the outside interface so you may not have anymore

public ip addresses available. In that case,

I would do the following on the router:

ip nat inside source static udp 10.10.40.1 interface FastEthernet0/1 500

ip nat inside source static esp 10.10.40.1 interface FastEthernet0/1

In other words, you are telling the router to

forward isakmp/500 and esp traffics from

interface F0/1 on the router to the Pix.

This will allow the checkpoint to communicate

with your Pix firewall and it will work like

a charm. Make sure on the Checkpoint side,

the InterOperable Device is setup with an

ip address of 200.X.X.19. Don't forget to

tell them to re-push the policy after they

are done.

I learned about this method while preparing

for the CCIE security lab two years ago. Funny thing is that I am CCIE security certified but I know more about Checkpoint

technologies and I do with Cisco.

Let me know if this works for you.

Kevin,

Your a big help so far

There was a typo in the command.

but i changed it.

ip nat inside source static udp 10.10.40.1 500 interface FastEthernet0/1 500

instead of

ip nat inside source static udp 10.10.40.1 interface FastEthernet0/1 500

It worked. Now the company can start aping on its own. But the thing is only one host on his side can ping to my. We can't ping each other simultaneously. I also see a malformed payload in de debug. Attached the debug file. Can you help out on this.

My consulting rate is $250/hour and I think

the fee is quite reasonable since you're

getting someone who is knowledgeable with

both Cisco and Checkpoint technologies. J/K.

I am going to assume that the Checkpoint

External IP address is 200.1.211.138. Your

Pix external ip address is 10.10.40.1/24?

what is your interesting traffics? Show me

your ACL address outside1_cryptomap_20.

What is the checkpoint defined in its Local

Encryption Domain? What is the remote encryption

domain defined in the InterOperable Device for

the Pix device in Checkpoint?

It looks to me like you do not have the encryption

match between checkpoint and Cisco. That's why

it is not working as it should.

One other thing I notice is that you should change

isakmp policy 20 lifetime 28800 to "isakmp policy 20

lifetime 86400" and "crypto map outside1_map 20 set

security-association lifetime seconds 7200" to

"crypto map outside1_map 20 set security-association

lifetime seconds 3600" so that it will match with the

default setting on the Checkpoint side.

In order for me to help you, I need to see your pix

configuration ACL and the entire configuration, not

piecemeal. It looks to me like you've misconfiguration

on your Pix side. Until I can see your pix configuration,

very hard to go on from there

Keven,

I will change the isakmp policy 20 lifetime to 86400 and the security-association lifetime seconds to 3600. attached is my config of the pix. The outside 10.10.40.1 of the pix is nat to 200.X.X.19 on the router side

I appreciate your help and i certainly know what you are worth.

Here is what I recommend:

1) On the Checkpoint side, tell the checkpoint TAC person to include only host 10.10.40.5/32 and 10.10.40.6/32 for the encryption domain

of the Pix Inter-Operable Device

2) On the checkpoint side, tell the checkpoint TAC person to include digicel0, digicel3, digicel4, digicel5, digicelnw1 in his

checkpoint local encryption domain,

3) make sure everything in the VPN setting maches on both sides, INCLUDING Perfect

Forward Secrecy (PFS). There is a checkpoint

in the checkpoint vpn community for that,

Looking at your configuration more carefully,

what you're trying to do will not work

because you're terminating VPN on the outside1

interface (10.10.40.1) and your interesting

traffics is on 10.10.40.5 and 10.10.40.6.

Remember this is a Pix firewall NOT cisco IOS

so what you're trying to do, I do not think will work. The interesting traffics should

be network not on the same interface as outside1.

Keven,

The Checkpoint is configured with VPN connections to other parties as well so the encryption domain could not only consists with my hosts in it.There other settings you suggested are also in place. Host 10.10.40.5 and 10.10.40.6 are actually on the inside of the pix. (having 10.100.10.91 Nat to 10.10.40.5 and 10.100.10.92 nat to 10.10.40.6 on the outside1 interface. The thing is before we implemented the inbound nat rule on the router we could ping each other simultaneously. Only i had to start pinging first. Now only one host can ping. So this is strange.

Is there a possible work around for this?

Thanks again

Checkpoint local encryption domain can contain

other network besides 10.10.40.5 and 10.10.40.6.

What I am referring is the Pix Interoperable

device encryption domain. It can contains only

host 10.10.40.5 and 10.10.40.6.

You said:

"Host 10.10.40.5 and 10.10.40.6 are actually on the inside of the pix. (having 10.100.10.91 Nat to 10.10.40.5 and 10.100.10.92 nat to 10.10.40.6"

if that is the case then you need to REMOVE this line:

no nat (inside) 0 access-list inside_outbound_nat0_acl

because this line says NOT TO NAT 10.10.100.91 and 10.10.100.92 when going to the checkpoint side. Therefore you are telling the checkpoint side that your interesting is

actually 10.10.100.91 and 10.10.100.92 and NOT 10.10.40.5 and 10.10.40.6

remove this line and it will work.

Kevin,

Here is the thing I entered the following command on the PIX

no nat (inside) 0 access-list inside_outbound_nat0_acl

What happens now it that i can ping for instance 172 .24.197.10 (company)from 10.10.40.6 and the company can ping 10.10.40.6 just fine. I did this test continuously pinging to each other. Now i started to ping 172.20.41.199 also. I got timeouts. Only when i closed the ping to 172 .24.197.10 i could ping x.xx.199 from the company side the same. I looks like we could only ping one host at a time. Strange thing. Any thoughts on that?

Greg,

Here is what I would do:

1) tell the checkpoint guy to perform "vpn tu"

and clear tunnel between the checkpoint and

the pix,

2) what hfa is running on the checkpoint side?

Ask the TAC to run "fw ver" on the firewall

modules and paste in the output.

3) is it possible for you to ask the checkpoint TAC person to give you the file

ike.elg file while this error occurs? I can

debug that file and tell exactly what went

wrong.

Kevin,

This is what i got from them.

Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) - Build 430

see the attachment also.

thanks a million

Review Cisco Networking for a $25 gift card