02-18-2009 01:46 AM
Hi.
We observe strange behaviour on a VPN between a Cisco router (LAN A) and a Checkpoint (LAN B).
More details:
* checkpoint secureplatform NGX R65 HFA_30, Hotfix630 Build 007
* Cisco Router 2801 with IOS c2801-advsecurityk9-mz.124-2.T.bin
In the host-to-site VPN (Cisco-Checkpoint) on these appliances, some hosts in LAN B (behind the Checkpoint) are unreachable.
When one of these unreachable hosts in LAN B pings the host in LAN A, it becomes reachable.
Checkpoint's VPN Domain and router's crypto map access lists are correctly aligned.
Checkpoint Tunnel Management is configured as 'One VPN tunnel per subnet pair'; also SolutionID sk16536 was applied to avoid network summarization.
The output of "sh crypto ipsec sa" on the Cisco router shows me a lot of host-to-host tunnels and not host-to-site: is this normal behaviour?
The host defined in LAN A checks the hosts in LAN B every 5 minutes; in the Checkpoint log I cannot find any info about the IKE session going down.
Details are in the attached 'sh crypto ipsec sa.txt'.
Are there any best practices for this kind of configuration?
Instead of the current host-to-site, could a site-to-site configuration (with an ACL to authorize only the LAN A host) solve this trouble?
Regards.
02-18-2009 02:04 AM
Hi,
It's not desirable to have host-to-host SAs between two networks.
This looks to be an encryption domain issue, which is common with Checkpoints. The only way to guarantee that the encryption domain behaviour is predictable is to read the Checkpoint "VPN-1 VPN Interoperability" pdf and use the "subnet_for_range_and_peer" parameter in your user.def file. Match this up with your ACL on the Cisco side.
Regards
02-18-2009 02:33 AM
Hi James,
thank you for your quick reply.
> This looks to be an encryption domain issue, which is common with Checkpoints. The only way to guarantee that the encryption domain behaviour is predictable is to read the Checkpoint "VPN-1 VPN Interoperability" pdf and use the "subnet_for_range_and_peer" parameter in your user.def file. Match this up with your ACL on the Cisco side.
I've already seen this doc: _all_ subnets defined in the Checkpoint VPN Domain are interesting for this tunnel; I don't have to define ranges.
Would the Cisco router and Checkpoint VPN config details be useful?
02-18-2009 03:00 AM
"'subnet_for_range_and_peer' parameter in your user.def file"
- This is NOT necessarily in Checkpoint NGX.
- Instead of "exchange key per subnets", use "exchange key per hosts".
- Use "vpn debug ikeon" to find out what is going on. You can use IKEView.exe to view the debug. It will tell you EXACTLY what goes wrong.
02-18-2009 06:03 AM
> Instead of "exchange key per subnets", use "exchange key per hosts".
I did that.
> Use "vpn debug ikeon" to find out what is going on. You can use IKEView.exe to view the debug. It will tell you EXACTLY what goes wrong.
Ok, I attach the debug to this post (file called ike.elg).
The VPN seems unbalanced: when I try to reach a host behind the Checkpoint from the Cisco LAN, the ping is unsuccessful, but when I do the same thing from the Checkpoint LAN to the Cisco host, the host in LAN B becomes reachable.
I cannot find useful information in the IKE debug: is there any interesting info about the traffic?!
02-18-2009 06:54 AM
I looked at the ike.elg file and I am seeing this, assuming that 195.234.232.30 is the Cisco VPN peer:
1- The Checkpoint sends encryption domain host 192.168.18.176 to encryption domain host 192.168.235.15,
2- The Checkpoint receives encryption domain host 192.168.235.15 to encryption domain network 192.168.19.0/24,
3- The Checkpoint receives encryption domain host 192.168.235.15 to encryption domain network 192.168.18.0/24,
4- The Checkpoint receives encryption domain host 192.168.235.15 to encryption domain network 10.0.1.0/24,
5- The Checkpoint sends encryption domain host 192.168.18.3 to encryption domain host 192.168.235.15,
6- The Checkpoint sends encryption domain host 192.168.18.8 to encryption domain host 192.168.235.15,
7- The Checkpoint sends encryption domain host 192.168.18.8 to encryption domain host 192.168.235.15,
This is where you have the mis-match in the encryption domain.
02-18-2009 07:03 AM
> This is where you have the mis-match in the encryption domain.
Yep, you're right.
The ACL on the Cisco router follows:
ip access-list extended Checkpoint
permit ip host 192.168.235.15 192.168.19.0 0.0.0.255
permit ip host 192.168.235.15 10.0.1.0 0.0.0.255
permit ip host 192.168.235.15 172.16.100.0 0.0.0.255
permit ip host 192.168.235.15 172.30.10.0 0.0.0.255
permit ip host 192.168.235.15 172.20.20.0 0.0.0.255
permit ip host 192.168.235.15 192.168.18.0 0.0.0.255
Why are SAs 5-6-7 created 'by host'?
02-18-2009 07:49 AM
Are you sure you have the encryption domains matching on both sides? From the debug, I can clearly see that they do NOT.
02-18-2009 08:22 AM
The Checkpoint VPN Domain includes 6 subnets, but only 3 of these are listed in the Security tab.
We've updated the crypto map access-list on the Cisco side (now only these 3 subnets defined in the CP 'Security Tab' are there), and now all hosts have become reachable.
Does this config look right to you?
02-18-2009 09:25 AM
"but only 3 of these are listed in the Security tab."
That's just the access rules. It has nothing to do with the encryption domain.
The problem with Checkpoint VPN is that the encryption domain is not as flexible as on Cisco IOS devices. In Cisco IOS, the encryption domain is defined as "interesting" traffic, and you can have a different "interesting" traffic ACL for different tunnels. Not so in Checkpoint. It's a bit harder to get it right in Checkpoint.
Anyway, your config looks good, unless one of the 3 subnets on the CP side decides to talk to a network behind the router which is not part of the encryption domain, and then you will be in trouble again.
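The mismatch the thread found by hand (host-level selectors from the Checkpoint against subnet-level entries in the Cisco crypto ACL) can be checked mechanically. The script below is an added example, not code from the thread or from either vendor: it parses the crypto-map ACL posted above into (src, dst) proxy-ID pairs and classifies each selector pair the Checkpoint proposed as an exact mirror of an ACE, narrower than an ACE but inside it, or outside every ACE. The proposal list is constructed from the ike.elg summary in the thread (the 192.168.19.0/24 mirror and the 10.10.10.0/24 entry are assumed, added to show the other two outcomes); function names are my own. Whether a responder accepts a narrower selector is device policy, but the host-to-host SAs the poster saw in "sh crypto ipsec sa" are what the "covered" case produces when it does.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
ProxyId = Tuple[Net, Net]  # (source selector, destination selector), as the Cisco sees it

# Constructed copy of the crypto-map ACL posted in the thread.
CISCO_ACL = """
ip access-list extended Checkpoint
 permit ip host 192.168.235.15 192.168.19.0 0.0.0.255
 permit ip host 192.168.235.15 10.0.1.0 0.0.0.255
 permit ip host 192.168.235.15 172.16.100.0 0.0.0.255
 permit ip host 192.168.235.15 172.30.10.0 0.0.0.255
 permit ip host 192.168.235.15 172.20.20.0 0.0.0.255
 permit ip host 192.168.235.15 192.168.18.0 0.0.0.255
"""

# Quick Mode selectors as (Checkpoint side, Cisco side). The first three are the
# host-level proposals listed from ike.elg in the thread; the last two are assumed
# extras added to show an exact mirror and a selector outside every ACE.
CHECKPOINT_PROPOSED = [
    ("192.168.18.176/32", "192.168.235.15/32"),
    ("192.168.18.3/32", "192.168.235.15/32"),
    ("192.168.18.8/32", "192.168.235.15/32"),
    ("192.168.19.0/24", "192.168.235.15/32"),  # assumed: exact mirror of an ACE
    ("10.10.10.0/24", "192.168.235.15/32"),    # assumed: not in the ACL at all
]


def _wildcard_to_prefixlen(wildcard: str) -> int:
    """Turn a Cisco wildcard (inverse) mask into a prefix length. A discontiguous
    wildcard is legal in an ACL but has no subnet form, so it can never be a proxy ID."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard {wildcard} has no subnet equivalent")
    return prefixlen


def _parse_term(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one address term ('host A', 'any' or 'A WILDCARD') starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    prefixlen = _wildcard_to_prefixlen(tokens[i + 1])
    # strict=False: the mask, not any stray host bits, decides what the ACE covers
    return ipaddress.ip_network(f"{tokens[i]}/{prefixlen}", strict=False), i + 2


def cisco_acl_to_proxy_ids(acl_text: str) -> List[ProxyId]:
    """Extract (src, dst) selector pairs from the 'permit ip ...' entries of a crypto ACL.
    Only those lines drive IKE proxy IDs; deny lines and other protocols are skipped."""
    ids: List[ProxyId] = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["permit", "ip"]:
            continue
        src, i = _parse_term(tokens, 2)
        dst, _ = _parse_term(tokens, i)
        ids.append((src, dst))
    return ids


def classify_proposals(acl_ids: List[ProxyId], proposals) -> Dict[str, List[ProxyId]]:
    """Relate each peer proposal (peer side, Cisco side) to the crypto ACL:
    'exact'   - mirrors an ACE (src == Cisco side, dst == peer side): one SA per subnet pair
    'covered' - inside an ACE but narrower: yields host-to-host SAs if the responder accepts it
    'none'    - outside every ACE: no SA can be built for it"""
    result: Dict[str, List[ProxyId]] = {"exact": [], "covered": [], "none": []}
    for peer_side, cisco_side in proposals:
        pid = (ipaddress.ip_network(cisco_side), ipaddress.ip_network(peer_side))
        if pid in acl_ids:
            result["exact"].append(pid)
        elif any(pid[0].subnet_of(s) and pid[1].subnet_of(d) for s, d in acl_ids):
            result["covered"].append(pid)
        else:
            result["none"].append(pid)
    return result


if __name__ == "__main__":
    acl_ids = cisco_acl_to_proxy_ids(CISCO_ACL)
    for kind, pids in classify_proposals(acl_ids, CHECKPOINT_PROPOSED).items():
        for src, dst in pids:
            print(f"{kind:8} {src} -> {dst}")
```

Anything that lands in "covered" or "none" is an encryption domain object on the Checkpoint side (a host, range or group rather than a network object) that does not line up with an ACE, which is exactly where the debug analysis above put the mismatch.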