CPUG: The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.
Dear Fellow members,

We are trying to establish a VPN tunnel with one of our customers who has a Netscreen at their end. Ours is NGX R65 with HFA02 & HF_602. Local encryption domain is 172.20.4.0/28. Remote encryption domain is 10.2.0.0/18.

When we tried pinging from one of the machines in the local Enc Domain to the remote Enc domain, we see only Phase 1 is coming up; Phase 2 is not completing. CP Tracker shows "No Valid SA", whereas Netscreen logs show "No policy exists for the proxy ID received".

I tried all three options under Tunnel Management:

1) SA creation per host. (IKEView logs show it's perfect; Check Point proposes an SA for individual hosts only for the local network against the remote subnet (10.2.0.0/18). The same is also established from the Netscreen logs, but it fails at their end also, saying that no policy exists for the received proxy ID.)

2) Similarly tried unique SA per subnet; in this also IKEView shows that for Quick Mode packet 1, it proposes SA creation between 172.20.4.0/28 and 10.2.0.0/18. Netscreen logs too establish that both encryption domains are perfect, but it is failing due to no local policy for the received proxy ID.

In both cases, IKEView shows that the Check Point box hears nothing back from the Netscreen end. No Quick Mode packet 2 received from peer.

3) If we choose SA between GW to GW, then Check Point sends the local enc domain as 0.0.0.0, hence failing.

Please suggest how to make it work. It did come up once the customer end initiated traffic from his end. Maybe because Check Point is loose in checking the network masks. Could not capture logs as we had to stop for the day. Will resume the testing tomorrow.

Your valuable feedback will be highly appreciated.

Regards,
-=KIK=-
Dreambuddy,

This site has helped me quite a bit when trying to set up inter-vendor IPsec tunnels: Documentation Profiles for IPsec Interoperability. They have a standard profile for a lot of different types of devices, among others Netscreen and Check Point.

Regards,
Maarten.
Thanks msjouw for such a nice, resourceful link. Thanks Tdvit for your reply.

We have resolved this issue. The issue was at the Netscreen end. That guy had configured PFS at his end in Phase 2 (g2-esp-aes128-sha), which was causing the issue.

SmartView Tracker showed "Packet Encrypted" once while initially testing the connectivity. This was when we generated traffic from our end, and the tunnel always used to come up when the Netscreen guy generated traffic from his end. So we derived the conclusion that it was something to do with the subnet proposal only. But the Netscreen logs used to show correct remote proxy IDs (my encryption domain). While we used to get a notification for Quick Mode packet 1 from the peer as "No Proposal Chosen", we didn't tally the parameters, as we thought that since the tunnel used to come up when the other guy was generating traffic, the parameters would not be an issue. This assumption delayed the troubleshooting.

Regards,
-=KIK=-
Yeah, the Netscreens are very temperamental with VPNs to Check Point. I had to get one up and running for a customer on Friday and they insisted the rulebase was simplified. They would not try to get it going with a traditional rulebase, so I obliged, but we still had lots of issues. It required that the encryption domain we were using for the Netscreen on our side was a subnet as opposed to hosts, but they needed to do lots of fiddling with the Netscreen. The Netscreen engineer was saying the reason it would not work with traditional was because for each separate TCP connection created a separate SA is also created! (bull!) But the customer who had me on site did not want to waste any time trying to get it working with traditional, so we went ahead and converted the rulebase to simplified.

__________________
tdvit CCSA CCSE
Tdvit,

Based on my recent tryst with Netscreen (some SSG model), I could summarize my experience as follows:

1) Netscreen doesn't have an option to club multiple networks or hosts, or maybe discontiguous hosts, as proxy IDs (encryption domain). It has to be either an individual network or a host. It's not as flexible as Check Point, wherein we can define anything as the encryption domain.

2) Always insist on Simplified mode in Check Point. This should be the way to go. We are on NGX nowadays, not on FW 4.1.

3) In Simplified mode under Tunnel Properties, we have options to have the IPsec SA based on individual hosts (avoid this if not required; it comes heavy on CPU), SA based on network range (one SA for the whole network) and SA between gateway to gateway (for Netscreen it didn't work for me; my end CP box proposes 0.0.0.0 as my subnet information).

_________________________________________

Now for Netscreen you have to work by keeping the Point 1 constraint in mind and see what the local and remote encryption domains are. Choose the Tunnel Properties appropriately. E.g. if you have 172.16.1.0/24 as your local Enc domain and 192.168.1.0/24 as your remote Enc domain, make sure the Netscreen guy configures the remote proxy ID exactly as 172.16.1.0/24 and you choose SA per subnet to subnet. Once that is done, make sure CP is also proposing 172.16.1.0/24 as the local Enc domain while you generate traffic from your end to the Netscreen. It does happen sometimes that Check Point proposes the local network as a summarised network (classful), i.e. 172.16.0.0/16. Beware, a well-known CP behaviour. I'll try to share the CP VPN Interoperability doc if I find the link; had it some time back.

Please note you can't make an SA per host here, because in that case your individual hosts (/32) will be proposed by Check Point and the Netscreen was expecting 172.16.1.0/24, hence it would fail Phase 2. Netscreen is particular about it.

Above all findings are based on my experience with Netscreen; maybe I could be slightly wrong somewhere in my assumptions, hence putting this disclaimer in last :-)).

Regards,
-=KIK=-

Last edited by dreambuddy; 2008-08-11 at 19:34. Reason: paragraph alignment
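The two failure modes described in this thread (proxy IDs that do not match the peer's policy, and a Phase 2 parameter mismatch such as PFS enabled on one side only) can be modelled in a few lines. The following is an added worked example, not code from the thread or from either vendor: it models how the three Check Point Tunnel Management settings turn a triggering packet into a proxy-ID pair, how a strict peer (as the Netscreen is described here) accepts or rejects that pair, and what a classful summarisation of the local domain would look like. The function names, the `Phase2Params` record and the sample addresses are assumptions chosen for illustration; the error strings are the ones quoted in the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of the Phase 2 (Quick Mode) checks discussed in the thread.
# It models selectors (proxy IDs) and parameter agreement, not the IKE packet
# format; names and sample values are assumptions, not vendor APIs.


@dataclass(frozen=True)
class Phase2Params:
    encryption: str            # e.g. "aes128"
    integrity: str             # e.g. "sha1"
    pfs_group: Optional[int]   # DH group when PFS is on, None when PFS is off


def _containing(networks, addr):
    """Return the configured network that contains addr, or None."""
    addr = ip_address(addr)
    for net in networks:
        if addr in net:
            return net
    return None


def checkpoint_proposal(src, dst, local_domain, remote_domain, mode):
    """Proxy IDs the gateway proposes in Quick Mode packet 1 for a packet
    src -> dst, for the three Tunnel Management settings named in the thread.
    Returns (local_id, remote_id), or None when the packet is outside the
    encryption domains (no VPN match, so no Phase 2 at all)."""
    local = [ip_network(n) for n in local_domain]
    remote = [ip_network(n) for n in remote_domain]
    lnet, rnet = _containing(local, src), _containing(remote, dst)
    if lnet is None or rnet is None:
        return None
    if mode == "per_host":      # SA per host: local /32 against the remote subnet
        return (ip_network(f"{src}/32"), rnet)
    if mode == "per_subnet":    # one SA per subnet pair
        return (lnet, rnet)
    if mode == "gateway":       # one SA per gateway pair: all-zero selectors
        return (ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"))
    raise ValueError(f"unknown tunnel management mode: {mode}")


def netscreen_phase2(proposal, cp_params, policy_local, policy_remote, ns_params):
    """Strict peer side: the received proxy IDs must equal the policy's
    remote/local pair exactly, then the Phase 2 parameters (PFS included)
    must agree. Returns the outcome as the thread's log text."""
    local_id, remote_id = proposal
    ns_local, ns_remote = ip_network(policy_local), ip_network(policy_remote)
    # Sides are mirrored: the initiator's local ID is the peer's remote proxy ID.
    if (local_id, remote_id) != (ns_remote, ns_local):
        return "No policy exists for the proxy ID received"
    if cp_params != ns_params:
        return "No Proposal Chosen"
    return "SA established"


def classful_summary(network):
    """Classful supernet of a network, i.e. what a gateway that summarises
    172.16.1.0/24 to 172.16.0.0/16 would propose. Compare it against the
    subnet the peer actually expects."""
    net = ip_network(network)
    first_octet = int(str(net.network_address).split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return net.supernet(new_prefix=prefix) if net.prefixlen > prefix else net


if __name__ == "__main__":
    # Sample values taken from the thread: local 172.20.4.0/28, remote 10.2.0.0/18,
    # peer policy with PFS group 2 (g2-esp-aes128-sha) while our side has PFS off.
    cp_side = Phase2Params("aes128", "sha1", pfs_group=None)
    ns_side = Phase2Params("aes128", "sha1", pfs_group=2)
    local, remote = ["172.20.4.0/28"], ["10.2.0.0/18"]
    for mode in ("per_host", "per_subnet", "gateway"):
        prop = checkpoint_proposal("172.20.4.5", "10.2.1.10", local, remote, mode)
        result = netscreen_phase2(prop, cp_side, "10.2.0.0/18", "172.20.4.0/28", ns_side)
        print(f"{mode:11s} proposes {prop[0]} <-> {prop[1]}: {result}")
    print("classful summary of 172.16.1.0/24:", classful_summary("172.16.1.0/24"))
```

Run as-is it reproduces the sequence in the thread: per-host and gateway-to-gateway modes are rejected on the proxy ID, per-subnet mode gets past the proxy-ID check and is then rejected with "No Proposal Chosen" because only the peer has PFS enabled; set `pfs_group` to the same value on both sides and the per-subnet case establishes. The `classful_summary` helper is the check to run when the peer expects a /24 but IKEView shows the gateway proposing the /16.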
Boy, I want you as a customer. I have one that, instead of going to Simplified mode (right now the only VPN is remote access), bought a Netscreen because "Check Point's VPN is broken".