CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello! First of all, excuse my English. ;-)

Preface: I am testing a brand-new Nokia IP-350 with CP-1 NGX (R60) as a replacement for our old gateway. My testbed for site-to-site IPSec testing looks like this:

(VPN_2: 10.2.0.0/16) - [int:10.1.0.1] - Nokia - [ext:a.b.c.d] -...- [ext:w.x.y.z] - FreeBSD - [int:10.2.0.1] - (VPN_1: 10.1.0.0/16)

The FreeBSD box has the racoon daemon installed and configured. In Traditional Mode everything works perfectly, but in Simplified Mode a weird problem occurs: it seems that CP-1 is trying to encrypt/decrypt packets between a.b.c.d and w.x.y.z, even if I manually define the VPN Domain as the VPN_2 network only. So, when the FreeBSD box tries to establish the IPSec connection, CP-1 complains about a "cleartext packet", and vice versa: CP-1 tries to establish an IPSec tunnel even if I just ping the FreeBSD box from the Nokia.

So, my question is very simple: how do I MAKE CP-1 not try to encrypt packets between the external interfaces in Simplified Mode?

Thank you in advance.
By default in a simplified mode VPN, the firewalls are part of the encryption domain. When the two firewalls communicate and don't encrypt the traffic, it thinks that they should, as they are in the encryption domain. I don't think there is a way around this other than using traditional mode or maybe doing a NAT when communicating between the two gateways.
There is a race condition in my case: in order to establish an IPSec tunnel with FreeBSD, CP-1 has to send some raw packets to UDP port 500 and get answers from it, but instead CP-1 complains that there is no valid SA for this link. In other words, CP-1 needs an already established IPSec tunnel with FreeBSD in order to establish an IPSec tunnel with FreeBSD! :-/ I think it is too stupid to be true! ;-)
Snip from Nokia resolution 25331...

By default the Check Point VPN-1 gateway treats the external address of the peer gateway as part of the remote encryption domain. The address can be excluded from the encryption domain by defining "NON_VPN_TRAFFIC_RULES" INSPECT macros in the "user.def" file. This can be done in the following way:

1. On the SmartCenter Server, add the following lines at the end of the file $FWDIR\lib\user.def:

#define NON_VPN_TRAFFIC_RULES \
    (dst=x.x.x.x)

The address 'x.x.x.x' is the IP address of the remote peer which should be excluded from the VPN-1 gateway's remote encryption domain.

2. Push the policy to the VPN-1 gw.

As a side note, if you make changes to the user.def file and do an upgrade, you will have to make the changes again, as the upgrade will overwrite the changes made.

Last edited by Lackie; 2006-03-31 at 05:18.
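As an added example (not from the thread, and not Check Point's or Nokia's code), a small POSIX shell script that checks whether a given user.def already carries the NON_VPN_TRAFFIC_RULES exclusion for a peer address and appends the macro only when it is missing, refusing to add a second, conflicting define. The file path, the peer address and the backup-file naming are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point: manage the
# NON_VPN_TRAFFIC_RULES macro the Nokia resolution describes, so that a
# reverted or upgraded user.def is noticed instead of silently losing the
# exclusion. The path and peer address are supplied by the caller.

# Print user.def with backslash-continued lines joined, so the two-line
# "#define NON_VPN_TRAFFIC_RULES \ (dst=...)" becomes one record.
join_continued() {
    awk '/\\$/ { sub(/\\$/, ""); joined = joined $0; next }
         { print joined $0; joined = "" }
         END { if (joined != "") print joined }' "$1"
}

# Return 0 if user.def ($1) already excludes peer address $2 via the macro.
has_non_vpn_rule() {
    [ -f "$1" ] || return 1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    join_continued "$1" |
        grep -Eq "^#define[[:space:]]+NON_VPN_TRAFFIC_RULES[[:space:]]*\(dst=${esc}\)[[:space:]]*$"
}

# Idempotently append the macro for peer $2 to user.def ($1).
# Returns 0 when present (already or now), 2 when a different definition
# exists (INSPECT would see a redefinition, so it must be merged by hand).
ensure_non_vpn_rule() {
    if has_non_vpn_rule "$1" "$2"; then
        return 0
    fi
    if [ -f "$1" ] && grep -Eq '^#define[[:space:]]+NON_VPN_TRAFFIC_RULES' "$1"; then
        echo "NON_VPN_TRAFFIC_RULES is already defined with another address in $1" >&2
        return 2
    fi
    # Keep a dated copy so the edit can be restored after an upgrade overwrites the file.
    [ -f "$1" ] && cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
    printf '#define NON_VPN_TRAFFIC_RULES \\\n    (dst=%s)\n' "$2" >> "$1"
}

# Usage: ensure_non_vpn.sh /path/to/user.def w.x.y.z
# (e.g. $FWDIR/lib/user.def on the SmartCenter, then reinstall the policy).
if [ $# -ge 2 ]; then
    ensure_non_vpn_rule "$1" "$2"
fi
```

Running has_non_vpn_rule again after each policy install is a quick way to confirm the edit survived.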
But there is another problem: after editing the /opt/CPsuite-R60/lib/user.def file and installing the policy to the CP-1 gateway, the content of this file is reverted back to the original. :-( Is this file automatically generated?
I have only one Nokia IP-350 with SmartCenter and VPN-1 Express onboard. In the /opt directory there is only one file named user.def: /opt/CPsuite-R60/lib/user.def. Can you explain to this stupid moron which file he has to edit, and where, to make himself happy?
You should be able to edit it using vi. It shouldn't change back when pushing a policy. After you edit it, cat or more the file to ensure that your changes have taken.
When I click "Policy -> Install..." in SmartDashboard's menu, the content of the file is reverted back to the original. And it's the biggest part of my problem! :-( Is there any other way to work around this problem? Maybe "chmod" or something like this? By the way, is it possible to find the aforementioned "Nokia resolution 25331" on the Internet? Google knows nothing about it... Thanks for your help and patience.
It's a resolution on the Nokia support site, support.nokia.com. You will need to be registered on the site to get access to it. If you have a support contract from Nokia you can get access.