CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: eBGP with MD5 authentication fails to establish across CP firewall.

  1. #1
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    eBGP with MD5 authentication fails to establish across CP firewall.

    I have a very simple scenario without any NATing:

    RouterA----CP_SPLAT_NGx_R70.30/R71----RouterB

    Situation #1:
    The rule on the firewall is "any any accept account".

    RouterA failed to establish eBGP with RouterB. The routers complained
    about MD5 authentication failure.

    Situation #2:
    - perform "fw unloadlocal" on the CP firewall,
    - enable IP forwarding on the SPLAT box: echo 1 > /proc/sys/net/ipv4/ip_forward

    Now RouterA and RouterB can establish eBGP with each other without any issues.

    Anyone know why?

  2. #2
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,252
    Rep Power
    15

    Re: eBGP with MD5 authentication fails to establish across CP firewall.

    Perhaps the IPS/SmartDefense signature "Non-MD5 Authenticated BGP Connections" is interfering with your traffic? Try turning it off.

  3. #3
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Re: eBGP with MD5 authentication fails to establish across CP firewall.

    Quote Originally Posted by ShadowPeak.com View Post
    Perhaps the IPS/SmartDefense signature "Non-MD5 Authenticated BGP Connections" is interfering with your traffic? Try turning it off.
    The IPS/SmartDefense profile was set to default protection.
    Last edited by cciesec2006; 2010-06-03 at 21:38.

  4. #4
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    16

    Re: eBGP with MD5 authentication fails to establish across CP firewall.

    Quote Originally Posted by cciesec2006 View Post
    The IPS/SmartDefense profile was set to default protection.
    What did it log?

  5. #5
    Join Date
    2007-07-16
    Location
    a land down under!
    Posts
    2,015
    Rep Power
    15

    Re: eBGP with MD5 authentication fails to establish across CP firewall.

    "If it makes no sense, it's probably SmartDefense...."

    Oh, hang on, it's R7x...

    "If it makes no sense, it's probably IPS...."

  6. #6
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Re: eBGP with MD5 authentication fails to establish across CP firewall.

    Quote Originally Posted by northlandboy View Post
    What did it log?
    Accept, of course. Otherwise I would know what it's about.

  7. #7
    Join Date
    2014-03-16
    Posts
    1
    Rep Power
    0

    Re: eBGP with MD5 authentication fails to establish across CP firewall.

    Hi guys,

    Has anyone found a fix to the above problem with Gaia? I have a similar situation: MD5 between eBGP peers generates a bad auth error. I have tried everything from "keep connections" while pushing policy to the "always persistent" option, no joy.

    If I put a NAT exemption on, then BGP comes up, but that means the eBGP peers are on different subnets. Please, need a little assistance. Thanks.

  8. #8
    Join Date
    2006-09-26
    Posts
    3,194
    Rep Power
    17

    Re: eBGP with MD5 authentication fails to establish across CP firewall.

    Quote Originally Posted by farooq_0923@hotmail.com View Post
    If I put a NAT exemption on, then BGP comes up, but that means the eBGP peers are on different subnets. Please, need a little assistance. Thanks.
    You need to understand a few things about eBGP:

    1- eBGP & MD5 authentication will NOT work with NAT. This is true whether your firewall is Check Point or Cisco. eBGP will work in a NAT environment WITHOUT MD5 authentication.

    2- "If I put a NAT exemption on, then BGP comes up, but that means the eBGP peers are on different subnets." In this case, you will be doing eBGP multihop. What are your concerns about eBGP multihop?

    Seems to me like it is a configuration issue with your BGP and not a firewall issue.

    Cisco also has issues with eBGP+MD5 authentication across ASA firewalls, and the work-around is:

    1- NAT exempt,
    2- disable TCP sequence number randomization (in Check Point it is in SmartDefense or IPS):

    static (inside,outside) 192.168.1.1 192.168.1.1 netmask 255.255.255.255 norandomseq nailed

    Now you can do eBGP across the ASA firewall with MD5 authentication without any issues, because the ASA will not, by default, randomize the TCP sequence and thus break BGP peering.

    Easy right?

  9. #9
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,659
    Rep Power
    10

    Re: eBGP with MD5 authentication fails to establish across CP firewall.

    Well, you haven't said how the TCP packet is changing going through the firewall, so until you figure that out you're on a search for a needle in a haystack.

    tcpdump on the inside and outside interfaces and start looking, from IP up, for changes. I think the only thing ignored is the TCP options field, which I think is where the MD5 sum is stored (could be wrong). Once you figure out what changed, then you know what you need to look into and will be free to start the cycle of complaining about support.

  10. #10
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,659
    Rep Power
    10

    Re: eBGP with MD5 authentication fails to establish across CP firewall.

    Quote Originally Posted by farooq_0923@hotmail.com View Post
    Hi guys,

    Has anyone found a fix to the above problem with Gaia? I have a similar situation: MD5 between eBGP peers generates a bad auth error. I have tried everything from "keep connections" while pushing policy to the "always persistent" option, no joy.

    If I put a NAT exemption on, then BGP comes up, but that means the eBGP peers are on different subnets. Please, need a little assistance. Thanks.
    Your eBGP speakers don't have to be on the same subnet. All you need to do is turn on eBGP multihop. That your BGP speakers have routes to each other pointing through the firewall is really the only requirement.

    That being said, anything that modifies the TCP/IP packet of the BGP session will break BGP MD5 auth (which is why NAT or ISN scrambling breaks MD5 auth), so that is why you can't use NAT or anything else that will modify the packet.

    Now that I think about it, you guys might want to see if maybe the TCP options field is getting cleared.
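An added illustration of the point made in posts #8, #9 and #10 (my own example, not code from the thread): the RFC 2385 TCP MD5 signature is computed over the IP pseudo-header, the TCP header including the sequence number, the payload and the shared key, so a firewall that rewrites the source address (NAT) or the sequence number (ISN randomization) makes the digest RouterB recomputes differ from the one RouterA sent, while a firewall that forwards the segment untouched leaves it valid. The addresses, ports, sequence numbers and key below are constructed.

```python
import hashlib
import struct
from ipaddress import IPv4Address

# Length of the TCP option block: the 18-byte MD5 option (kind 19) padded to 20 with NOPs.
MD5_OPT_LEN = 20

def tcp_md5_digest(seg, key):
    """RFC 2385 signature for the segment described by dict `seg`.

    Hashes, in order: the pseudo-header (src, dst, zero, protocol 6, segment length),
    the 20-byte TCP header with options excluded and checksum forced to zero,
    the payload, and finally the shared key.
    """
    seg_len = 20 + MD5_OPT_LEN + len(seg["payload"])
    pseudo = struct.pack("!4s4sBBH", IPv4Address(seg["src"]).packed,
                         IPv4Address(seg["dst"]).packed, 0, 6, seg_len)
    data_offset = (20 + MD5_OPT_LEN) // 4
    tcp_hdr = struct.pack("!HHIIBBHHH", seg["sport"], seg["dport"], seg["seq"],
                          seg["ack"], data_offset << 4, seg["flags"],
                          seg["window"], 0, seg["urg"])
    return hashlib.md5(pseudo + tcp_hdr + seg["payload"] + key).digest()

def peer_accepts(seg, received_digest, key):
    """What the receiving router does: recompute over the packet as it arrived
    and compare with the digest carried in the MD5 option."""
    return tcp_md5_digest(seg, key) == received_digest

# Constructed example: RouterA's SYN towards RouterB's BGP port, signed with the shared key.
KEY = b"bgp-secret"
SYN = {"src": "192.0.2.1", "dst": "198.51.100.1", "sport": 40000, "dport": 179,
       "seq": 0x1A2B3C4D, "ack": 0, "flags": 0x02, "window": 16384, "urg": 0,
       "payload": b""}

def check_after_middlebox(changes):
    """Apply the rewrites a middlebox makes (NAT changes src, ISN randomization
    changes seq) and report whether RouterB still accepts the segment."""
    sent_digest = tcp_md5_digest(SYN, KEY)   # computed by RouterA before sending
    arrived = {**SYN, **changes}             # what RouterB actually receives
    return peer_accepts(arrived, sent_digest, KEY)

if __name__ == "__main__":
    print("untouched      :", check_after_middlebox({}))                      # True
    print("NAT src        :", check_after_middlebox({"src": "203.0.113.7"}))  # False
    print("ISN randomised :", check_after_middlebox({"seq": 0x7E57C0DE}))     # False
```

When comparing inside and outside tcpdump captures as post #9 suggests, any field this function hashes (addresses, ports, sequence/ack numbers, flags, window, payload) that differs between the two captures is enough to explain the "bad auth" error.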
