CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Check Point (R71) to Cisco (8.3) IPSEC VPN

  #1 Check Point (R71) to Cisco (8.3) IPSEC VPN

    Hi All,

    I am trying to set up a VPN between two remote locations (ASA_1 and ASA_2) and a central location (CP_Cluster). The remote locations talk through the central location to communicate. The central location hosts all the core business services and internet breakout.

    Configuration is as follows:

    CP_Cluster (R71)- ext interface = 10.1.100.1
    encryption domain=
    10.1.1.0/24
    10.1.2.0/24
    10.1.3.0/24
    10.1.4.0/24
    10.1.5.0/24
    VPN community = pre-shared key, aes-256-sha, one VPN tunnel per subnet pair, and routing for satellites to centre, or through centre to other satellites, to internet and other VPN targets.

    ASA_1 (Cisco ASA 5510 8.3(1))- ext interface = 10.1.100.2
    encryption domain=
    10.90.0/24
    10.100.0/24

    ASA_2 (Cisco ASA 5510 8.3(1))- ext interface = 10.1.100.3
    encryption domain=
    10.1.170.0/24
    10.1.180.0/24
    10.1.190.0/24
    192.168.10.0/24

    The VPN comes up and I can pass traffic (albeit sometimes intermittently). However, on all three firewalls (CP_Cluster, ASA_1 and ASA_2) I get various errors intermittently:

    On CP_Cluster I get:

    IKE: Quick Mode Received Notication from Peer: invalid id information
    IKE: Quick Mode Sent Notification payload malformed
    encryption failure: no response from peer.
    encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information

    On ASA_1 and ASA_2 I get:

    [IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, QM FSM error (P2 struct &0xb0969630, mess id 0xca7970ef)!
    [IKEv1 DECODE]: Group = 10.1.100.1, IP = 10.1.100.1, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
    [IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
    [IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, QM IsRekeyed old sa not found by addr
    [IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, Static Crypto Map check, checking map = centr_map, seq = 1...
    [IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, Static Crypto Map check, map = centr_map, seq = 1, ACL does not match proxy IDs src:0.0.0.0 dst:0.0.0.0

    I have ensured the encryption domains are the same on both ends, and the fact that the VPN does work means I am getting P1 and P2 negotiations successfully.

    What is worrying are the error messages above and the intermittent drops in connectivity.

    Does anyone have any suggested configurations for a Check Point to ASA VPN? I looked on the net but found nothing precise and conclusive that would assist me with troubleshooting as well.

    Kind Regards
    Testing-123

  #2 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Two major things to check.

    First, make sure the community is set to negotiate on subnet, not gateway; then take a look at sk19243 for how to force negotiation to a /24 instead of super-netting.

    Also see sk42315 for changing IKE Phase I re-negotiation to the Cisco method instead of the RFC-compliant method.

  #3 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Quote Originally Posted by chillyjim View Post
    Two major things to check.

    First, make sure the community is set to negotiate on subnet, not gateway; then take a look at sk19243 for how to force negotiation to a /24 instead of super-netting.

    Also see sk42315 for changing IKE Phase I re-negotiation to the Cisco method instead of the RFC-compliant method.
    The mistake you make here is to have a VPN between different vendors. In terms of support, it is "best-effort". Different vendors tend to do their own things and bad things tend to happen.

    If the VPN is important to you, use either ALL Cisco or ALL Checkpoint. Do not mix and match. Even if you decide to go with Cisco hardware, stick with either ALL IOS platforms or ASA platforms.
    Don't even mix and match between IOS and ASA. That can be "bad" too :-(

  #4 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    The 0.0.0.0/0.0.0.0 proxy IDs means you have the 'one tunnel per gateway pair' set somewhere.
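    The following Python script is an added example, not code from this thread and not Check Point's or Cisco's. It parses the ASA_1 debug lines quoted in the first post, pulls out the Quick Mode proxy IDs (the "local"/"remote IP Proxy Subnet" lines) and checks each proposal against a crypto-map ACL, so the 0.0.0.0/0.0.0.0 "one tunnel per gateway pair" case can be told apart from a super-netted encryption domain (the sk19243 case) and from a plain domain mismatch. Assumptions: the "Received remote IP Proxy Subnet" lines and the last two proposals are constructed in the same format as the quoted ASA output; the ACL is constructed from the ASA_2 and CP_Cluster encryption domains listed in the thread; covering_supernet only illustrates what an aggregated proxy ID could look like and does not claim to reproduce the gateway's exact aggregation.

```python
"""Added example; not code from the CPUG thread, Check Point or Cisco.

Classify the proxy IDs an ASA reports in IKEv1 debug output against the
crypto-map ACL they have to match, so the situations discussed in the thread
can be told apart from the debug text alone:
  gateway-pair : 0.0.0.0/0.0.0.0 on both sides ('one tunnel per gateway pair')
  supernet     : the peer aggregated its encryption domain (the sk19243 case)
  no-match     : the encryption domains simply differ
  match        : the proxy IDs equal one ACL entry
"""
import ipaddress
import re

# Constructed sample. The first two lines are ASA_1 output quoted in the thread;
# the 'remote' lines and the last two proposals are made up in the same format
# (assumption: the ASA logs a 'remote' Proxy Subnet line after each 'local' one).
SAMPLE_DEBUG = """\
[IKEv1 DECODE]: Group = 10.1.100.1, IP = 10.1.100.1, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
[IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
[IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, Received remote IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
[IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, Received local IP Proxy Subnet data in ID Payload: Address 10.1.170.0, Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, Received remote IP Proxy Subnet data in ID Payload: Address 10.1.0.0, Mask 255.255.248.0, Protocol 0, Port 0
[IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, Received local IP Proxy Subnet data in ID Payload: Address 10.1.170.0, Mask 255.255.255.0, Protocol 0, Port 0
[IKEv1]: Group = 10.1.100.1, IP = 10.1.100.1, Received remote IP Proxy Subnet data in ID Payload: Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
"""

# Constructed ASA_2 crypto-map ACL: one entry per subnet pair, built from the
# encryption domains the thread lists for ASA_2 and CP_Cluster.
ASA2_LOCAL = [ipaddress.ip_network(n) for n in
              ("10.1.170.0/24", "10.1.180.0/24", "10.1.190.0/24", "192.168.10.0/24")]
CP_DOMAIN = [ipaddress.ip_network(f"10.1.{i}.0/24") for i in range(1, 6)]
ASA2_CRYPTO_ACL = [(loc, rem) for loc in ASA2_LOCAL for rem in CP_DOMAIN]

PROXY_RE = re.compile(
    r"Received (local|remote) IP Proxy Subnet data in ID Payload: "
    r"Address (\S+), Mask (\S+),")


def parse_proxy_ids(debug_text):
    """Return (local, remote) network pairs in the order the ASA reported them.
    A 'local' line followed by a 'remote' line forms one Quick Mode proposal."""
    pairs, local = [], None
    for line in debug_text.splitlines():
        m = PROXY_RE.search(line)
        if not m:
            continue
        # ip_network accepts a dotted mask; 0.0.0.0/0.0.0.0 becomes 0.0.0.0/0
        net = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        if m.group(1) == "local":
            local = net
        elif local is not None:
            pairs.append((local, net))
            local = None
    return pairs


def classify(pair, acl):
    """Label one proxy-ID pair against the crypto-map ACL."""
    local, remote = pair
    if local.prefixlen == 0 and remote.prefixlen == 0:
        return "gateway-pair"
    if pair in acl:
        return "match"
    # Wider than an ACL entry on both sides: the peer aggregated its domain.
    if any(al.subnet_of(local) and ar.subnet_of(remote) for al, ar in acl):
        return "supernet"
    return "no-match"


def audit(debug_text, acl):
    """Return [(local, remote, label), ...] for every proposal in the debug text."""
    return [(loc, rem, classify((loc, rem), acl))
            for loc, rem in parse_proxy_ids(debug_text)]


def covering_supernet(nets):
    """Smallest single prefix containing every network in `nets`. This only
    illustrates what an aggregated proxy ID for the Check Point domain could
    look like; the exact aggregation the gateway performs is not claimed here."""
    ordered = sorted(nets, key=lambda n: n.network_address)
    candidate, last = ordered[0], ordered[-1]
    while not last.subnet_of(candidate):
        candidate = candidate.supernet()
    return candidate


if __name__ == "__main__":
    for loc, rem, label in audit(SAMPLE_DEBUG, ASA2_CRYPTO_ACL):
        print(f"{label:13s} local={loc} remote={rem}")
    print("aggregate of CP domain:", covering_supernet(CP_DOMAIN))
```

    Run against the constructed sample it labels the three proposals gateway-pair, supernet and match; the "supernet" label is the one to look for when the ASA reports "ACL does not match proxy IDs" while the encryption domains appear identical on both ends, since a /21 offered by the peer will never equal a /24 ACL entry.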

  #5 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Hi chillyjim,

    Thanks for the KB articles. To confirm I'm reading sk19243 correctly, all these changes must be made on the SmartCentre and not the Gateways? I ask as these files also exist on the Gateway, so I guess the policy push must change these values on the gateway.

    I will try sk42315 if the above fails.

    Thanks
    Testing-123


    Quote Originally Posted by chillyjim View Post
    Two major things to check.

    First, make sure the community is set to negotiate on subnet, not gateway; then take a look at sk19243 for how to force negotiation to a /24 instead of super-netting.

    Also see sk42315 for changing IKE Phase I re-negotiation to the Cisco method instead of the RFC-compliant method.

  #6 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Hi cciesec2006,

    Thanks for the reply.

    If I had a choice then I would go with your suggestion. I'm doing some resiliency work after I get the initial VPN working, and all Cisco ASA firewalls would mean I could make use of DPD. (Site A and site B will have a direct backup link.)

    On R55 with Cisco ASA 7.0(2) I didn't have this many problems and have had VPNs working without drops. I don't believe the software versions have introduced any major changes, but I can't explain the intermittent drops.


    Thanks
    Testing-123

    Quote Originally Posted by cciesec2006 View Post
    The mistake you make here is to have a VPN between different vendors. In terms of support, it is "best-effort". Different vendors tend to do their own things and bad things tend to happen.

    If the VPN is important to you, use either ALL Cisco or ALL Checkpoint. Do not mix and match. Even if you decide to go with Cisco hardware, stick with either ALL IOS platforms or ASA platforms.
    Don't even mix and match between IOS and ASA. That can be "bad" too :-(

  #7 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Hi alienbaby,

    Thanks for the reply.

    My settings have always been 'one tunnel per subnet'. I've seen this when the encryption domains are incorrectly set on the Check Point, but I've double-checked them.

    Will report my findings next week when I have another bash at it. In the meantime I'm trying to get hold of some test kit to play with.

    Thanks
    Testing-123

    Quote Originally Posted by alienbaby View Post
    The 0.0.0.0/0.0.0.0 proxy IDs means you have the 'one tunnel per gateway pair' set somewhere.

  #8 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Quote Originally Posted by Testing-123 View Post
    Hi chillyjim,

    Thanks for the KB articles. To confirm I'm reading sk19243 correctly, all these changes must be made on the SmartCentre and not the Gateways?
    Yes, changes made on the SmartCenter.

  #9 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Quote Originally Posted by cciesec2006 View Post
    If the VPN is important to you, use either ALL Cisco or ALL Checkpoint. Do not mix and match. Even if you decide to go with Cisco hardware, stick with either ALL IOS platforms or ASA platforms.
    Don't even mix and match between IOS and ASA. That can be "bad" too :-(
    Sigh... If only the real world (tm) would allow such.

    PS. Apparently one of the IOS/ASA interoperability problems is the one discussed in sk42315. An ASA will expire/re-negotiate the Phase I SA but leave the Phase II SAs in place (or so a partner just told me).

  #10 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Quote Originally Posted by chillyjim View Post
    Sigh... If only the real world (tm) would allow such.

    PS. Apparently one of the IOS/ASA interoperability problems is the one discussed in sk42315. An ASA will expire/re-negotiate the Phase I SA but leave the Phase II SAs in place (or so a partner just told me).
    Cisco is getting bad in terms of VPNs as well. Apparently it is fixed in one ASA version but broken in the next release, similar to Checkpoint HFAs :-(

    Here is a good one: On the ASA platform, you can configure "per tunnel" to use nat-traversal but this can NOT be done on the IOS platforms. Nice work Cisco.

    It's like the right hand doesn't know what the left hand is doing.

  #11 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    I've edited the two files stated in sk19243 on my SmartCentre and pushed the policy. Should this not update the same files on the Gateway? It hasn't, and I do have SIC and can push firewall rule changes successfully (fw stat confirms this).

    I haven't set up any communities/peer gateways/rules for the VPN traffic/subnets.

    Quote Originally Posted by chillyjim View Post
    Yes, changes made on the SmartCenter.

  #12 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    No, all the info is compiled into the policy, not distributed as files.

  #13 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Quote Originally Posted by chillyjim View Post
    No, all the info is compiled into the policy, not distributed as files.
    Which does, of course, mean that one must actually push policy to distribute the changes.
    There's no place like 127.0.0.1

  #14 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Hi All,

    Just an update to say I got the VPN working and it's been stable for a week now.

    Some tips for those who might come across this thread:

    1 - sk19243 -- implement
    2 - sk42315 -- implement
    3 - Ensure the Cisco and Check Point encryption domains include the VPN peer address.
    4 - Do not use PFS (I could not get it working).
    5 - I found the Cisco crypto debugs more useful than the IKE.elg logs when troubleshooting.
    6 - If you're at the design stage, try to avoid a multi-vendor LAN-to-LAN VPN setup, especially if you need some dynamic failover.

    Kind Regards
    Testing-123

  #15 Re: Check Point (R71) to Cisco (8.3) IPSEC VPN

    Quote Originally Posted by chillyjim View Post
    Two major things to check.

    Also see sk42315 for changing IKE Phase I re-negotiation to the Cisco method instead of the RFC-compliant method.
    Thank you, thank you, thank you....
