CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: IPSEC VPN tunnel problem between checkpoint and Juniper Gateway

  1. #1 (Join Date 2009-07-07, Posts 20)

    IPSEC VPN tunnel problem between checkpoint and Juniper Gateway

    Hello,

    I'm working with an old R65 Check Point version and I must establish an IPsec VPN tunnel with a Juniper gateway.
    I can establish the tunnel and I see packets arriving at my destination, but I get AGE-OUT messages on my second-line FW (Juniper) when they must go back.

    It seems they can't go back into the tunnel, but I don't know why.

    Could you please help me troubleshoot this problem?
    I'm out of ideas...

  2. #2 (Join Date 2012-07-10, Location Zurich, Switzerland, Posts 257)

    Re: IPSEC VPN tunnel problem between checkpoint and Juniper Gateway

    Typical problems in establishing VPNs with 3rd-party firewalls are:

    - VPN Domain content does not match the partner's definition
    - Phase 1 and Phase 2 IPsec parameters do not match (some guys use minutes and others use seconds, for example; default timer settings may differ, etc.)
    - the Check Point side is a cluster

    Checked?

  3. #3 (Join Date 2009-07-07, Posts 20)

    Re: IPSEC VPN tunnel problem between checkpoint and Juniper Gateway

    Quote Originally Posted by slowfood27:
        Typical problems in establishing VPNs with 3rd-party firewalls are:

        - VPN Domain content does not match the partner's definition
        - Phase 1 and Phase 2 IPsec parameters do not match (some guys use minutes and others use seconds, for example; default timer settings may differ, etc.)
        - the Check Point side is a cluster

        Checked?

    VPN domain: I've modified the VPN Domain by deleting the subnet and replacing it with a host, but in IKEView P2 still shows the subnet as the ID. Why?
    P1 and P2 seem correct.
    Check Point side is a cluster, yes.

    In the VPN TU CLI command, I see a lot of IKE SAs (11).
    When I enter command 7 (delete all IPsec + IKE SAs for a given peer) I still see the IKE SAs.
    Is it normal?
    Need a reboot??

  4. #4 (Join Date 2007-06-04, Posts 3,301)

    Re: IPSEC VPN tunnel problem between checkpoint and Juniper Gateway

    Check Point "helpfully" decides that it will supernet what it sends for the VPN negotiation, so if you specify a number of hosts in the same /24 then the Check Point will send a /24 for Phase 2. If you have two consecutive /24s then it will send a /23 instead; you can see the picture from this.

    If you have a Check Point Gateway at the other end then, despite you specifying individual hosts, it will happily accept the /24 sent for Phase 2.

    Juniper, along with Cisco and probably others, don't like this helpfulness from Check Point and so reject the negotiation instead, insisting on either individual /32s or separate /24 subnets, as has been specified.

    You end up having to modify the user.def files in $FWDIR/conf to force the correct subnet masking to be sent.

    Check out sk98239, as that lists which user.def file to modify, and where it can be found for the combinations of Management Servers and Gateways managed.

  5. #5 (Join Date 2009-07-07, Posts 20)

    Re: IPSEC VPN tunnel problem between checkpoint and Juniper Gateway

    We have put one host on each side and configured "One VPN tunnel per each pair of hosts".
    The tunnel is established and I receive ICMP packets, but I have AGE_OUT on the return.
    It seems packets are not directed into the tunnel on the return.

    I've noticed something with the VPN TU CLI command: I have 12 IKE SAs, and when I delete ALL IKE SAs for this peer gateway, I still have 12 IKE SAs.
    Does it seem the gateway is having troubles?

  6. #6 (Join Date 2014-04-01, Location Bath, UK, Posts 11)

    Re: IPSEC VPN tunnel problem between checkpoint and Juniper Gateway

    In regards to the Check Point supernet issue, there is a workaround that you can do without editing the user.def files, which I discovered when I was having a similar issue.

    If you have a number of hosts that need to be part of the VPN, rather than adding them as hosts, add them as a /32 network. I know this sounds odd, but it stopped my firewall sending a 10.0.0.0/8 because we had a /24 in, say, 10.1.1.0 and a host in 10.130.1.0.

    Not sure if this is still the problem, but thought it might be helpful for someone.

    Regards,
    Sam
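The Phase 2 ID behaviour described in posts #4 and #6 can be modelled to see why a Juniper peer rejects the negotiation while a Check Point peer accepts it, and what the /32-object (or "one tunnel per pair of hosts") workaround changes. The block below is an added example, not code from this thread, from Check Point or from Juniper. It assumes a simplified rule: the aggregating side proposes the smallest single prefix covering every object in its VPN domain (which reproduces the thread's examples: two aligned /24s become a /23, a /24 in 10.1.1.0 plus a host in 10.130.1.0 become 10.0.0.0/8), a strict peer accepts only an exact proxy-ID match, and a lenient peer accepts a wider ID that still covers one of its entries. Check Point's real rule is in the sk98239 article the post cites, which this page does not reproduce, so treat the covering-prefix function and both peer models as assumptions. The VPN domain and proxy-ID lists in the `__main__` section are constructed sample data.

```python
# Added example: models the Phase 2 ID aggregation ("supernetting") that
# the thread describes and checks the proposal against a peer's proxy IDs.
# The covering-prefix rule and the two peer models are simplifying
# assumptions, not the vendors' documented algorithms.
import ipaddress
from typing import Iterable, List, Set, Tuple

IPNet = ipaddress.IPv4Network


def to_net(obj: str) -> IPNet:
    """Turn a host ('10.130.1.7'), a /32 or a CIDR string into a network."""
    return ipaddress.IPv4Network(obj, strict=False)


def covering_supernet(nets: Iterable[IPNet]) -> IPNet:
    """Smallest single prefix that contains every network in `nets`.

    Assumed model of the aggregation in the thread: widen the first
    object one bit at a time until every other object fits inside it.
    """
    nets = list(nets)
    current = nets[0]
    while not all(n.subnet_of(current) for n in nets):
        current = current.supernet(prefixlen_diff=1)
    return current


def phase2_ids(vpn_domain: Iterable[str], per_object: bool) -> List[IPNet]:
    """IDs the gateway proposes for Phase 2.

    per_object=False: one covering supernet for the whole domain (the
    behaviour complained about in post #4).
    per_object=True: every object sent on its own, which is what the /32
    network objects of post #6 and "one tunnel per pair of hosts" achieve.
    """
    nets = [to_net(o) for o in vpn_domain]
    if per_object:
        return sorted(set(nets))
    return [covering_supernet(nets)]


def strict_peer_accepts(proposed: IPNet, proxy_ids: Set[IPNet]) -> bool:
    """Juniper/Cisco as described in the thread: exact proxy-ID match only."""
    return proposed in proxy_ids


def lenient_peer_accepts(proposed: IPNet, proxy_ids: Set[IPNet]) -> bool:
    """Check Point-to-Check Point as described: a wider ID that still
    covers (or sits inside) a configured entry is accepted."""
    return any(p.subnet_of(proposed) or proposed.subnet_of(p) for p in proxy_ids)


def negotiate(vpn_domain: Iterable[str], proxy_ids: Iterable[str],
              per_object: bool, strict: bool = True) -> Tuple[List[IPNet], List[IPNet]]:
    """Return (accepted_ids, rejected_ids) for our proposal against the peer."""
    peer = {to_net(p) for p in proxy_ids}
    accepts = strict_peer_accepts if strict else lenient_peer_accepts
    accepted: List[IPNet] = []
    rejected: List[IPNet] = []
    for pid in phase2_ids(vpn_domain, per_object):
        (accepted if accepts(pid, peer) else rejected).append(pid)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample data modelled on Sam's case: a /24 plus one host
    # elsewhere in 10/8, and a Juniper configured with matching proxy IDs.
    domain = ["10.1.1.0/24", "10.130.1.7"]
    juniper = ["10.1.1.0/24", "10.130.1.7/32"]
    print("aggregated, strict peer :", negotiate(domain, juniper, per_object=False))
    print("per object, strict peer :", negotiate(domain, juniper, per_object=True))
    print("aggregated, lenient peer:", negotiate(domain, juniper, per_object=False, strict=False))
```

Running it shows the aggregated proposal 10.0.0.0/8 rejected by the strict peer and accepted by the lenient one, while the per-object proposal is accepted by both; that is the difference the user.def change or the /32-object workaround is meant to produce. It does not say anything about the AGE-OUT symptom itself, which post #7 traces to missing NAT rather than to the Phase 2 IDs.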

  7. #7 (Join Date 2009-07-07, Posts 20)

    Re: IPSEC VPN tunnel problem between checkpoint and Juniper Gateway

    Problem is solved.

    I forgot to NAT the VIP in use to NAT the host source to our network.

    Thank you everybody for your help.
