CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: IPSEC VPN with Amazon VPC

  1. #1 (Join Date: 2006-10-18, Posts: 53)

    IPSEC VPN with Amazon VPC

    Hi

    We are trying to establish a site to site VPN with one of our AWS VPC.
    First we tried with our main site (running Gaia R77) and it worked great.
    Then we have been trying with another branch running UTM Edge NW with firmware 8.2.48n, but we cannot establish the tunnel at all. It fails with "Invalid payload type" or sometimes with "possibly a mismatch in the preshared key".
    All the parameters match, so we are at a loss as to what it could be.
    We managed the Gaia R77 with SmartDashboard, but for the UTM Edge it is just using the web admin pages.

    Has anyone got a similar issue or any idea?
    Are there any extra steps on the UTM using any command lines? Or is it a known firmware issue? (We are always hesitant to upgrade firmware at other branches in different time zones!)

    Your input would be appreciated

    Thanks

  2. #2 (Join Date: 2013-09-25, Location: Bucharest, Posts: 649)

    Re: IPSEC VPN with Amazon VPC

    Quote Originally Posted by 20100:
    Hi

    We are trying to establish a site to site VPN with one of our AWS VPC.
    First we tried with our main site (running Gaia R77) and it worked great.
    Then we have been trying with another branch running UTM Edge NW with firmware 8.2.48n, but we cannot establish the tunnel at all. It fails with "Invalid payload type" or sometimes with "possibly a mismatch in the preshared key".
    All the parameters match, so we are at a loss as to what it could be.
    We managed the Gaia R77 with SmartDashboard, but for the UTM Edge it is just using the web admin pages.

    Has anyone got a similar issue or any idea?
    Are there any extra steps on the UTM using any command lines? Or is it a known firmware issue? (We are always hesitant to upgrade firmware at other branches in different time zones!)

    Your input would be appreciated

    Thanks
    Help me with this: is there a CLI available on the UTM Edge so you can use debug commands like vpn debug ikeon / vpn debug trunc?

  3. #3 (Join Date: 2007-06-04, Posts: 3,299)

    Re: IPSEC VPN with Amazon VPC

    http://dl3.checkpoint.com/paid/36/Co...78855&xtn=.pdf

    For R77.10/R77.20 they have to do Route Based VPNs.
    The above document talks through configuring Route Based VPNs on Edges.
    It is a little old in terms of screenshots but MAY work.

    https://supportcenter.checkpoint.com...&product=IPsec

    This is the only information I have found for connecting to AWS from a Check Point gateway, but that is for a regular gateway, not an Edge. As such I am not sure you would be able to get an Edge to communicate with AWS, but the doc is probably your best shot at it.


    The CLI on an Edge is completely different to SPLAT or Gaia. vpn debug etc. don't exist as those commands. There is a CLI, but it is different. The 1100s, however, use more regular CLI tools that you would be more familiar with from the regular SPLAT/Gaia platforms.

  4. #4 (Join Date: 2006-10-18, Posts: 53)

    Re: IPSEC VPN with Amazon VPC

    Quote Originally Posted by laf_c:
    Help me with this: is there a CLI available on the UTM Edge so you can use debug commands like vpn debug ikeon / vpn debug trunc?
    Hi, the CLI is very basic (either via HTTP or SSH) and there is no equivalent to vpn debug ikeon etc.

    Mcnallym, unfortunately I do not have the correct privilege to download the first document you mentioned, even though I am correctly logged on to the Check Point support web site (with numerous contracts!). Would you be able to attach it here or PM me the file?

    I also found a document on Check Point (not sure if it is the same) that did not make too much sense to me.
    I was able to set up a standard IPsec VPN with the VPC from the (Gaia) main gateway, so it looks like there is some sort of shortfall on the UTM.

    Looking at the settings from SSH on the UTM:

    Phase-1
    Security: AES-128/SHA1
    Rekey Time: 28800
    DH Group: 2
    Phase-2
    Security: AES-128/SHA1
    IP Compression: Disabled
    PFS: Disabled
    DH Group: 2
    Rekey [KBytes]: 3840000
    Rekey [Sec]: 3600
    Options
    Link Selection: Single IP
    Permanent Tunnel: False
    Bypass FW: False
    Bypass NAT: True
    Subnet Mode: Per-subnet
    MEP: disabled


    I can see the "Subnet Mode" set to "Per-subnet".
    I wonder if it should be set to something like "Per-gateway", but I do not know how to change it via HTTP.
    I will try via the command line and let you know.

    In the meantime, if someone else has any idea or experience with UTM and AWS, that would be great!

    Cheers

  5. #5 (Join Date: 2009-04-30, Location: Colorado, USA, Posts: 2,248)

    Re: IPSEC VPN with Amazon VPC

    Quote Originally Posted by 20100:
    Hi, the CLI is very basic (either via HTTP or SSH) and there is no equivalent to vpn debug ikeon etc.

    Mcnallym, unfortunately I do not have the correct privilege to download the first document you mentioned, even though I am correctly logged on to the Check Point support web site (with numerous contracts!). Would you be able to attach it here or PM me the file?
    Try this link for the first document:

    http://downloads.checkpoint.com/dc/download.htm?ID=6940

    I also found a document on Check Point (not sure if it is the same) that did not make too much sense to me.
    I was able to set up a standard IPsec VPN with the VPC from the (Gaia) main gateway, so it looks like there is some sort of shortfall on the UTM.

    Looking at the settings from SSH on the UTM:

    Phase-1
    Security: AES-128/SHA1
    Rekey Time: 28800
    DH Group: 2
    Phase-2
    Security: AES-128/SHA1
    IP Compression: Disabled
    PFS: Disabled
    DH Group: 2
    Rekey [KBytes]: 3840000
    Rekey [Sec]: 3600
    Options
    Link Selection: Single IP
    Permanent Tunnel: False
    Bypass FW: False
    Bypass NAT: True
    Subnet Mode: Per-subnet
    MEP: disabled


    I can see the "Subnet Mode" set to "Per-subnet".
    I wonder if it should be set to something like "Per-gateway", but I do not know how to change it via HTTP.
    I will try via the command line and let you know.

    In the meantime, if someone else has any idea or experience with UTM and AWS, that would be great!

    Cheers
    The Subnet Mode is part of IKE Phase 2, but it sounds like you are blowing up with IKE authentication in Phase 1. Any special characters in your pre-shared secret? Try using just upper/lower-case letters and numbers if possible; some special characters like punctuation may not agree with the UTM Edge.

    Try taking a packet capture of port 500 from Setup - Tools - Sniffer on the Edge. As long as you are blowing up in Phase 1 that will be in the clear, so you can see it; if you are blowing up in Phase 2 you won't be able to decode anything with the sniffer.

  6. #6 (Join Date: 2006-10-18, Posts: 53)

    Re: IPSEC VPN with Amazon VPC

    Hi

    Thanks for the link. I was able to download the document. It looks complex to me; I will read it in detail. I did not have to go through all that on the R77 Gaia.

    I tried a third tunnel with another UTM Edge branch and got exactly the same issue.
    From the logs (screenshot attached), it fails on Phase 1. It also complains about the L2TP server, not sure why!

    AWS provides you with all the settings, including the secret password.
    For example, here we have: XzjumUerlV1hWYj28O7bd73yo7xm7Z6e
    I just wonder if the key is too long for the UTM.

    As for the subnet mode I was wondering about before, I could not find a way to change its value. It does not seem to be the issue anyway, from what you tell me.


    I will try the route-based VPN track and report back.

    [Attached screenshot: aws_vpn.jpg]

  7. #7 (Join Date: 2006-10-18, Posts: 53)

    Re: IPSEC VPN with Amazon VPC

    Hi

    I tried the VPN route-based setup and got a similar result.
    I used the sniffer and Wireshark, but to be honest, I did not know what I needed to look at.

    I only found the following error (attached); I don't know what exactly it means.

    Not sure what to do from here.

    [Attached screenshot: aws_vpn1.jpg]

  8. #8 (Join Date: 2009-04-30, Location: Colorado, USA, Posts: 2,248)

    Re: IPSEC VPN with Amazon VPC

    If you are sure that the pre-shared secret is correct, another thing that can cause a blowup at packet 5 is NAT Traversal (NAT-T) failing to start; the two firewalls attempt to detect whether there is NAT between them in IKE Phase 1 packets 3 and 4. If one side tries to start NAT-T but the other one doesn't, that will cause the invalid payload error you are seeing. See this thread:

    https://www.cpug.org/forums/showthre...9221#post79221

    Is there NAT (or another firewall or router with ACLs) between the Edge firewalls and Amazon AWS? It could be blocking the UDP 4500 traffic required for NAT-T to function. Perhaps your Gaia firewall was able to use NAT-T successfully but the Edges could not for some reason; it looks like they support NAT-T by default, though.

  9. #9 (Join Date: 2006-10-18, Posts: 53)

    Re: IPSEC VPN with Amazon VPC

    Hi

    I cannot be 100% sure what devices are in front of the UTM devices. In one branch it is a Cisco router, but we are not NATing.
    On the other one, the UTM is directly plugged into the telco MTU.
    I checked the security settings on both UTMs and UDP 4500 is allowed from ANY to ANY.

    At this stage I strongly suspect the issue is with the secret password. I replaced the password supplied by AWS with a test one, and I got exactly the same error messages both in the UTM logs and in the sniffer.
    The password from AWS is quite long.
    Does someone know for sure whether there is any limit on the password length on the UTM?

    Thanks

  10. #10 (Join Date: 2006-10-18, Posts: 53)

    Re: IPSEC VPN with Amazon VPC

    Hi

    Looks like a known issue: https://forums.aws.amazon.com/thread...523250&#523250

    The secret password seems to be limited to 25 characters on the UTM.

    I can try pushing Amazon to allow shorter keys (but that is unlikely to happen soon)!

    Does someone know of any tool to manually enter a key > 25 characters on the UTM?

    Does someone know the procedure to request a new feature from Check Point to change the max length?

    Thanks
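The two diagnostic steps the thread converges on, reading the Phase 1 packets from the port 500 sniffer capture (post #5) to see which side offered NAT-T detection in packets 3 and 4 (post #8), and checking the pre-shared key against the 25-character, letters-and-digits limits the poster ran into (posts #5 and #10), can be scripted. The following is an added example, not code from Check Point, AWS, or anyone in this thread. It assumes only the ISAKMP wire format from RFC 2408 and the NAT-D payload type (20) from RFC 3947; the PSK limits are the ones reported here and are not verified independently. The datagrams it parses are constructed test data, not a real capture.

```python
"""Triage helpers for an IKEv1 (ISAKMP) Main Mode capture on UDP/500.

Constructed example: not Check Point's, AWS's or any poster's code.  Assumes
the ISAKMP header/payload layout of RFC 2408 and the NAT-D payload type from
RFC 3947.  The pre-shared-key limits (25 characters, letters and digits only)
are the ones reported in the thread and are an assumption here.
"""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # SPIs, next payload, version, exchange,
                                            # flags, message id, total length (28 bytes)
PAYLOAD_HDR = struct.Struct("!BBH")         # generic payload: next, reserved, length
FLAG_ENCRYPTED = 0x01                       # set from Main Mode packet 5 onwards

PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE",
                 11: "NOTIFY", 13: "VID", 20: "NAT-D", 21: "NAT-OA"}
EXCHANGE_NAMES = {2: "MainMode", 4: "Aggressive", 5: "Informational", 32: "QuickMode"}


def parse_isakmp(datagram):
    """Parse one UDP/500 datagram into (exchange, encrypted?, [payload names]).

    Encrypted messages (Main Mode packet 5/6, all of Quick Mode) carry an opaque
    body, which is why the sniffer shows nothing useful once Phase 1 is done.
    """
    _ispi, _rspi, first, _ver, exch, flags, _msgid, length = ISAKMP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("ISAKMP length %d != datagram size %d" % (length, len(datagram)))
    encrypted = bool(flags & FLAG_ENCRYPTED)
    payloads = []
    if not encrypted:
        ptype, off = first, ISAKMP_HDR.size
        while ptype != 0:                   # walk the next-payload chain to the end
            nxt, _reserved, plen = PAYLOAD_HDR.unpack_from(datagram, off)
            if plen < PAYLOAD_HDR.size or off + plen > len(datagram):
                raise ValueError("bad payload length at offset %d" % off)
            payloads.append(PAYLOAD_NAMES.get(ptype, "type%d" % ptype))
            ptype, off = nxt, off + plen
    return EXCHANGE_NAMES.get(exch, "exch%d" % exch), encrypted, payloads


def natt_report(messages):
    """Which side sent NAT-D in Main Mode packets 3/4 (the KE/NONCE messages)?

    messages: list of (sender, datagram) in wire order.  A one-sided NAT-D
    offer is the NAT-T mismatch described in post #8.
    """
    sent_natd = {}
    for sender, datagram in messages:
        exch, encrypted, payloads = parse_isakmp(datagram)
        if exch == "MainMode" and not encrypted and "KE" in payloads:
            sent_natd[sender] = "NAT-D" in payloads
    return {"natd": sent_natd, "mismatch": len(set(sent_natd.values())) == 2}


def check_psk(psk, max_len=25):
    """Problems a pre-shared key would hit on the Edge, per the limits in this thread."""
    problems = []
    if len(psk) > max_len:
        problems.append("length %d exceeds %d" % (len(psk), max_len))
    if not psk.isalnum():
        problems.append("contains non-alphanumeric characters")
    return problems


def build_message(exch, flags, payloads, ispi=b"\x11" * 8, rspi=b"\x22" * 8):
    """Assemble a constructed ISAKMP datagram from (payload type, body) pairs."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(ispi, rspi, first, 0x10, exch, flags, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


KE, NONCE, ID, NATD, MAIN_MODE = 4, 10, 5, 20, 2
# Constructed sample: Main Mode packets 3 and 4, then the encrypted packet 5.
# Only the "edge" side offers NAT-D, which is the mismatch to look for.
SAMPLE_CAPTURE = [
    ("edge", build_message(MAIN_MODE, 0, [(KE, b"\x00" * 16), (NONCE, b"\x01" * 8),
                                          (NATD, b"\x02" * 20), (NATD, b"\x03" * 20)])),
    ("aws", build_message(MAIN_MODE, 0, [(KE, b"\x00" * 16), (NONCE, b"\x04" * 8)])),
    ("edge", build_message(MAIN_MODE, FLAG_ENCRYPTED, [(ID, b"\xaa" * 24)])),
]
CONSTRUCTED_PSK = "constructedKey0123456789abcdefXY"   # 32 characters, constructed value

if __name__ == "__main__":
    for sender, datagram in SAMPLE_CAPTURE:
        print(sender, parse_isakmp(datagram))
    print("NAT-T:", natt_report(SAMPLE_CAPTURE))
    print("PSK problems:", check_psk(CONSTRUCTED_PSK))
```

To use it on a real capture, feed `parse_isakmp` the UDP payloads of the port 500 packets in wire order (for instance exported from Wireshark) and tag each with the sending side; the report tells you whether NAT-D was offered by one side only, and `check_psk` tells you whether an AWS-generated key would have been rejected on the Edge before any of that matters.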
