CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: vpn problem with overlapping ip range

  1. #1 Opera

    vpn problem with overlapping ip range

    Hello,

    I need help in finding out what's wrong with my VPN setup with an overlapping range. I am using Check Point R77.20 on an open server, and the VPN is between me and a Cisco ASA 5555.
    I have created two network objects with NATed addresses and am using those as encryption domains in the VPN setup. But when I try to ping from my side to the other side, I get a weird problem.

    First I get reject messages with "IKE failure: no response from peer", and then in the next message I get a drop with the reason "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information".

    I have checked the configuration of the other side and it looks ok.

    I need help if anybody can help me with this issue.

  2. #2 slowfood27 (Zurich, Switzerland)

    Re: vpn problem with overlapping ip range

    No valid SA means that your encryption parameters do not match.
    Just as a reminder: your local encryption domain (A) contains ALL IP addresses you want to present to your VPN peering partner, regardless of whether there is NAT in place or not.
    The peering partner's VPN encryption domain (B) contains ALL IP addresses he is presenting to you. A and B must match at both ends.
    And there are also some other VPN parameters such as encryption methods, hash algorithms, lifetime, shared secret, etc. which MUST match at both ends as well.

    In order to get more info you should turn on IKE and VPN debugging

    at expert mode level on the gateway (bash):
    vpn debug on (off to stop)
    vpn debug ikeon (ikeoff to stop)

    The debugging information is written to the two log files $FWDIR/log/vpnd.elg and $FWDIR/log/ike.elg.

    You can read the ike.elg into the IKEView utility (included in the InfoView Utility you can download from Check Point Support) and check what's going on.

    HTH

  3. #3 Opera

    Re: vpn problem with overlapping ip range

    Quote Originally Posted by slowfood27:
    No valid SA means that your encryption parameters do not match.
    Just as a reminder: your local encryption domain (A) contains ALL IP addresses you want to present to your VPN peering partner, regardless of whether there is NAT in place or not.
    The peering partner's VPN encryption domain (B) contains ALL IP addresses he is presenting to you. A and B must match at both ends.
    And there are also some other VPN parameters such as encryption methods, hash algorithms, lifetime, shared secret, etc. which MUST match at both ends as well.

    In order to get more info you should turn on IKE and VPN debugging

    at expert mode level on the gateway (bash):
    vpn debug on (off to stop)
    vpn debug ikeon (ikeoff to stop)

    The debugging information is written to the two log files $FWDIR/log/vpnd.elg and $FWDIR/log/ike.elg.

    You can read the ike.elg into the IKEView utility (included in the InfoView Utility you can download from Check Point Support) and check what's going on.

    HTH

    I have enabled vpn debug ikeon and also vpn debug on. When I look into the ike.elg file in the IKEView tool, I find only P1 Main Mode messages with status failed, no Quick Mode messages. I have checked packet 1 and packet 2 to see what is happening there, and I can see that the packet sent to the peer with suggestions is the same as packet 2 received from the peer with suggestions, but still Main Mode fails.

    Packet 1. Sent to Peer:

    Transform Payload - KEY_IKE

    Next Payload: NONE
    Reserved: 0
    Length: 00 28 (40)
    TransNum: 1
    TransId: 1
    Reserved2: 00 00 (0)

    Encryption Algorithm: AES-CBC
    Key Length: 256
    Hash Algorithm: SHA1
    Authentication Method: Pre-shared key
    Group Description: 1536-bit MODP group
    Life Type: Seconds
    Life Duration: 86400


    Packet 2. Received from Peer:

    Transform Payload - KEY_IKE

    Next Payload: NONE
    Reserved: 0
    Length: 00 28 (40)
    TransNum: 1
    TransId: 1
    Reserved2: 00 00 (0)

    Encryption Algorithm: AES-CBC
    Key Length: 256
    Hash Algorithm: SHA1
    Group Description: 1536-bit MODP group
    Authentication Method: Pre-shared key
    Life Type: Seconds
    Life Duration: 86400

    Please any help is appreciated.

    Best regards

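The two transform dumps in the post above can be checked mechanically rather than by eye. The following is an added example for this thread, not code from the original post, from Check Point or from Cisco: it encodes and decodes ISAKMP Transform payloads per RFC 2408 (section 3.3 attribute encoding, section 3.6 payload header) using the IKE attribute numbers of RFC 2409 Appendix A (plus AES-CBC = 7 from RFC 3602 and 2048-bit MODP = 14 from RFC 3526), and diffs two proposals attribute by attribute. The two sample payloads are constructed here to match the attribute lists in the dump; they come out at 40 bytes, the same as the "Length: 00 28 (40)" field shown. Note that the posted packets list Authentication Method and Group Description in different orders, which the protocol does not care about; a byte-for-byte comparison would flag that as a difference while the attribute-wise compare correctly reports none. An agreed Phase 1 proposal only rules out a proposal mismatch; Main Mode can still fail at the later key-exchange, identity or hash messages, which is where the follow-up replies look.

```python
"""Decode and compare IKEv1 Phase 1 (ISAKMP SA) transform payloads.

Added example for this thread, not code from the original post or from
Check Point. Encodings follow RFC 2408 sections 3.3 and 3.6; attribute
numbers follow RFC 2409 Appendix A (AES-CBC = 7 per RFC 3602, 2048-bit
MODP = 14 per RFC 3526). SENT and RECEIVED are constructed samples that
match the attribute lists shown in the IKEView dump.
"""
import struct

# Attribute classes (RFC 2409 Appendix A).
ATTR_NAMES = {
    1: "Encryption Algorithm",
    2: "Hash Algorithm",
    3: "Authentication Method",
    4: "Group Description",
    11: "Life Type",
    12: "Life Duration",
    14: "Key Length",
}

# Symbolic names for values that commonly appear in ike.elg dumps.
ATTR_VALUES = {
    1: {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"},
    2: {1: "MD5", 2: "SHA1", 4: "SHA2-256"},
    3: {1: "Pre-shared key", 3: "RSA signatures"},
    4: {2: "1024-bit MODP group", 5: "1536-bit MODP group", 14: "2048-bit MODP group"},
    11: {1: "Seconds", 2: "Kilobytes"},
}


def encode_attribute(atype, value):
    """RFC 2408 3.3: TV form (AF bit set) when the value fits 16 bits, else TLV."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    body = struct.pack("!I", value)          # Life Duration 86400 needs 4 bytes
    return struct.pack("!HH", atype, len(body)) + body


def encode_transform(attrs, trans_num=1, trans_id=1, next_payload=0):
    """Build a Transform payload: 8-byte header (RFC 2408 3.6) + SA attributes."""
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    header = struct.pack("!BBHBBH", next_payload, 0, 8 + len(body), trans_num, trans_id, 0)
    return header + body


def decode_transform(data):
    """Parse a Transform payload; returns header fields and the (type, value) list."""
    next_payload, _rsvd, length, trans_num, trans_id, _rsvd2 = struct.unpack("!BBHBBH", data[:8])
    if length != len(data):
        raise ValueError(f"payload length field {length} != {len(data)} bytes supplied")
    attrs, off = [], 8
    while off < length:
        raw_type, second = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if raw_type & 0x8000:                 # TV: second word is the value
            value = second
        else:                                 # TLV: second word is the value length
            value = int.from_bytes(data[off:off + second], "big")
            off += second
        attrs.append((raw_type & 0x7FFF, value))
    return {"next_payload": next_payload, "length": length,
            "trans_num": trans_num, "trans_id": trans_id, "attrs": attrs}


def describe(attrs):
    """Map (type, value) pairs to the names IKEView prints."""
    return {ATTR_NAMES.get(t, f"Attribute {t}"): ATTR_VALUES.get(t, {}).get(v, v)
            for t, v in attrs}


def compare_proposals(sent, received):
    """Order-insensitive diff: list of (attribute, ours, theirs) that disagree.

    Attribute order on the wire is not significant, so a byte-for-byte compare
    would report a false mismatch when only the order differs.
    """
    ours, theirs = dict(sent), dict(received)
    return [(ATTR_NAMES.get(t, f"Attribute {t}"), ours.get(t), theirs.get(t))
            for t in sorted(set(ours) | set(theirs))
            if ours.get(t) != theirs.get(t)]


# Constructed samples matching the dump: AES-256, SHA1, PSK, group 5
# (1536-bit MODP), 86400 s. The peer lists Group before Auth Method.
SENT = encode_transform([(1, 7), (14, 256), (2, 2), (3, 1), (4, 5), (11, 1), (12, 86400)])
RECEIVED = encode_transform([(1, 7), (14, 256), (2, 2), (4, 5), (3, 1), (11, 1), (12, 86400)])

if __name__ == "__main__":
    for label, pkt in (("sent", SENT), ("received", RECEIVED)):
        t = decode_transform(pkt)
        print(f"{label}: length={t['length']} attrs={describe(t['attrs'])}")
    print("byte-identical:", SENT == RECEIVED)
    print("mismatches:", compare_proposals(decode_transform(SENT)["attrs"],
                                           decode_transform(RECEIVED)["attrs"]))
```

To check a real dump, transcribe each side's attribute list into `encode_transform` (or feed the raw payload bytes to `decode_transform`) and read the output of `compare_proposals`; an empty list means the Phase 1 proposal itself is not what the peer is rejecting.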
  4. #4 mcnallym

    Re: vpn problem with overlapping ip range

    OK if Phase 1 is failing then you aren't going to succeed with Phase 2 establishment.

    Double check that the encryption settings are the same. Is the PSK the same at both ends?
    Any logs in Tracker relating to Main Mode, such as Invalid Payload etc.?

    Once you get Phase 1 to establish then worry about Phase 2

  5. #5 Opera

    Re: vpn problem with overlapping ip range

    Quote Originally Posted by mcnallym:
    OK if Phase 1 is failing then you aren't going to succeed with Phase 2 establishment.

    Double check that the encryption settings are the same. Is the PSK the same at both ends?
    Any logs in Tracker relating to Main Mode, such as Invalid Payload etc.?

    Once you get Phase 1 to establish then worry about Phase 2

    The encryption settings are the same on both sides, and the shared secret is also the same. No logs that say Invalid Payload.


    Regards

  6. #6 mcnallym

    Re: vpn problem with overlapping ip range

    Quote Originally Posted by Opera:
    The encryption settings are the same on both sides, and the shared secret is also the same. No logs that say Invalid Payload.

    Regards

    Then what sort of message are you getting for the Main Mode failure?

    At the moment if your Phase 1 is failing then need to get to the bottom of why your Phase 1 is failing. You won't be able to establish Phase 2 hence why you get the generic messages in the Tracker for the Traffic between the Enc Domains.

    One thing I would definitely check is the IP address being used in Phase 1 for your R77.20 system. How have you configured the VPN Link Selection for the gateway? Are there other VPNs working from this gateway?
