CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: utter frustration trying to get 2 680's vpn'd on Certs. IP/presh sec works fine

  1. #1 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    utter frustration trying to get 2 680's vpn'd on Certs. IP/presh sec works fine

    I'm utterly frustrated trying to get 2 680's (both on verizon fios) vpn'd

    I can vpn these two devices just fine using ip address and preshared secret.

    Attempts to get them running with certificates (so I can use dyndns DNS names instead of IP addresses) just don't connect.

    I followed the guide which is pretty straight forward but they just won't connect.

    I only have basic blades turned on "firewall & ipsec vpn" but I'm told it should work with those.

    Does anyone have any suggestions on how I can troubleshoot this further? Should I consider factory resetting these devices back to base firmware and updating again?

    I'd really like to get them on certs so I can take advantage of dns entries for the vpn since I don't have static IP and I have a flaky fios ont that locks up and assigns a new ip.

    Thanks,

    Roveer

  2. #2 (Join Date 2015-11-11; Posts 5; Rep Power 0)

    Hi Roveer,
    (first of all - have you opened a support ticket on this issue and can share the number if so?)

    I want to verify one thing first - I'm assuming you used the internal CAs of the devices, right?
    If that's the case - after configuring DDNS, did you reinitialize the internal CA certificate and only then pull the relevant files to be set as "trusted CAs" on each remote site respectively?
    (The reinitialization is needed so the path for the CRL will be updated with the new host name configured in DDNS.)

  3. #3 (Join Date 2009-04-30; Location Colorado, USA; Posts 2,251; Rep Power 14)

    What is the exact IKE Phase 1 error message? My guess is that your 680s do not trust the CA of their peer firewall or there is an issue with CRL retrieval.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  4. #4 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    What I did is as follows:

    1. Set up the ddns on both devices (verified working by nslookup checking the dns names). When setting them up I checked the box to re-initialize the internal certificates on both sides
    2. Went into the internal CA on each device and unchecked the 2 boxes (retrieve CRL, cache CRL)
    3. Exported CA from each device and imported it on the other box calling it Management CA on the other box
    4. Went back into both newly imported CAs and unchecked the 2 boxes (retrieve CRL, cache CRL)
    5. On each box created VPN using hostname & certificate.
    6. "Match certificate by DN" box is checked and contains the CN=00:1C:4F:71:BD:D2 VPN Certificate,O=00:1C:4F:71:BD:D2..4oc4n2 from the default certificate from the other side.
    7. Remote site encryption domain on each box has network object which defines the IP subnet from the other side (same one used when I bring up ip/preshared secret vpn that works fine)
    8. Under Encryption tab selecting "Default (most compatible)"
    9. Under Advanced tab selecting "Remote gateway is a checkpoint security gateway", "Enable permanent VPN Tunnels", "Disable NAT for this site" (same as when I bring up /ip/preshared secret vpn that works fine)
    10. Encryption Method I leave as default IKEv1
    11. Additional certificate matching, remote site certificate should be issued by is set to "Management CA" which is name of imported CA from other device

    I'll have to go back and set them up again to capture exact error messages. I was trying so many things and getting so many results I don't trust anything that's in the logs as being associated to this exact configuration. I'll do that and capture the messages.

    When looking at VPN Tunnels it shows the "peer address" as some strange non-meaningful number. Then after some time (30 minutes to an hour?) it will show the IP of the other side but still shows "down". Very different behavior than IP/preshared, which comes up right away.

    Also, on Saturday I swear I saw one side showing UP on certificate but have been unable to duplicate it since. Both devices on latest same number firmware: R77.20.11 (990171471)

  5. #5 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    I threw up the CERT VPNs and the msgs I'm getting (on one side at least) are:

    Phase1 Received Notification from Peer: payload malformed

    and

    Phase1 Received Notification from Peer: invalid cookie

    These are inbound from the other side.

    I'll check both sides and see if I get any other msgs...
    Last edited by roveer; 2016-04-25 at 12:50.

  6. #6 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    It's up...

    Not sure why.

    Right now I have 2 VPNs defined on both sides. One for IP/pre shared and one for CERT.

    I disabled CERT on both sides and enabled IP/Pre. The link came up. (that's always worked).

    I then disabled IP/Pre on both sides and enabled CERT on both sides and rebooted both devices.

    When they came up it said the CERT VPN was down. Here's where it gets weird.

    Either I waited a few minutes and it re-tried or I forced traffic for the other side and it came up.

    In VPN tunnel it's showing VPN_MPR_CERT (which was my Cert VPN Configuration) as UP and traffic is flowing.

    Now I tried deleting the currently disabled VPN_MPR (which is the IP/Pre) entry and the tunnel came back down.

    I put everything back and have it back up on both sides saying the CERT configurations are enabled and the IP/PRE are disabled. I'm going to leave it for a while and see what happens.

    Stupid question. I shouldn't need the IP/Pre configuration to make this work, correct? In any event I'm going to leave it alone for a while and see what happens.

    Roveer

    -----[update]-----

    Tunnel is back down again. It came up at 1:30pm (from my post above), but went back down again at 3:05 pm for no apparent reason. I'm not even in the office and no traffic would be going across that link.
    Last edited by roveer; 2016-04-25 at 15:16.

  7. #7 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    Here is what is going on in the logs. Seems like it's bouncing up and down with lots of malformed payload. This is one side of the connection. I'm going to put the connections back to ip/presh sec and see if I'm getting anything abnormal in the logs.

    [Attached screenshots 1.jpg through 13.jpg: log excerpts from one side of the connection, not reproduced here]

  8. #8 (Join Date 2011-08-02; Location http://spikefishsolutions.com; Posts 1,652; Rep Power 10)

    I think your main problem is you don't know what to be troubleshooting. So phase 2 barfing is related to subnets behind the firewall, encryption, hash method, that kind of stuff.

    Login to both firewalls and issue a
    vpn debug ikeon

    This will create a file called

    $FWDIR/log/ike.elg

    Recreate the issue. Once you feel like enough garbage has been sent and you've recreated your up/down event stop debugging.

    vpn debug off

    Download ike.elg* off both firewalls.

    Download a utility called infoview from checkpoint. Once installed go to the directory where infoview was installed and find a program called ikeview.exe.

    Run this and open the ike.elg from one of the gateways. You should see everything that is being advertised in phase I and phase II.

    Make sure the encryption domains look correct and match the internal subnets. I've never debugged a cert based vpn but I'm thinking you should see useful details from that as well.

    Hope that helps!

  9. #9 (Join Date 2009-04-30; Location Colorado, USA; Posts 2,251; Rep Power 14)

    The key seems to be the payload malformed message in Quick Mode (Phase 2). Usually if you see a payload malformed it happens in Phase 1 and indicates an auth failure. However if it is happening in Phase 2 check your PFS settings, whether it is enabled on both sides and particularly the DH group which needs to be identical in the PFS settings. Also turn off permanent tunnels for now as you are getting a lot of spurious messages about the tunnel being "up" when it is not.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  10. #10 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    I looked at PFS Settings in the encryption tab. It was not checked. I checked it and got a message that said it was not compatible with "hostname" which is what I am trying to use.

    [Attached screenshot 14.jpg: the message that PFS is not compatible with "hostname", not reproduced here]

  11. #11 (Join Date 2011-08-02; Location http://spikefishsolutions.com; Posts 1,652; Rep Power 10)

    Do the vpn debug. It should really explain a lot. One side might not know what that malformed packet is but the side that sent it should know what it is for sure.

  12. #12 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    I'm going to set up the log stuff. Unfortunately I don't have access to the infoview utility. I don't have any support on these boxes so CP won't allow me to download anything. Also, I can't turn on Community as I don't have "cloud services" activation key. I'm really in the weeds on this one.

    I just read something about 2 things that looked like they might be related.

    1. Something said about "error is also happening when CP is dynamically NAT the nodes. When you statically NAT the nodes you can encrypt/decrypt the packets"

    How would I go about statically NAT nodes? I tried going into advanced under VPN and changing local encryption domain from being defined automatically to being defined manually and gave it the network object for the local network (did this on both sides).

    2. Something said about "The Packet is dropped because there is no valid SA for user peer - please refer to solution sk19423 in SecureKnowledge Database for more information."

    Don't have access to sk19423

    Any of this look similar to my situation?

  13. #13 (Join Date 2011-08-02; Location http://spikefishsolutions.com; Posts 1,652; Rep Power 10)

    Quote Originally Posted by roveer:
    I'm going to set up the log stuff. Unfortunately I don't have access to the infoview utility. I don't have any support on these boxes so CP won't allow me to download anything. Also, I can't turn on Community as I don't have "cloud services" activation key. I'm really in the weeds on this one.

    I just read something about 2 things that looked like they might be related.

    1. Something said about "error is also happening when CP is dynamically NAT the nodes. When you statically NAT the nodes you can encrypt/decrypt the packets"

    How would I go about statically NAT nodes? I tried going into advanced under VPN and changing local encryption domain from being defined automatically to being defined manually and gave it the network object for the local network (did this on both sides).

    2. Something said about "The Packet is dropped because there is no valid SA for user peer - please refer to solution sk19423 in SecureKnowledge Database for more information."

    Don't have access to sk19423

    Any of this look similar to my situation?

    1. Why do you want nat on the VPN? I would think you wouldn't want to nat across the vpn. That being said if you are natting you need to add your real src and your nat src to the encryption domain. Same for dst on the remote encryption domain.

    Do you even need nat though? If the internal networks of both firewalls are on different subnets there shouldn't be a need for nat. There should also be an option in the vpn to disable nat on the vpn.

    2. That SK just covers some debug topics and isn't so great I think. Basically it's just an error thrown when the vpn isn't negotiating correctly. The SK gives a few hits but nothing to the level of detail ikeview will give you.

    I can't give you access to infoview directly. I could feed it through a local install and report back if you want though. Keep in mind this is a bit of an information leak on your part. Completely up to you.

  14. #14 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    "NAT is disabled for this VPN" is checked on both sides. The subnets are unique so you are correct, I don't need NAT.

    The VPN was UP for a short period of time but has gone down again. I'm going to need to debug as suggested in order to figure this out. Very strange that it comes up for a period then goes back down again. Not having any connectivity issues that I'm aware of.

    Roveer

  15. #15 (Join Date 2011-08-02; Location http://spikefishsolutions.com; Posts 1,652; Rep Power 10)

    Quote Originally Posted by roveer:
    Nat is disabled for this VPN is checked on both sides. The subnets are unique so you are correct, I don't need NAT.

    The VPN was UP for a short period of time but has gone down again. I'm going to need to debug as suggested in order to figure this out. Very strange that it comes up for a period then goes back down again. Not having any connectivity issues that I'm aware of.

    Roveer

    So chances are the up/downs are related to Check Point's special tunnel test packets like shadowpeak said. These are only sent when permanent tunnels are enabled. That's my guess.

  16. #16 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    So what I have noticed is this. In my current configuration if I reboot both devices the VPN comes up. I've set up a persistent ping to the 680 from one side to the other. The VPN came up at 13:53 EDT and the ping has been running. That's about 30 minutes so far.

    I did make one other change and that was to define my network objects for the IP subnets with like names on both sides. Before, the object names were different.

    Example: Local_SHL_Network = 172.16.1.0 (same name on both sides) used in VPN configuration and Local Encryption Domain manual setting
    Local_MPR_Network = 192.168.0.1 (same name on both sides) used in VPN configuration and Local Encryption Domain manual setting

    Previously I had them named different things.

    Ping is still running, VPN is still up. Logs are showing encrypt messages

  17. #17 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    Ping has stopped, VPN is DOWN.

    Log gave the following at 14:34 EDT

    [Attached screenshot 15.jpg: the log entry at 14:34 EDT, not reproduced here]

  18. #18 (Join Date 2011-08-02; Location http://spikefishsolutions.com; Posts 1,652; Rep Power 10)

    How long was the VPN up for? I haven't done cert vpn with these devices, but could it be the CRL isn't accessible? If you set a filter for src FW1 or FW2 dst FW1 or FW1 do you see any dropped tcp packets in the 18000 range?

    I really like that you're still hacking on this. Keep it up, you'll get to the root cause.
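Shadowpeak's split between a Phase 1 and a Phase 2 "payload malformed" (posts #3 and #9), the "invalid cookie" notification quoted in post #5 and the dropped-TCP-in-the-18000-range check suggested just above can be turned into a small triage pass over exported log lines. The following is an added example, not code from this thread or from Check Point: the "timestamp key=value" log layout, the two peer addresses and the sample lines are constructed to mirror the messages quoted in the thread, and port 18264 (the internal CA's CRL fetch service, a known Check Point port that the thread itself only calls "the 18000 range") is an assumption on my part.

```python
import re
from collections import Counter

# Assumed: TCP 18264 is the internal CA (ICA) service that serves CRLs; the
# thread only says "the 18000 range", so the whole range is flagged as well.
ICA_CRL_PORT = 18264
CP_SERVICE_PORTS = range(18000, 19000)

# Constructed sample: the two gateways' public addresses (RFC 5737 test ranges).
PEERS = {"203.0.113.10", "198.51.100.20"}

# Constructed sample log lines modelled on the messages quoted in the thread.
# The "TIMESTAMP key=value ..." layout is an assumption, not a real export format.
SAMPLE_LOG = """\
2016-04-25T12:40:58 action=drop proto=tcp src=203.0.113.10 dst=198.51.100.20 dport=18264 info="CRL fetch"
2016-04-25T12:41:05 action=reject src=198.51.100.20 dst=203.0.113.10 info="Phase1 Received Notification from Peer: payload malformed"
2016-04-25T12:41:06 action=reject src=198.51.100.20 dst=203.0.113.10 info="Phase1 Received Notification from Peer: invalid cookie"
2016-04-25T13:30:12 action=keyinst src=198.51.100.20 dst=203.0.113.10 info="IKE: Main Mode completion"
2016-04-25T15:05:44 action=reject src=198.51.100.20 dst=203.0.113.10 info="Phase2 Received Notification from Peer: payload malformed"
2016-04-25T15:05:45 action=accept proto=icmp src=172.16.1.5 dst=192.168.0.7 info="encrypt"
"""

# Diagnostic buckets and what the replies in the thread say to check for each.
HINTS = {
    "phase1_auth_failure": "Peer rejected our identity: verify each side trusts the other's CA and the DN match is exact.",
    "phase2_pfs_mismatch": "Quick Mode disagreement: PFS on/off and the DH group must be identical on both sides.",
    "stale_ike_sa": "Peer referenced an IKE SA we no longer hold; expected after a reboot, a problem if it persists.",
    "crl_fetch_blocked": "CRL retrieval to the ICA port was dropped; allow it or disable CRL retrieval on the imported CA.",
    "cp_service_blocked": "TCP to a Check Point service port between the peers was dropped; inspect the dropping rule.",
    "payload_malformed_unknown_phase": "Phase not stated; use the ike.elg debug to see which exchange failed.",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split 'TIMESTAMP key=value key="quoted value" ...' into a dict."""
    timestamp, _, rest = line.partition(" ")
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(rest)}
    fields["time"] = timestamp
    return fields


def classify(fields):
    """Return the diagnostic bucket for one parsed line, or None if it is not an IKE symptom."""
    action = fields.get("action", "")
    info = fields.get("info", "")
    # A drop of TCP between the two gateways on a Check Point service port is
    # the symptom post #18 asks about: a CRL fetch that never gets through.
    if (action == "drop" and fields.get("proto") == "tcp"
            and fields.get("src") in PEERS and fields.get("dst") in PEERS):
        dport = int(fields.get("dport", "0"))
        if dport in CP_SERVICE_PORTS:
            return "crl_fetch_blocked" if dport == ICA_CRL_PORT else "cp_service_blocked"
    if "payload malformed" in info:
        if info.startswith("Phase1"):
            return "phase1_auth_failure"   # Main Mode: authentication / CA trust
        if info.startswith("Phase2"):
            return "phase2_pfs_mismatch"   # Quick Mode: PFS / DH group mismatch
        return "payload_malformed_unknown_phase"
    if "invalid cookie" in info:
        return "stale_ike_sa"
    return None


def triage(log_text):
    """Count how often each bucket occurs across all non-empty lines of log_text."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            bucket = classify(parse_line(line))
            if bucket:
                counts[bucket] += 1
    return counts


def report(log_text):
    """Render the triage as one line per bucket, most frequent first."""
    return "\n".join(f"{n:3d}  {bucket:<32} {HINTS[bucket]}"
                     for bucket, n in triage(log_text).most_common())


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against a real export, the useful signal is the ratio between the buckets: a cert-only tunnel that flaps while `phase1_auth_failure` and `crl_fetch_blocked` both keep appearing points at trust or CRL reachability, whereas `phase2_pfs_mismatch` alone points at the encryption settings the two sides disagree on.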

  19. #19 (Join Date 2007-10-12; Posts 141; Rep Power 13)

    vpn stayed up from 13:53 to 14:34 that's 41 minutes.

    Thank you for the encouragement. Sometimes I feel like I'm wasting everyone's time. I have a great sense of adventure when attacking a situation like this and I won't likely give up until I've resolved it. I really want this functionality as I do not have static IPs on either end so getting cert VPN so I can use host names is important to me.

    I've managed to get infoview installed and my latest challenge is getting my ike.elg file from my 680 to my local machine. Tips? I'm not a unix guy but will rip/teach my way through whatever I need to make it work.

    Roveer

  20. #20 (Join Date 2011-08-02; Location http://spikefishsolutions.com; Posts 1,652; Rep Power 10)

    Quote Originally Posted by roveer:
    vpn stayed up from 13:53 to 14:34 that's 41 minutes.

    Thank you for the encouragement. Sometimes I feel like I'm wasting everyone's time. I have a great sense of adventure when attacking a situation like this and I won't likely give up until I've resolved it. I really want this functionality as I do not have static IP's on either end so getting cert VPN so I can use host names is important to me.

    I've managed to get infoview installed and my latest challenge is getting my ike.elg file from my 680 to my local machine. Tips? I'm not a unix guy but will rip/teach my way through whatever I need to make it work.

    Roveer

    ssh to the firewall. Enter expert mode. Run

    bashUser on

    exit.

    Now WinSCP will work. WinSCP is pretty easy to use, just make sure it's set to use SCP mode instead of SFTP. Login and password are the same as ssh/webui.

    Bonus points if you use pscp/scp instead. Works just like copy.

    scp src dst

    Where either src or dst is remote (one of them has to be local): user@remote:/path/to/remote/file /local/file/goes/here

    Files are in $FWDIR/log

    Also when you ssh to the firewall you will now have a full unix shell (with bashUser on).

    If you want to turn this off (who would?) run this from the bash shell.

    bashUser off

    How do you know what $FWDIR is?

    run this from ssh.

    echo $FWDIR/log

    Go get'em Rock!
    Last edited by jflemingeds; 2016-04-26 at 16:24.
