CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: VPN with 3rd party ASA

  #1 VPN with 3rd party ASA

    We are trying to establish an S2S IPSEC tunnel with a 3rd party. They have required that we only pass publicly routed addresses over the tunnel. We have successfully negotiated IKE tunnels and in SmartLog I see my servers trying to communicate over the NAT'd addresses I have specified for them. The 3rd party is informing me that the Checkpoint is only negotiating the public host IP of our gateway and not the subnet as they are expecting. This means traffic from our NAT'd servers that are using other public addresses is not flowing over the tunnel. Is this something with Checkpoint that is causing the incorrect negotiation on their end? Is there maybe something special I have to do with the VPN Domain configuration for our gateway here to allow multiple public address to negotiate on the tunnel?

  #2 Re: VPN with 3rd party ASA

    We just want to make sure you configured this right!
    Let's take three networks:
    - A aka your local network
    - B aka your local network being SourceNAT to whatever public IP
    - C aka your remote network or ASA's local IPs

    Make sure:
    - you add B network on your CP Topology Enc Domain
    - you add C network on your Interoperable_Device Topology Enc Domain
    - you add a rule stating A towards C action (VPN Community) accept
    - you add a rule stating A towards C action source NAT using B network

    NAT concerns:
    - if A range is bigger than B range (let's say you use a host IP address for B object) then make sure you are using NAT method: Hide

  #3 Re: VPN with 3rd party ASA

    Quoting laf_c (post #2 above):
    laf,

    Thank you for your reply. Would I need to involve my local subnet in the encryption domain if only public IP addresses are passing over the tunnel? Currently I am trying to use the public subnet that Checkpoint is using for the WAN interface, which I think is causing problems. When I try to add that subnet to the VPN subnet, we lose all connectivity to services NAT'd to that subnet probably due to anti-spoofing. The reason I suspect that is due to this thread.

    https://www.cpug.org/forums/showthre...+ip+vpn+domain

    On the 3rd party side, their gateway is using a different IP address that does not exist in their network that will be routed over the VPN. Our gateway is using an IP address that exists in the network we want to route. Is this even possible? All examples I see in Checkpoint documentation seems to assume that local networks are going to be routed through the VPN. That is not the case here.

  #4 Re: VPN with 3rd party ASA

    Quoting jcallahan (post #3 above):
    I have experience with S2S VPN between Check Point, Cisco IOS/ASA/FTD and Juniper.

    Can you please explain your scenario one more time in detail? A topology would help. I think I know what your issue is, but I just want to make sure I understand it fully before giving my 2c comments.

  #5 Re: VPN with 3rd party ASA

    Quoting cciesec2006 (post #4 above):
    Sure. We are going live with a new application with a third party vendor. They require an S2S VPN tunnel for us to use the app. We are not their only customer, so they do not allow private subnets (10.0.0.0 or 192.168.0.0) to pass over the tunnel. This forces us to use all public IP space over the tunnel so we will be unique in their environment and not conflict with their other customers.

    I've created a new star community with my Checkpoint cluster as the central gateway. I've created an interoperable object to represent their gateway. I've created a /24 network and added that as the VPN domain for their gateway object. Of course we already have VPN tunnels in our environment, so the gateways have the same VPN community they've had in our production environment. However, that VPN community does not contain our public subnet.

    What their firewall admin is telling me is that our Checkpoint is only negotiating its individual WAN address during the handshake and is not negotiating our entire public address space. This is causing strange intermittent traffic issues. When I add the public IP space to our VPN domain, of course it breaks anything that uses a NAT to the internet because of anti-spoofing. I am about to turn permanent tunnels on to see if that fixes the intermittent issue. We had to turn it off during the initial process because we couldn't even get IKE negotiation to work.

    I hope that helps paint a better picture.

  #6 Re: VPN with 3rd party ASA

    Quoting jcallahan (post #5 above):
    I think this is the problem. Why are you creating a star community between your Checkpoint cluster and the 3rd party device? Should it be a mesh topology instead?

  #7 Re: VPN with 3rd party ASA

    Quoting cciesec2006 (post #6 above):
    I am not following here. What's the difference between star and mesh community as long as there are only TWO VPN_endpoints?

  #8 Re: VPN with 3rd party ASA

    Quoting cciesec2006 (post #6 above):
    I have tried converting it to a mesh and all tunnel traffic stops flowing. Not sure if there might be a very long negotiation delay after the conversion, but once I switched back to star I was able to ping shortly after.

  #9 Re: VPN with 3rd party ASA

    Quoting jcallahan (post #5 above):
    Sounds like you are NATting the Traffic behind the Gateway as it goes out through the Check Point. That will cause the 3rd Party to simply see the External IP of the Gateway.

    Your Encryption Domain will need updating with ANY Public IP that you should be NATting the Internal Traffic behind when connecting to/from the 3rd Party Network. If you don't have the Public IP in the Enc Domain then the Gateway won't encrypt/decrypt traffic properly, as it won't recognise that it needs to.

  #10 Re: VPN with 3rd party ASA

    Quoting mcnallym (post #9 above):
    Initially I struggled with the VPN domains, but now I only have the objects representing the NAT of my servers in the VPN domain. It could be possible that the peer doesn't have the correct encryption domain. It's strange, if I initiate a ping it will time out for a while and then I will get a response. I'll leave it alone and once I come back the ping is timing out again. I wonder if the other end could be initiating a ping at the same time and that is what could be bringing the tunnel up? I have verified on the other end that this has happened at least once.

  #11 Re: VPN with 3rd party ASA

    It looks like at this point we can communicate back and forth if I have a constant ping going. It will eventually start pinging before about 2-3 minutes of timeouts. Very strange behavior.

  #12 Re: VPN with 3rd party ASA

    Quoting jcallahan (post #11 above):
    Probably worth enabling IKE debugging and taking a look at the negotiations. Sounds like parameters don't quite match somehow. Check Point is pretty permissive in what it accepts. I suspect the ASA doesn't like what Check Point is proposing, but sometimes something happens which triggers a negotiation from the ASA side which the Check Point likes.



    It also sounds like this peer does not understand what the 'P' in "VPN" stands for. Goodness. I have only seen such a silly requirement once before. Normally, if you and I want to establish a VPN, you give me a range to use for my end which does not overlap with anything you do internally, and I give you a range to use for yours which does not overlap with anything I do.

    This works for any kind of company-to-company connectivity I've ever set up. Expansion is trivial should the need arise. Using only public addresses leads to some truly stupid situations where a public address does wildly different things depending on who is asking.
    Zimmie

  #13 Re: VPN with 3rd party ASA

    Quoting Bob_Zimmerman (post #12 above):
    Bob, it looks like you were correct. Apparently ASA can do multiple integrity hashes at the same time. The vendor had SHA1+MD5 selected. Removing one of these and only selecting one resolved the issue. We are now able to establish tunnels and SAs without issue. Thank you everyone for your help.

    Also, it is worth noting that I believe the initial problem we had, where the tunnel would drop and come back, was due to an IKEvX mismatch. The vendor was seeing IKEv1 attempts by my Checkpoint. I had the option to prefer IKEv2 but support IKEv1. I changed the community to only support IKEv2 and this is how we found the mismatched proposals. This fixed everything.
    Last edited by jcallahan; 1 Day Ago at 10:59. Reason: Added discovery of IKE issue
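The resolution in post #13 is a phase-1 proposal mismatch: the ASA offered two integrity transforms (SHA1 and MD5) in one proposal, and the tunnel only became stable once a single transform was selected and both sides were pinned to IKEv2. The Python below, added here and not Check Point or Cisco code, models how an IKEv2 responder selects one transform per type from an initiator proposal; the responder algorithm lists, the proposal shapes and the `strict` option (which refuses proposals carrying more than one transform of a type, mirroring what the thread observed rather than either vendor's documented behaviour) are all constructed for this example.

```python
"""Simplified IKEv2 SA proposal selection (added example, not vendor code).

The responder configuration, the transform names and the `strict` mode are
constructed to reproduce the mismatch described in post #13.
"""

# Constructed responder policy: acceptable algorithms per transform type,
# most preferred first. MD5 is deliberately absent.
RESPONDER = {
    "ike_version": 2,
    "encr": ["AES-256-CBC", "AES-128-CBC"],
    "integ": ["SHA2-256", "SHA1"],
    "prf": ["SHA2-256", "SHA1"],
    "dh": ["group14", "group5"],
}

# Constructed initiator proposals: what the ASA offered before and after the fix.
ASA_PROPOSAL = [{"encr": ["AES-256-CBC"], "integ": ["SHA1", "MD5"],
                 "prf": ["SHA1"], "dh": ["group5"]}]
FIXED_PROPOSAL = [{"encr": ["AES-256-CBC"], "integ": ["SHA1"],
                   "prf": ["SHA1"], "dh": ["group5"]}]


def select_proposal(initiator_version, proposals, responder=RESPONDER, strict=False):
    """Pick the first initiator proposal the responder can satisfy.

    Each proposal maps transform type -> list of offered algorithms. IKEv2 lets
    an initiator offer several per type and the responder picks exactly one.
    Returns (chosen_transforms, reason); chosen_transforms is None on failure.
    strict=True refuses any proposal with more than one transform of a type,
    which is the failure shape the thread ran into.
    """
    if initiator_version != responder["ike_version"]:
        return None, (f"IKE version mismatch: initiator v{initiator_version}, "
                      f"responder v{responder['ike_version']}")
    for i, prop in enumerate(proposals, start=1):
        if strict and any(len(algs) > 1 for algs in prop.values()):
            continue  # a strict peer silently drops the whole proposal
        chosen = {}
        for ttype in ("encr", "integ", "prf", "dh"):
            offered = prop.get(ttype, [])
            # responder's most preferred algorithm that the initiator also offers
            match = next((a for a in responder[ttype] if a in offered), None)
            if match is None:
                break  # this proposal cannot be satisfied; try the next one
            chosen[ttype] = match
        else:
            return chosen, f"proposal {i} accepted"
    return None, "no proposal matched"


if __name__ == "__main__":
    print(select_proposal(1, ASA_PROPOSAL))                 # version mismatch
    print(select_proposal(2, ASA_PROPOSAL))                 # RFC-style responder picks SHA1
    print(select_proposal(2, ASA_PROPOSAL, strict=True))    # strict peer: no match
    print(select_proposal(2, FIXED_PROPOSAL, strict=True))  # single transform: accepted
```

The practical takeaway is the one jcallahan reached: for third-party interop, pin one IKE version and one explicit transform per type on both sides rather than relying on the peer to pick from a list.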

  #14 Re: VPN with 3rd party ASA

    Quoting jcallahan (post #5 above):
    Sorry, I had other work issues, so I didn't have a chance to look at this until today. Let me see if I can understand your issue:

    Example:
    - on the ASA side:
    ASA VPN peer is 4.2.2.2/24
    ASA local encryption domain (or interesting traffic) is 129.174.1.0/24

    - on the Checkpoint side:
    Checkpoint VPN peer is 8.8.1.254/23
    Checkpoint local encryption domain is 192.168.1.0/24
    You have VPN tunnel from 192.168.1.0/25 to other VPN tunnels without any issues and you're not NAT'ing inside the VPN tunnels

    Issue: You need to bring up the VPN tunnels between the checkpoint and ASA but because the vendor will NOT accept 192.168.1.0/24 inside the VPN tunnel but they will accept 8.8.0.0/24 so you do this:

    0- setup mesh VPN in checkpoint
    1- add 8.8.0.0/24 network into your checkpoint local encryption domain
    2- uncheck disabled NAT inside VPN tunnel for this VPN
    3- add manual NAT to translate source 192.168.1.0/24 to 8.8.0.0/24 for 129.174.1.0/24
    4- add manual NAT to translate destination 8.8.0.0/24 for source from 129.174.1.0/24 to 192.168.1.0/24

    Does that sound right? And what you're saying is that it does NOT work?
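The checklist in post #2 and the worked example in post #14 reduce to one invariant: the source address as it appears after NAT, not the private one, must sit inside the Check Point encryption domain and inside the range the ASA expects from its peer, otherwise the gateway has nothing to match and the peer only ever sees the gateway's own WAN address. The Python below, added here and not code from the thread or either vendor, models that check with the addresses from post #14; the Gateway class, the NAT rule format and the hide/static distinction are constructed for this example.

```python
"""Selector check for a NATed site-to-site tunnel (added example, not vendor code).

Addresses are the ones used in post #14; the Gateway class, the NAT rule
format (original source, destination, translated source) and the helper
names are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address, ip_network


@dataclass
class Gateway:
    name: str
    enc_domain: list        # networks this side announces as its local selector
    peer_domain: list       # what it accepts from the peer (interop object / crypto ACL)
    nat_rules: list = field(default_factory=list)

    def translate(self, src, dst):
        """Apply the first matching source-NAT rule; NAT runs before encryption."""
        for orig, to_dst, xlated in self.nat_rules:
            if src in orig and dst in to_dst:
                if xlated.num_addresses < orig.num_addresses:
                    # Hide NAT (post #2): many sources behind one public address
                    return xlated.network_address
                # Static NAT: keep the host offset inside the translated network
                offset = int(src) - int(orig.network_address)
                return IPv4Address(int(xlated.network_address) + offset)
        return src


def check_flow(local, remote, src, dst):
    """Return (ok, reason) for one packet src->dst leaving `local` for `remote`."""
    src, dst = ip_address(src), ip_address(dst)
    xsrc = local.translate(src, dst)
    if not any(xsrc in n for n in local.enc_domain):
        return False, f"post-NAT source {xsrc} is not in {local.name}'s encryption domain"
    if not any(dst in n for n in local.peer_domain):
        return False, f"{dst} is not in the peer domain configured on {local.name}"
    if not any(xsrc in n for n in remote.peer_domain):
        return False, f"{remote.name} does not expect {xsrc} from this peer"
    if not any(dst in n for n in remote.enc_domain):
        return False, f"{dst} is not in {remote.name}'s encryption domain"
    return True, f"{src}->{dst} enters the tunnel as {xsrc}->{dst}"


def scenario(cp_domain):
    """Post #14 topology with the Check Point encryption domain given as CIDR strings."""
    cp = Gateway("checkpoint", [ip_network(n) for n in cp_domain],
                 [ip_network("129.174.1.0/24")],
                 [(ip_network("192.168.1.0/24"), ip_network("129.174.1.0/24"),
                   ip_network("8.8.0.0/24"))])
    asa = Gateway("asa", [ip_network("129.174.1.0/24")], [ip_network("8.8.0.0/24")])
    return check_flow(cp, asa, "192.168.1.10", "129.174.1.5")


if __name__ == "__main__":
    # Post #1 situation: only the private network in the domain -> mismatch
    print(scenario(["192.168.1.0/24"]))
    # Post #14 step 1: NAT pool added to the domain -> selectors agree
    print(scenario(["192.168.1.0/24", "8.8.0.0/24"]))
```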

  #15 Re: VPN with 3rd party ASA

    Quoting cciesec2006 (post #14 above):
    Yes, eventually that did work. We had a mismatched IKE version and the Cisco was using a proposal that Checkpoint doesn't support.
