CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Route Based VPN with Cisco router

  1. #1
    Join Date
    2017-04-08
    Posts
    17
    Rep Power
    0

    Route Based VPN with Cisco router

    Hi All,

    I am in the process of getting hands-on experience with Check Point firewalls. I am a bit stuck at route-based VPN in Check Point. As a basic start I want to create a route-based VPN between Check Point R80.10 and a Cisco 7200 series router (IOS 15.2). I know that in this case routing will be checked instead of policy. I have some questions:

    1. What will the VPN domain be at the Check Point end (an empty group (why?) or the subnet x.x.x.x behind the Check Point firewall)?
    2. How will I configure Phase 1 and Phase 2 on the Cisco router? Via an isakmp policy or through an isakmp profile?
    3. On the Cisco end the subnet behind the router is 1.1.1.1/32, so I will need to put a static route towards the tunnel interface, correct? And what proxy ACL will be called?

    My questions may sound lame, but the moderators' guidance will be really helpful.

    Thanks.

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    265
    Rep Power
    12

    Re: Route Based VPN with Cisco router

    1. The empty VPN domain is just to keep ordinary, VPN-domain-based decisions from happening. The VPN community is used to store the negotiation parameters for the VPN, but you don't want the firewall software deciding whether to encrypt something or not; you want the OS deciding. You can actually mix domain-based and route-based VPNs if you are very careful.

    2. I'm not sure on the Cisco configuration side of things. A route-based VPN from Check Point will show up as a normal phase 1, using the parameters defined in the VPN community. Phase 2 will show up as 0.0.0.0/0.0.0.0 to 0.0.0.0/0.0.0.0. That is the same negotiation you get if you set the community to negotiate one tunnel per pair of gateways. If you can get the Cisco side working with that, it should be the same for a route-based VPN.

    3. On the Check Point side, the route-based VPN behaves like a really, really long cable. Yes, you need routes for everything you want to go across the VPN. The really cool part is the tunnel interface can have an IP address. If both gateways have tunnel interfaces with IP addresses, you can run dynamic routing protocols like OSPF on the tunnel interface.

    Be careful with your antispoofing. Also be aware you can't use the VPN community in any rules, as that depends on normal, VPN-domain-based decisions.

    Edited to fix: I accidentally said not to use the VPN domain in rules, when it is the community you can't use in rules.
    Last edited by Bob_Zimmerman; 2018-07-17 at 16:15.
    Zimmie

  3. #3
    Join Date
    2017-04-08
    Posts
    17
    Rep Power
    0

    Re: Route Based VPN with Cisco router

    Hi Zimme,

    Thanks for the reply. I tested it again. At the moment I can see both Phase 1 and Phase 2 are up, but I can't ping from the R1 loopback to the R2 loopback, which needs to go through the tunnel. In the logs I can see the drop is done by the clean-up rule. I checked with fw ctl zdebug +drop | grep 1.1.1.1 but I can't see any dropped packets on the firewall.

    The topology is as follows:

    R1 ---> Checkpoint firewall --> R2

    R1 loopback int 1.1.1.1/32
    R2 loopback int 2.2.2.2/32

    The route-based VPN tunnel is created between the FW and R2.

    1. On the Check Point firewall I created a numbered VPN tunnel interface - 12.12.12.2
    2. Put a static route for 2.2.2.2/32 with the tunnel interface as next hop.
    3. Created a network interoperable object - Cisco_R2
    4. On the FW entered the VPN domain as 1.1.1.1/32
    5. Created a VPN mesh community and set the Phase 1 and Phase 2 negotiation parameters
    6. Provided the pre-shared key
    7. Created a rule to allow ICMP only from R1-1.1.1.1 to R2-2.2.2.2. Do we need to mention the VPN community in the rule as well? I tried both ways but it didn't work.

    On the Cisco end this is the configuration:

    ! Phase 1 (ISAKMP/IKEv1) proposal and the pre-shared key for the Check Point peer
    crypto isakmp policy 10
     encr 3des
     hash sha256
     authentication pre-share
     group 2
    crypto isakmp key 6 admin@123 address 192.168.229.11
    !
    ! Phase 2 (IPsec) transform set, wrapped in a profile so it can be bound to a tunnel interface
    crypto ipsec transform-set VPN-1 esp-3des esp-sha256-hmac
     mode tunnel
    crypto ipsec profile VPN-1
     set transform-set VPN-1
    !
    ! Tunnel0 carries the 12.12.12.0/24 point-to-point link to the Check Point VTI (12.12.12.2).
    ! No "tunnel mode" line is present, so IOS uses its default GRE encapsulation on this interface.
    interface Tunnel0
     ip address 12.12.12.1 255.255.255.0
     tunnel source 192.168.229.10
     tunnel destination 192.168.229.11
     tunnel protection ipsec profile VPN-1
    end
    !
    ! Route the R1 loopback behind the firewall into the tunnel
    ip route 1.1.1.1 255.255.255.255 Tunnel0


    ---------------------------------------------------------------------------------------------

    R2#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst src state conn-id status
    192.168.229.11 192.168.229.10 QM_IDLE 1001 ACTIVE

    IPv6 Crypto ISAKMP SA


    R2#sh crypto ipsec sa

    interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 192.168.229.10

    protected vrf: (none)
    local ident (addr/mask/prot/port): (192.168.229.10/255.255.255.255/47/0)
    remote ident (addr/mask/prot/port): (192.168.229.11/255.255.255.255/47/0)
    current_peer 192.168.229.11 port 500
    PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

    local crypto endpt.: 192.168.229.10, remote crypto endpt.: 192.168.229.11
    path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
    current outbound spi: 0x62F75543(1660376387)
    PFS (Y/N): N, DH group: none

    inbound esp sas:
    spi: 0xC551409E(3310436510)
    transform: esp-3des esp-sha256-hmac ,
    in use settings ={Tunnel, }
    conn id: 1, flow_id: 1, sibling_flags 80004040, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4608000/970)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
    spi: 0x62F75543(1660376387)
    transform: esp-3des esp-sha256-hmac ,
    in use settings ={Tunnel, }
    conn id: 2, flow_id: 2, sibling_flags 80004040, crypto map: Tunnel0-head-0
    sa timing: remaining key lifetime (k/sec): (4608000/970)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE(ACTIVE)

    outbound ah sas:

    outbound pcp sas:
    R2#

    Kindly advise if i am missing something.

    Thanks

  4. #4
    Join Date
    2017-04-08
    Posts
    17
    Rep Power
    0

    Re: Route Based VPN with Cisco router

    Next steps: I verified the configuration again and found I had not set a VPN domain on the interoperable object. This time I added an empty group as the VPN domain on both the Check Point firewall and the interoperable object.

    At the moment I am still not able to ping 2.2.2.2 from 1.1.1.1, but in the logs I can see the firewall is accepting the traffic.

    I ran the fw monitor command and got this output:

    [vs_0][fw_0] eth1:i[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=90
    ICMP: type=8 code=0 echo request id=13 seq=0
    [vs_0][fw_0] eth1:I[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=90
    ICMP: type=8 code=0 echo request id=13 seq=0
    [vs_0][fw_0] vpnt10:o[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=90
    ICMP: type=8 code=0 echo request id=13 seq=0
    [vs_0][fw_0] vpnt10:O[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=90
    ICMP: type=8 code=0 echo request id=13 seq=0
    [vs_0][fw_0] eth1:i[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=91
    ICMP: type=8 code=0 echo request id=13 seq=1
    [vs_0][fw_0] eth1:I[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=91
    ICMP: type=8 code=0 echo request id=13 seq=1
    [vs_0][fw_0] vpnt10:o[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=91
    ICMP: type=8 code=0 echo request id=13 seq=1
    [vs_0][fw_0] vpnt10:O[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=91
    ICMP: type=8 code=0 echo request id=13 seq=1
    [vs_0][fw_0] eth1:i[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=92
    ICMP: type=8 code=0 echo request id=13 seq=2
    [vs_0][fw_0] eth1:I[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=92
    ICMP: type=8 code=0 echo request id=13 seq=2
    [vs_0][fw_0] vpnt10:o[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=92
    ICMP: type=8 code=0 echo request id=13 seq=2
    [vs_0][fw_0] vpnt10:O[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=92
    ICMP: type=8 code=0 echo request id=13 seq=2

    Does fw monitor show the echo reply packets as well? It seems there is an issue with the Cisco router configuration?

    I ran Wireshark between the Check Point and R2 but couldn't see any VPN packets.

  5. #5
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    265
    Rep Power
    12

    Re: Route Based VPN with Cisco router

    This is a lab, right? You should see replies in fw monitor. SecureXL sometimes messes with that, though. As long as this is a lab environment, let's disable SecureXL to ensure we see all the packets in fw monitor:

    fwaccel off



    Based on the fw monitor, your configuration on the Check Point side is correct up to the point of sending the traffic to the tunnel interface. In an unfiltered capture, you should also see an o-O pair for the encrypted traffic going from the firewall to R2.

    Rather than pinging a loopback on the router which terminates the VPN, it may be a good idea to set up a host behind that router and try to ping that through the VPN. That way, you can run a tcpdump or Wireshark capture on the endpoint to see if it receives the ping request and if it sends a reply.
    Zimmie
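    To make the reasoning in posts #3 to #5 reproducible, here is an added example (not code from the thread, from Check Point or from Cisco) that correlates the two outputs posted above: it parses fw monitor lines into per-echo paths through the inspection points (i, I, o, O), parses the proxy IDs and packet counters from `show crypto ipsec sa`, and reports where the ping stops. The sample captures are constructed from the lines in the thread, the VTI prefix `vpnt` is taken from the fw monitor output, and `EXPECTED_SELECTOR` encodes post #2's statement that the Check Point side negotiates 0.0.0.0/0 to 0.0.0.0/0 for a route-based VPN; the function and variable names are the example's own.

```python
"""Correlate a Check Point `fw monitor` capture with a Cisco `show crypto ipsec sa`
excerpt to localise where a route-based VPN ping dies.

Added example, not code from the thread, Check Point or Cisco. Samples are
constructed from the lines posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: two echo requests cross eth1 (i/I) and leave vpnt10 (o/O); no replies.
FW_MONITOR_SAMPLE = """\
[vs_0][fw_0] eth1:i[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=90
ICMP: type=8 code=0 echo request id=13 seq=0
[vs_0][fw_0] eth1:I[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=90
ICMP: type=8 code=0 echo request id=13 seq=0
[vs_0][fw_0] vpnt10:o[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=90
ICMP: type=8 code=0 echo request id=13 seq=0
[vs_0][fw_0] vpnt10:O[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=90
ICMP: type=8 code=0 echo request id=13 seq=0
[vs_0][fw_0] eth1:i[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=91
ICMP: type=8 code=0 echo request id=13 seq=1
[vs_0][fw_0] eth1:I[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=91
ICMP: type=8 code=0 echo request id=13 seq=1
[vs_0][fw_0] vpnt10:o[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=91
ICMP: type=8 code=0 echo request id=13 seq=1
[vs_0][fw_0] vpnt10:O[100]: 1.1.1.1 -> 2.2.2.2 (ICMP) len=100 id=91
ICMP: type=8 code=0 echo request id=13 seq=1
"""

# Constructed excerpt of the router output posted in the thread (proto 47 is GRE).
IPSEC_SA_SAMPLE = """\
interface: Tunnel0
local ident (addr/mask/prot/port): (192.168.229.10/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (192.168.229.11/255.255.255.255/47/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Status: ACTIVE(ACTIVE)
"""

# Post #2: a Check Point route-based VPN negotiates any-to-any, any protocol.
EXPECTED_SELECTOR = ("0.0.0.0", "0.0.0.0", 0)

HDR_RE = re.compile(r"\]\s+(?P<iface>[\w.-]+):(?P<point>[iIoO])\[\d+\]:\s+(?P<src>\S+) -> (?P<dst>\S+)")
ICMP_RE = re.compile(r"ICMP: type=(?P<type>\d+) code=\d+ .*?id=(?P<id>\d+) seq=(?P<seq>\d+)")
IDENT_RE = r"{side} ident \(addr/mask/prot/port\): \((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/(?P<proto>\d+)/\d+\)"


def parse_fw_monitor(text):
    """Group fw monitor lines by ICMP (id, seq) and list the inspection points
    each request and reply passed, in capture order (e.g. 'vpnt10:O')."""
    flows = defaultdict(lambda: {"request": [], "reply": []})
    lines = text.splitlines()
    for hdr, body in zip(lines, lines[1:]):  # a header line is followed by its ICMP line
        h, b = HDR_RE.search(hdr), ICMP_RE.match(body)
        if not (h and b):
            continue
        kind = {"8": "request", "0": "reply"}.get(b["type"])
        if kind:
            flows[(int(b["id"]), int(b["seq"]))][kind].append(f"{h['iface']}:{h['point']}")
    return dict(flows)


def classify_echoes(flows, vti_prefix="vpnt"):
    """Per echo: did the request reach the VTI's post-outbound point (O), and did a reply return?"""
    verdicts = {}
    for key, f in flows.items():
        left_vti = any(p.startswith(vti_prefix) and p.endswith(":O") for p in f["request"])
        if f["reply"]:
            verdicts[key] = "reply_seen"
        elif left_vti:
            verdicts[key] = "sent_into_vti_no_reply"
        else:
            verdicts[key] = "never_reached_vti"
    return verdicts


def parse_ipsec_sa(text):
    """Extract negotiated proxy IDs, packet counters and status from one SA block."""
    sa = {}
    for side in ("local", "remote"):
        m = re.search(IDENT_RE.format(side=side), text)
        sa[side] = (m["addr"], m["mask"], int(m["proto"])) if m else None
    sa["encaps"] = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    sa["decaps"] = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    sa["active"] = "Status: ACTIVE" in text
    return sa


def triage(fw_text, sa_text):
    """Combine both views into a short list of things to check next."""
    verdicts = classify_echoes(parse_fw_monitor(fw_text))
    sa = parse_ipsec_sa(sa_text)
    findings = []
    stuck = sum(v == "sent_into_vti_no_reply" for v in verdicts.values())
    if stuck:
        findings.append(f"{stuck} echo request(s) left the VTI on the firewall with no reply captured")
    if sa["active"] and sa["decaps"] == 0 and stuck:
        findings.append("router SA is ACTIVE but has decapsulated 0 packets: nothing the firewall "
                        "sent was accepted on that SA")
    for side in ("local", "remote"):
        if sa[side] and sa[side] != EXPECTED_SELECTOR:
            addr, mask, proto = sa[side]
            findings.append(f"router {side} ident is {addr}/{mask} proto {proto}, not the "
                            "0.0.0.0/0 any-protocol selector the Check Point side negotiates")
    return findings


if __name__ == "__main__":
    for line in triage(FW_MONITOR_SAMPLE, IPSEC_SA_SAMPLE):
        print("-", line)
```

    Run against the thread's own output the triage reports that every request left vpnt10:O with no reply, that the router's SA is ACTIVE with zero decapsulations, and that both router identities are host/GRE selectors rather than the 0.0.0.0/0 pair post #2 describes; which of those to chase first is a judgement call, but the three checks together narrow the problem to the encrypted leg between the firewall and R2, which is exactly where post #5 suggests capturing next.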

  6. #6
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,229
    Rep Power
    13

    Re: Route Based VPN with Cisco router

    You can also switch off just the VPN acceleration function of SecureXL with this command: sim vpn off;fwaccel off;fwaccel on

    All other acceleration functions of SecureXL will remain active, but any VPN traffic will always be sent F2F and thus be fully visible with fw monitor.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com
