CPUG: The Check Point User Group

Thread: VPN Tunnel is UP but traffic is getting dropped

  1. #1

    VPN Tunnel is UP but traffic is getting dropped

    Hi All,

    I have a site-to-site VPN tunnel between a Check Point and a Cisco ASA. Phase 1 and phase 2 complete successfully, but I cannot ping from the router behind the Check Point firewall to the router behind the ASA firewall.

    In the logs I can see the following message:

    Quick Mode Received Notification from Peer: Responder Lifetime

    I changed the phase 2 lifetime to the default that is configured on the Check Point (3600 seconds):

    crypto ipsec security-association lifetime seconds 3600

    But no luck.

    Strangely, when I initiate the tunnel from the ASA end, the tunnel doesn't come up.

    Encryption domain on the Check Point side:
    A: 192.168.254.0/24
    B: 3.3.3.3/25
    C: 3.3.3.128/25

    Encryption domain on the ASA end:
    A: 20.0.0.0/24
    B: 192.168.12.0/24

    Cisco configuration:

    ! Interfaces: outside faces the Check Point peer, inside faces the local LAN
    !
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 10.1.1.1 255.255.255.0
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 20.1.1.1 255.255.255.0
    !
    ! Network objects for both encryption domains
    object network Checkpoint_Net_192.168.254.0_24
    subnet 192.168.254.0 255.255.255.0
    object network Checkpoint_Net_3.3.3.0_25
    subnet 3.3.3.0 255.255.255.128
    object network Checkpoint_Net_3.3.3.128_25
    subnet 3.3.3.128 255.255.255.128
    object network ASA_Net_192.168.12.0_24
    subnet 192.168.12.0 255.255.255.0
    object network ASA_Net_20.1.1.0_24
    subnet 20.1.1.0 255.255.255.0
    !
    ! Crypto ACL (interesting traffic); each entry becomes one proxy-ID pair
    access-list VPN extended permit ip object ASA_Net_192.168.12.0_24 object Checkpoint_Net_192.168.254.0_24
    access-list VPN extended permit ip object ASA_Net_20.1.1.0_24 object Checkpoint_Net_3.3.3.0_25
    access-list VPN extended permit ip object ASA_Net_20.1.1.0_24 object Checkpoint_Net_3.3.3.128_25
    access-list VPN extended permit ip object ASA_Net_20.1.1.0_24 object Checkpoint_Net_192.168.254.0_24
    access-list VPN extended permit ip object Checkpoint_Net_192.168.254.0_24 object ASA_Net_192.168.12.0_24
    access-list VPN extended permit ip object Checkpoint_Net_192.168.254.0_24 object ASA_Net_20.1.1.0_24
    access-list VPN extended permit ip object Checkpoint_Net_3.3.3.0_25 object ASA_Net_192.168.12.0_24
    access-list VPN extended permit ip object Checkpoint_Net_3.3.3.0_25 object ASA_Net_20.1.1.0_24
    access-list VPN extended permit ip object Checkpoint_Net_3.3.3.128_25 object ASA_Net_192.168.12.0_24
    access-list VPN extended permit ip object Checkpoint_Net_3.3.3.128_25 object ASA_Net_20.1.1.0_24
    access-list VPN extended permit ip object ASA_Net_192.168.12.0_24 object Checkpoint_Net_3.3.3.128_25
    access-list VPN extended permit ip object ASA_Net_192.168.12.0_24 object Checkpoint_Net_3.3.3.0_25
    !
    ! Phase 2 (IPsec) parameters and the crypto map bound to the outside interface
    crypto ipsec ikev1 transform-set VPN esp-aes-256 esp-sha-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec security-association pmtu-aging infinite
    crypto map OUT 10 match address VPN
    crypto map OUT 10 set peer 192.168.155.20
    crypto map OUT 10 set ikev1 transform-set VPN
    crypto map OUT interface outside
    !
    ! Phase 1 (IKEv1) policy
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    !
    ! Tunnel group for the Check Point peer (pre-shared key authentication)
    tunnel-group 192.168.155.20 type ipsec-l2l
    tunnel-group 192.168.155.20 ipsec-attributes
    ikev1 pre-shared-key *****

    Check Point code: R80.10
    ASA code: 9.1(5)16

    Kindly please advise.

    Thanks

  2. #2

    Re: VPN Tunnel is UP but traffic is getting dropped

    Your configuration does not seem to be correct. You had:

    Encryption domain on the Check Point side:
    A: 192.168.254.0/24
    B: 3.3.3.3/25
    C: 3.3.3.128/25

    Encryption domain on the ASA end:
    A: 20.0.0.0/24
    B: 192.168.12.0/24

    And yet, you also include 3.3.3.0/25 and 3.3.3.128/25 on the Cisco side. Which one is it?

    Anyway, Check Point will supernet 3.3.3.0/25 and 3.3.3.128/25 into 3.3.3.0/24, and that will cause an issue with the Cisco. Use dbedit to change the value of IKE_largest_possible_subnet from "true" to "false". It will work after that.
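The supernetting problem the reply describes, worked through as an added example (this is not code from the thread or from either vendor): it simulates IKEv1 Quick Mode proxy-ID matching between a Check Point initiator and the ASA's posted crypto ACL, once with adjacent subnets merged into the largest possible subnet and once without. Assumptions, labelled in the code as well: the ASA as responder accepts a proposal only when the proposed pair exactly equals one crypto-ACL entry; the post's "3.3.3.3/25" is taken as 3.3.3.0/25, the object the ASA defines; the ASA domain is taken from the posted objects (20.1.1.0/24, not the 20.0.0.0/24 stated in the text); the function and constant names are my own.

```python
"""Simulate Quick Mode proxy-ID negotiation: Check Point (initiator) vs Cisco ASA
(responder), to show why merging adjacent subnets breaks the tunnel in the thread.

Added example, not from the original post.  Assumptions:
  * the ASA accepts a proposal only when (proposed remote, proposed local) exactly
    equals (source, destination) of one crypto-ACL entry;
  * with the largest-possible-subnet behaviour on, Check Point collapses adjacent
    networks of an encryption domain into one supernet before proposing;
  * "3.3.3.3/25" from the post is read as 3.3.3.0/25 (the ASA's object).
"""
from ipaddress import IPv4Network, collapse_addresses
from itertools import product

# Encryption domains, constructed from the thread (see assumptions above).
CHECKPOINT_DOMAIN = ["192.168.254.0/24", "3.3.3.0/25", "3.3.3.128/25"]
ASA_DOMAIN = ["20.1.1.0/24", "192.168.12.0/24"]

# The ASA "access-list VPN" entries exactly as posted, as (source, destination).
# Entries with a Check Point network as source are kept as posted; under the
# exact-match model they never match a proposal initiated by Check Point.
ASA_CRYPTO_ACL = [
    ("192.168.12.0/24", "192.168.254.0/24"),
    ("20.1.1.0/24", "3.3.3.0/25"),
    ("20.1.1.0/24", "3.3.3.128/25"),
    ("20.1.1.0/24", "192.168.254.0/24"),
    ("192.168.254.0/24", "192.168.12.0/24"),
    ("192.168.254.0/24", "20.1.1.0/24"),
    ("3.3.3.0/25", "192.168.12.0/24"),
    ("3.3.3.0/25", "20.1.1.0/24"),
    ("3.3.3.128/25", "192.168.12.0/24"),
    ("3.3.3.128/25", "20.1.1.0/24"),
    ("192.168.12.0/24", "3.3.3.128/25"),
    ("192.168.12.0/24", "3.3.3.0/25"),
]


def valid_network(cidr):
    """True only if cidr is a proper network address (no host bits set).
    "3.3.3.3/25" as written in the post is not one; "3.3.3.0/25" is."""
    try:
        IPv4Network(cidr)  # strict by default: host bits set -> ValueError
        return True
    except ValueError:
        return False


def checkpoint_proposals(local_domain, remote_domain, largest_possible_subnet):
    """(local, remote) proxy-ID pairs Check Point would propose, as CIDR strings.

    With largest_possible_subnet=True adjacent networks are merged first
    (3.3.3.0/25 + 3.3.3.128/25 -> 3.3.3.0/24); with False each network is
    proposed as-is.
    """
    local = [IPv4Network(c) for c in local_domain]
    remote = [IPv4Network(c) for c in remote_domain]
    if largest_possible_subnet:
        local = list(collapse_addresses(local))
        remote = list(collapse_addresses(remote))
    return sorted((str(l), str(r)) for l, r in product(local, remote))


def asa_accepts(proposal, acl):
    """Assumed ASA responder check: the initiator's (local, remote) must equal one
    ACE seen from the ASA side, i.e. ACE source == proposed remote and
    ACE destination == proposed local."""
    cp_local, asa_remote = proposal
    return any(IPv4Network(src) == IPv4Network(asa_remote)
               and IPv4Network(dst) == IPv4Network(cp_local)
               for src, dst in acl)


def rejected_proposals(largest_possible_subnet):
    """Proposals from Check Point that the posted ASA crypto ACL would reject."""
    props = checkpoint_proposals(CHECKPOINT_DOMAIN, ASA_DOMAIN, largest_possible_subnet)
    return [p for p in props if not asa_accepts(p, ASA_CRYPTO_ACL)]


if __name__ == "__main__":
    print("3.3.3.3/25 is a valid network:", valid_network("3.3.3.3/25"))
    for flag in (True, False):
        bad = rejected_proposals(flag)
        print(f"largest_possible_subnet={flag}: {len(bad)} rejected proposal(s)")
        for local, remote in bad:
            print(f"  Check Point proposes {local} <-> {remote}: no matching ACE on ASA")
```

With merging on, the two proposals carrying 3.3.3.0/24 have no matching ACE, so Quick Mode for those pairs fails while phase 1 and the 192.168.254.0/24 pairs still come up, which is what "tunnel up, traffic dropped" looks like; with merging off, all six pairs match the ACL. The same script flags the other inconsistency the reply asks about: 3.3.3.3/25 is not a valid network address, and the ACL's 20.1.1.0/24 is not the 20.0.0.0/24 the post lists, so whichever side is wrong also has to be corrected for the proxy IDs to agree.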
