CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Domain based VPN at checkpoint side and route based VPN on Cisco router

  1. #1

    Hi All,

    I have a setup where we have a domain-based VPN on the Check Point side and a route-based VPN on the Cisco router. My phase 1 and phase 2 are up, but I am not able to ping from end host to end host.


    When I initiate the traffic from behind the Check Point side, my traffic is encrypted and sent to the Cisco router, but no reply comes.
    I can see the packet is being decapsulated but not encapsulated.

    When traffic is initiated from the Cisco router side, I get these logs on the Check Point:

    Clear text packet should be encrypted

    When I add a default route at the Cisco end pointing to the tunnel interface, the tunnel interface goes down and gives the error below:

    *Sep 6 22:15:32.899: %ADJ-5-PARENT: Midchain parent maintenance for IP midchain out of Tunnel0 - looped chain attempting to stack
    *Sep 6 22:15:33.879: %SYS-5-CONFIG_I: Configured from console by console
    R2#
    *Sep 6 22:15:38.123: %TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing
    R2#
    *Sep 6 22:15:38.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down


    Cisco router config:

    R2#sh run
    Building configuration...

    Current configuration : 1699 bytes
    !
    ! Last configuration change at 22:21:41 UTC Fri Sep 6 2019
    !
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    !
    hostname R2
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    no aaa new-model
    no ip icmp rate-limit unreachable
    ip cef
    !
    !
    !
    !
    !
    !
    no ip domain lookup
    no ipv6 cef
    !
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip tcp synwait-time 5
    !
    !
    !
    !
    !
    crypto isakmp policy 10
    authentication pre-share
    group 2
    crypto isakmp key vpn123 address 192.168.155.100
    !
    !
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    mode tunnel
    !
    crypto ipsec profile IPSEC
    set transform-set TSET
    !
    !
    !
    !
    !
    !
    !
    interface Tunnel0
    ip address 12.12.12.12 255.255.255.0
    tunnel source FastEthernet0/0
    tunnel mode ipsec ipv4
    tunnel destination 192.168.155.100
    tunnel protection ipsec profile IPSEC
    !
    interface FastEthernet0/0
    ip address 10.10.10.11 255.255.255.0
    speed auto
    duplex auto
    !
    interface FastEthernet0/1
    ip address 10.1.23.2 255.255.255.0
    speed auto
    duplex auto
    !
    interface FastEthernet1/0
    no ip address
    shutdown
    speed auto
    duplex auto
    !
    interface FastEthernet1/1
    no ip address
    shutdown
    speed auto
    duplex auto
    !
    interface FastEthernet2/0
    no ip address
    shutdown
    speed auto
    duplex auto
    !
    interface FastEthernet2/1
    no ip address
    shutdown
    speed auto
    duplex auto
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    ip route 0.0.0.0 0.0.0.0 10.10.10.10
    ip route 192.168.254.0 255.255.255.0 Tunnel0
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line aux 0
    exec-timeout 0 0
    privilege level 15
    logging synchronous
    stopbits 1
    line vty 0 4
    login
    !
    !
    end

    R2#

    Subnet behind the Check Point and part of the VPN domain: 192.168.254.0/24
    Subnet behind the Cisco router: 10.1.23.0/24

    Check Point external interface: 192.168.155.100/24
    Cisco router external interface: 10.10.10.11

    Kindly suggest where the issue is.

  2. #2

    Do you have a /32 static route for the Check Point Internet peer address out the external interface of the Cisco? My guess is once the default route says go down the tunnel, that ends up including the peer address, which makes the Cisco angry.

    BTW, why didn't you create a VTI on the Check Point side? Seems like that would be the next problem, unless the VPN is set up to do all subnets on the Check Point? I haven't tried mixing those, so I'm not sure.
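The recursion that reply #2 describes can be reproduced from the posted routing table alone. The following is an added example, not code from the thread or from Cisco: it models an IOS-style longest-prefix lookup with recursive next-hop resolution and checks whether the tunnel destination (192.168.155.100, from the posted config) would itself be sent into Tunnel0. Interface names, the 10.10.10.10 upstream gateway and the 192.168.254.1 host are taken from the posted config or constructed for the demo; the lookup is a simplification of what IOS actually does.

```python
# Added example (not from the thread): models how IOS resolves the tunnel
# destination through the routing table and why a default route that points
# at Tunnel0 makes the tunnel "recursive" (%TUN-5-RECURDOWN). The lookup
# here is a simplified longest-prefix match with recursive next-hop
# resolution; addresses and interface names come from the posted config.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: str  # next-hop address ("10.10.10.10") or egress interface ("Tunnel0")


TUNNEL_IF = "Tunnel0"
TUNNEL_DEST = IPv4Address("192.168.155.100")   # tunnel destination (Check Point peer)
PEER_HOST_ROUTE = IPv4Network("192.168.155.100/32")
EXTERNAL_NEXT_HOP = "10.10.10.10"              # upstream gateway on FastEthernet0/0
CHECKPOINT_LAN_HOST = IPv4Address("192.168.254.1")  # constructed: a host behind the Check Point

# Connected routes from the posted interface addresses.
CONNECTED: List[Route] = [
    Route(IPv4Network("10.10.10.0/24"), "FastEthernet0/0"),
    Route(IPv4Network("10.1.23.0/24"), "FastEthernet0/1"),
    Route(IPv4Network("12.12.12.0/24"), TUNNEL_IF),
]


def posted_table() -> List[Route]:
    """Static routes exactly as in the posted 'sh run'."""
    return CONNECTED + [
        Route(IPv4Network("0.0.0.0/0"), EXTERNAL_NEXT_HOP),
        Route(IPv4Network("192.168.254.0/24"), TUNNEL_IF),
    ]


def default_via_tunnel_table() -> List[Route]:
    """The change the poster tried: default route pointed at Tunnel0."""
    return CONNECTED + [Route(IPv4Network("0.0.0.0/0"), TUNNEL_IF)]


def fixed_table() -> List[Route]:
    """Default via the tunnel, plus the /32 host route for the peer out the
    external path that reply #2 suggests."""
    return CONNECTED + [
        Route(IPv4Network("0.0.0.0/0"), TUNNEL_IF),
        Route(PEER_HOST_ROUTE, EXTERNAL_NEXT_HOP),
    ]


def lookup(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match; None if nothing covers dst."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def resolve_egress(table: List[Route], dst: IPv4Address, max_depth: int = 8) -> Optional[str]:
    """Follow next hops until a route points at an interface; None if unresolvable."""
    for _ in range(max_depth):
        route = lookup(table, dst)
        if route is None:
            return None
        try:
            dst = IPv4Address(route.via)  # a next-hop address: look it up again
        except ValueError:
            return route.via              # an interface name: done
    return None


def tunnel_is_recursive(table: List[Route]) -> bool:
    """True when the tunnel destination itself would be sent into the tunnel."""
    return resolve_egress(table, TUNNEL_DEST) == TUNNEL_IF


if __name__ == "__main__":
    for name, table in [("posted", posted_table()),
                        ("default via Tunnel0", default_via_tunnel_table()),
                        ("default via Tunnel0 + /32 for peer", fixed_table())]:
        print(f"{name:36s} peer egress={str(resolve_egress(table, TUNNEL_DEST)):16s} "
              f"recursive={tunnel_is_recursive(table)}")
```

In IOS terms the "fixed" table is the posted config with the default route moved to Tunnel0 and one extra line, `ip route 192.168.155.100 255.255.255.255 10.10.10.10`, so that the encrypted packets to the peer still leave via FastEthernet0/0 while everything else is steered into the tunnel.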

  3. #3

    You can mix domain-based and route-based VPNs just fine. The only trick is you need to be sure the domain-based VPN logic doesn't get triggered by traffic you want to go over the route-based VPN.

    That shouldn't matter here, though, since the Check Point side isn't picking the VPN by routing, but by the domain. For this to work, you should only need to make sure the proposals line up properly. This particular issue sounds like it's on the Cisco side. My bet is the Check Point side is doing something goofy like proposing just a network when the Cisco side expects 0/0 (or the other way around), the Cisco side doesn't like it, and it isn't giving you a useful error (VPN errors are purposefully vague to prevent someone from guessing the right parameters).

    Start an IKE debug. Try to bring the tunnel up from the Check Point side, bring it up from the Cisco side, then get the ike.elg and toss it in IKEView. It's generally pretty clear what doesn't match.
    Zimmie
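The proposal mismatch Zimmie describes (a specific network proposed against a peer expecting 0/0) is a proxy-ID comparison, and the part people most often get wrong is the mirroring: the initiator's "remote" is the responder's "local". The following is an added example, not code from the thread or from either vendor: it compares a domain-based proposal against a responder policy from the responder's point of view. The selectors are constructed from the subnets in the original post; the any/any policy reflects how an IOS VTI (tunnel mode ipsec ipv4) expresses its proxy IDs, and the ACL-style entries stand in for a crypto-map peer. Whether a given responder accepts a proposal that is narrower than its policy is platform- and version-specific, which this example deliberately does not encode; it only tells you which case you are in, which is what you would confirm in IKEView.

```python
# Added example (not from the thread): models the proxy-ID (traffic selector)
# comparison an IKEv1 responder performs in Quick Mode, from the responder's
# point of view. What the initiator calls "remote" is the responder's "local",
# so the proposal has to be mirrored before comparing. The policies below are
# constructed: a Cisco VTI (tunnel mode ipsec ipv4) uses any/any proxy IDs,
# while a crypto-map ACL would carry explicit subnets. Whether a responder
# accepts a narrower-than-policy proposal is platform-specific and not
# encoded here; the function only reports which case you are in.
from ipaddress import IPv4Network
from typing import List, Tuple

Selector = Tuple[IPv4Network, IPv4Network]  # (local, remote) as seen by that side

ANY = IPv4Network("0.0.0.0/0")
CHECKPOINT_DOMAIN = IPv4Network("192.168.254.0/24")  # VPN domain from the post
CISCO_LAN = IPv4Network("10.1.23.0/24")               # subnet behind the Cisco

# What a domain-based Check Point gateway proposes: its VPN domain to the peer's domain.
CHECKPOINT_PROPOSAL: Selector = (CHECKPOINT_DOMAIN, CISCO_LAN)

# Responder policies on the Cisco side (constructed for the demo).
CISCO_VTI_POLICY: List[Selector] = [(ANY, ANY)]
CISCO_ACL_POLICY: List[Selector] = [(CISCO_LAN, CHECKPOINT_DOMAIN)]
REVERSED_ACL_POLICY: List[Selector] = [(CHECKPOINT_DOMAIN, CISCO_LAN)]  # ACL written backwards


def mirror(sel: Selector) -> Selector:
    """Initiator's (local, remote) as the responder sees it: (remote, local)."""
    return (sel[1], sel[0])


def classify_proposal(initiator: Selector, responder_policy: List[Selector]) -> str:
    """'match'  : mirrored proposal equals one policy entry exactly
       'subset' : proposal falls inside a policy entry but is narrower (e.g. /24s vs any/any)
       'none'   : no policy entry covers it (e.g. ACL written backwards)"""
    want_local, want_remote = mirror(initiator)
    if any(want_local == pl and want_remote == pr for pl, pr in responder_policy):
        return "match"
    if any(want_local.subnet_of(pl) and want_remote.subnet_of(pr)
           for pl, pr in responder_policy):
        return "subset"
    return "none"


if __name__ == "__main__":
    for name, policy in [("VTI any/any", CISCO_VTI_POLICY),
                         ("crypto-map ACL", CISCO_ACL_POLICY),
                         ("reversed ACL", REVERSED_ACL_POLICY)]:
        print(f"{name:16s} -> {classify_proposal(CHECKPOINT_PROPOSAL, policy)}")
```

The "subset" result is the situation in this thread: the Check Point proposes two /24s while the VTI side carries any/any. The "none" result is the other classic cause of a silently failing phase 2, a crypto ACL whose source and destination are swapped relative to the peer; IKEView shows the same symptom (no matching SA) for both, so check which one you have before changing anything.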
