CPUG: The Check Point User Group


Thread: SMB ipsec s2s with Edgerouter

  1. #1 (Join Date: 2011-08-02, Location: http://spikefishsolutions.com)

    SMB ipsec s2s with Edgerouter

    Well.. this took a while to figure out.

    High level

    Two site-to-site VPN peers agree on Phase 1 and Phase 2 (using PSK and IKEv2).

    Peer 1 (EdgeRouter) says: heck yeah, Phase II is great, let's do raw ESP (raw protocol 50).

    Peer 2 (SMB 730) says: heck yeah, Phase II is great, let's do ESP over UDP (4500) all day long!

    Think this should work? In this case it sure didn't... I'm just not sure this should have worked in the first place.

    We couldn't get the EdgeRouter to unencapsulate the ESP-over-UDP packets until an option to force NAT-T was enabled on the EdgeRouter. After that the VPN tunnel started working (and thus the EdgeRouter stopped sending raw ESP packets).


    I'm honestly not sure if this has happened before and I just haven't noticed it or not (ESP one way, ESP over UDP the other). Anyone seen something like that before? I'm thinking about it and I don't know... if both sides say they support NAT-T, does that mean they're going to use it for sure? Not sure what the trigger is. BTW, both peers have routable IPs and shouldn't need NAT-T. I did find an option on the SMB that basically says force NAT-T. We didn't try disabling this on the SMB, FYI.

    Side note... so many four-letter words used against the EdgeRouter... which is really just Linux and strongSwan.

  2. #2 (Join Date: 2011-08-02, Location: http://spikefishsolutions.com)

    Re: SMB ipsec s2s with Edgerouter

    So I still have no idea if this should work or not... but the major problem we found was that the ISP (we'll call them Aye Tee Tee) blocks inbound ESP, which is awesome.

    Check Point can be forced to NAT-T the ESP connection, which fixes the issue as UDP 4500 isn't blocked.
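The "trigger" asked about in post #1 is the IKEv2 NAT detection exchange (RFC 7296, section 2.23): each side sends NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP payloads, each a SHA-1 over the two IKE SPIs plus an address and port, and the receiver recomputes them over the source address and port it actually observed. If everything matches there is no NAT, and a peer that is not forced otherwise sends raw ESP (IP protocol 50). The model below, an added example that is not code from the thread or from either vendor, shows why two routable peers default to raw ESP, how a "force NAT-T" knob on one side produces the one-way symptom from post #1 (UDP 4500 in one direction, protocol 50 in the other), and how the fix from post #2 works once ESP is filtered. Addresses, SPIs and peer names are constructed; the `signal_fake_natd` switch is an assumption about how a forced-NAT-T peer might lie in its NAT-D payload so that the other side also switches, not a claim about what the SMB 730 or strongSwan actually emit on the wire.

```python
"""Model of IKEv2 NAT detection (RFC 7296 section 2.23) and the resulting
choice between raw ESP and ESP-in-UDP (NAT-T). Example code, not from the
thread or either vendor; all addresses and SPIs below are constructed."""
import hashlib
import ipaddress
import os
import struct
from dataclasses import dataclass

IKE_PORT = 500     # IKE without NAT-T
NATT_PORT = 4500   # IKE and ESP once UDP encapsulation is in use


def natd_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data: SHA-1(SPIi | SPIr | address | port)."""
    assert len(spi_i) == 8 and len(spi_r) == 8, "IKEv2 SPIs are 8 octets"
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


@dataclass
class Peer:
    name: str
    ip: str
    force_natt: bool = False        # the "force NAT-T" knob on the gateway
    signal_fake_natd: bool = False  # ASSUMPTION: knob also sends a bogus NAT-D hash
    nat_seen: bool = False          # set after checking the peer's NAT-D payloads

    def natd_payloads(self, spi_i: bytes, spi_r: bytes, peer_ip: str):
        """Build NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP."""
        src = natd_hash(spi_i, spi_r, self.ip, IKE_PORT)
        if self.force_natt and self.signal_fake_natd:
            # A random hash can never match what the peer recomputes, so the
            # peer concludes "NAT in the path" and switches to UDP 4500.
            src = os.urandom(20)
        dst = natd_hash(spi_i, spi_r, peer_ip, IKE_PORT)
        return src, dst

    def check_natd(self, spi_i: bytes, spi_r: bytes, src_hash: bytes, dst_hash: bytes,
                   observed_src_ip: str, observed_src_port: int) -> None:
        """Recompute over what was seen on the wire; any mismatch means NAT."""
        peer_behind_nat = src_hash != natd_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
        me_behind_nat = dst_hash != natd_hash(spi_i, spi_r, self.ip, IKE_PORT)
        self.nat_seen = peer_behind_nat or me_behind_nat

    def esp_transport(self) -> str:
        """What this side will use for its own outbound ESP after IKE_SA_INIT."""
        return "udp/4500" if (self.nat_seen or self.force_natt) else "esp/50"


def negotiate(a: Peer, b: Peer):
    """Exchange NAT-D payloads both ways with no NAT device in the path and
    return the outbound ESP transport each side settles on."""
    spi_i = bytes.fromhex("0102030405060708")  # constructed initiator SPI
    spi_r = bytes.fromhex("1112131415161718")  # constructed responder SPI
    a_src, a_dst = a.natd_payloads(spi_i, spi_r, b.ip)
    b.check_natd(spi_i, spi_r, a_src, a_dst, a.ip, IKE_PORT)   # b sees a's real address
    b_src, b_dst = b.natd_payloads(spi_i, spi_r, a.ip)
    a.check_natd(spi_i, spi_r, b_src, b_dst, b.ip, IKE_PORT)   # a sees b's real address
    return a.esp_transport(), b.esp_transport()


def reaches_peer(transport: str, isp_blocks_inbound_esp: bool) -> bool:
    """Post #2: an ISP dropping inbound protocol 50 kills raw ESP but not UDP 4500."""
    return not (transport == "esp/50" and isp_blocks_inbound_esp)


if __name__ == "__main__":
    cases = {
        "both routable, nothing forced": (Peer("edge", "203.0.113.10"), Peer("smb", "198.51.100.20")),
        "SMB forces NAT-T locally only": (Peer("edge", "203.0.113.10"),
                                          Peer("smb", "198.51.100.20", force_natt=True)),
        "SMB forces NAT-T and signals it": (Peer("edge", "203.0.113.10"),
                                            Peer("smb", "198.51.100.20", force_natt=True,
                                                 signal_fake_natd=True)),
    }
    for label, (edge, smb) in cases.items():
        e, s = negotiate(edge, smb)
        print(f"{label}: EdgeRouter sends {e}, SMB sends {s}; "
              f"EdgeRouter's ESP reaches SMB behind ESP-blocking ISP: {reaches_peer(e, True)}")
```

The second case reproduces the symptom in post #1: the SMB encapsulates in UDP because it was told to, but the EdgeRouter, having seen matching NAT-D hashes, keeps sending protocol 50 and has no reason to expect UDP 4500 from the other side. Forcing NAT-T on the EdgeRouter as well (or having the forcing side signal it, as in the third case) makes both directions use UDP 4500, which is also what survives an ISP that drops inbound ESP.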
