Firewall-1

Re: [FW-1] please refer to solution sk19423

Subject: Re: [FW-1] please refer to solution sk19423
From: Sagiv Filler <sfiller AT TALDOR.CO DOT IL>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Tue, 22 Feb 2005 13:55:16 +0200
In order to solve this issue you will have to do one of two things:

1. Create identical encryption domains on both firewalls. This is not always 
smart. What I mean by identical is that the destination encryption domain on 
one fw will be the source encryption domain of the other, and vice versa.

2. Do the following:


Sometimes a site-to-site VPN tunnel with a third-party vendor fails with one or 
more errors. Depending on the VPN/encryption configuration and vendor involved, 
you may see one or more of the errors listed.
- Error: "Encryption failure: packet is dropped as there is no valid SA"
- Error: "No valid SA"
- Error: "Encryption failure: No response from peer"
- Error: "No proposal chosen"
- Error: "Invalid ID information" when VPN-1 gateway initiates Quick Mode
- Error: "Encryption failure: Could not identify peer for encryption rule"
- Can initiate tunnel from one side but no return traffic seen
- TCP dump on the external interface shows udp500 inbound but not routed past 
gateway
- Both sides support subnet-key exchange
- VPN instability after an IKE: Send Delete
- No information seen in SmartView Tracker logs for Phase two Quick Mode


The cause of that behaviour: the failure occurs due to 
configuration/misconfiguration of the VPN/encryption domain for firewalls involved 
in site-to-site VPN tunnels. Typically, this occurs when the VPN domain group 
contains either numerous networks, or numerous hosts from different consecutive 
networks along with network objects. We write all the relevant network objects, 
which are networks and included in the VPN domain of interoperable devices or 
Check Point gateways before FP1, to a kernel table called 
ranges_by_domain_table. Instead of calculating ranges for these gateways we 
take the information for the ID payload from this table. By default, when computing 
ranges for the Quick Mode ID, VPN-1 combines several subnets into one whenever 
possible. For example, if the encryption domain includes two adjacent networks, 
172.30.32.0/22 and 172.30.36.0/22, VPN-1 will negotiate the QM for one subnet, 
172.30.32.0/21. If the peer is a non-Check Point gateway, it will fail the key 
exchange because of the unexpected ID, since it computes the ranges differently.

Solution:

1. On the SmartCenter machine issue cpstop.
2. Backup the file.
3. Edit the $FWDIR/conf/objects_5_0.C file: change "ike_use_largest_possible_subnets" 
to "false".

4. Open $FWDIR/lib/user.def with a text editor (back up the file first).
Verify $FWDIR/lib/user.def contains the lines:
----------------------------------------
#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

#endif /* __user_def__ */
---------------------------------------

Troubleshooting the supernetting issue

Example:
1) Configure VPN domains for the local (10.10.0.0) and remote (192.168.x.x) gateways.
In the VPN domain of the local gateway, define a group with consecutive networks 
such as 192.168.100.0/255.255.255.0, 192.168.101.0/255.255.255.0, 
192.168.102.0/255.255.255.0

2) Enable ike.elg debug on the local firewall

3) Initiate the tunnel using a machine that is on 192.168.100.0 (remote side)

4) Review the ike.elg

Observe that the phase 2 keys have the subnet changed from 255.255.255.0 to 
255.255.25x.0, so that the phase 2 subnet key is large enough to include the 
complete number of networks defined.

This indicates the user.def edit is required to manually define the 
networks/hosts participating in encrypted traffic.

5) Modify the user.def file to manually define networks to encrypt traffic to/from.

3) Backup the $FWDIR/lib/user.def file
4) Edit the $FWDIR/lib/user.def file

Example 1
---------------------------------------
#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

max_subnet_for_range = {
<0.0.0.0, 194.29.39.255; 255.255.255.0>,
<194.29.40.0, 194.29.50.255; 255.255.255.255>,
<194.29.51.0, 255.255.255.255; 255.255.0.0>
};

#endif /* __user_def__ */
------------------------------
In Example 1, the configuration would work in the following way:
- For the host IP 194.29.23.1 the network IP would be 194.29.23.0/24
- For the host IP 194.29.46.45 the network IP would be 194.29.46.45 (just one 
IP).
- For the host IP 194.29.102.1 the network IP would be 194.29.0.0/16

Example 2
------------------------------
#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

max_subnet_for_range = {
<172.16.0.0, 172.28.255.255; 255.255.0.0>
};

#endif /* __user_def__ */
------------------------------
In Example 2, the configuration would work in the following way:
- For the host IP 172.16.1.1 the network IP would be 172.16.0.0/16

The general syntax for editing the $FWDIR/lib/conf files is as follows:
------------------------------
#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//

max_subnet_for_range = {
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
...
<first_IP_in_range, last_IP_in_the_range; subnet_mask>
};

#endif /* __user_def__ */
------------------------------
5) Save $FWDIR/lib/user.def file
6) Install policy on firewall module to make change effective

Results: The network and subnet for IKE negotiation will be determined 
according to the table above. The host's IP will be matched to the relevant entry in 
this table, and the entry's subnet will be used for negotiation. For ranges not 
specified in the table, the subnet mask will be determined as if the option 
"IKE_use_largest_possible_subnets" were set to "true", wherever relevant.

4. Save the file
5. Issue cpstart
6. Install the policy.

Hope it helps,

Sagiv
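The two Quick Mode ID behaviours described in the message above (the default supernetting of adjacent networks, and the first-match max_subnet_for_range table in user.def) as an added example, not code from the post or from Check Point. It lets an administrator predict the network ID the VPN-1 gateway would propose for a host and compare it with what the interoperable peer expects before installing a policy. The product's exact merge rule is not stated on the page, so exact_merge and covering_supernet are two assumed models of it; the table entries are copied from the post's Example 1 and Example 2.

```python
"""Added example (not from the post or Check Point): models the Quick Mode
ID selection described in the thread.

Assumptions: the real merge rule is not documented on the page, so two
plausible models are offered (exact_merge, covering_supernet); the user.def
table is applied first-match, as the text describes.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

# Constructed copies of the two user.def examples quoted in the post.
EXAMPLE_1 = """
max_subnet_for_range = {
<0.0.0.0, 194.29.39.255; 255.255.255.0>,
<194.29.40.0, 194.29.50.255; 255.255.255.255>,
<194.29.51.0, 255.255.255.255; 255.255.0.0>
};
"""
EXAMPLE_2 = """
max_subnet_for_range = {
<172.16.0.0, 172.28.255.255; 255.255.0.0>
};
"""

# <first_IP, last_IP; netmask> entries, tolerant of surrounding whitespace.
ENTRY_RE = re.compile(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>")

RangeEntry = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, str]


def parse_max_subnet_for_range(text: str) -> List[RangeEntry]:
    """Extract (first, last, netmask) tuples from a user.def fragment,
    rejecting reversed ranges and malformed masks before policy install."""
    entries: List[RangeEntry] = []
    for first, last, mask in ENTRY_RE.findall(text):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if hi < lo:
            raise ValueError(f"range end {last} precedes start {first}")
        ipaddress.IPv4Network(f"0.0.0.0/{mask}")  # raises on a bad netmask
        entries.append((lo, hi, mask))
    return entries


def negotiated_id(host: str, table: List[RangeEntry]) -> Optional[str]:
    """Network ID proposed for `host` under the table (first match wins).
    None means no entry matched, so the default largest-subnet logic applies."""
    addr = ipaddress.IPv4Address(host)
    for lo, hi, mask in table:
        if lo <= addr <= hi:
            return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False))
    return None


def exact_merge(networks: Iterable[str]) -> List[str]:
    """Merge adjacent networks only where one CIDR block covers them exactly,
    e.g. 172.30.32.0/22 + 172.30.36.0/22 -> 172.30.32.0/21."""
    nets = [ipaddress.IPv4Network(n, strict=False) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covering_supernet(networks: Iterable[str]) -> str:
    """Smallest single CIDR block containing every network: the model that
    matches the ike.elg observation of 255.255.255.0 widening to 255.255.25x.0
    until every domain network fits."""
    nets = [ipaddress.IPv4Network(n, strict=False) for n in networks]
    if not nets:
        raise ValueError("empty VPN domain")
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


EXAMPLE_1_TABLE = parse_max_subnet_for_range(EXAMPLE_1)
EXAMPLE_2_TABLE = parse_max_subnet_for_range(EXAMPLE_2)

if __name__ == "__main__":
    # The three consecutive /24s from the troubleshooting walk-through.
    domain = ["192.168.100.0/255.255.255.0", "192.168.101.0/255.255.255.0",
              "192.168.102.0/255.255.255.0"]
    print("exact merge:      ", exact_merge(domain))        # ['192.168.100.0/23', '192.168.102.0/24']
    print("covering supernet:", covering_supernet(domain))  # 192.168.100.0/22
    for host in ("194.29.23.1", "194.29.46.45", "194.29.102.1"):
        print(host, "->", negotiated_id(host, EXAMPLE_1_TABLE))
```

Run it with the networks of the local gateway's VPN domain and compare the printed IDs with the subnets configured on the peer; a mismatch is the "Invalid ID information" / "No proposal chosen" failure before it happens, and the table entries needed to fix it can be checked with parse_max_subnet_for_range before cpstop.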



-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT 
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Miguel Angel Gutierrez
Sent: Monday, February 21, 2005 5:07 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] please refer to solution sk19423

Yes, I just found out that the other peer is running his box under Linux, with a 
firewall service called strongSwan (as far as I know it is a variant of 
FreeS/WAN).
-Miguel


-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT 
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Sagiv Filler
Sent: Sunday, February 20, 2005 4:35 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] please refer to solution sk19423

Let me guess, the other side is a non-Check Point product? If so, let me know.

Sagiv

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:FW-1-MAILINGLIST AT 
AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Miguel Angel Gutierrez
Sent: Saturday, February 19, 2005 2:02 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] please refer to solution sk19423

Hello guys, I'm setting up a VPN from an IP350 CP_R55.

IKE:
- 3DES
- MD5

IPsec:
- AES-128
- MD5

Let's say that the other party isn't very cooperative with info ;)

I'm getting a lot of:
IKE: Quick Mode Received Notification From Peer: invalid message ID

Followed by the log:
Packet is dropped because there is no valid SA - please refer to solution 
sk19423 in SecureKnowledge Database for more information

Any first impressions would be appreciated.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

**************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or  
the
sender immediately and do not disclose the contents to any one or make copies.

Taldor Group.

** eSafe scanned this email for viruses, vandals and malicious content **
**************************************************************************************************
