Vasu,
Taking what I said the other day, that the problem was not on the PIX, and
there is a fix out there on the CP side, and that it has to be applied via the
command line, here is the article. This worked for the previous organization I
was at, so good luck!
Symptoms
Site to site VPN tunnel with third party vendor fails with one or more
errors. Depending on the VPN/encryption configuration and vendor
involved, you may see one or more of the errors listed.
Error: "Encryption failure: packet is dropped as there is no valid SA"
Error: "No valid SA"
Error: "Encryption failure: No response from peer"
Error: "No proposal chosen"
Error: "Invalid ID information" when VPN-1 gateway initiates Quick Mode
Error: "Encryption failure: Could not identify peer for encryption rule"
Can initiate tunnel from one side but no return traffic seen
TCP dump on the external interface shows udp500 inbound but not routed
past gateway
Both sides support subnet-key exchange
VPN instability after an IKE: Send Delete
No information seen in SmartView Tracker logs
Cause
Phase two Quick Mode failure occurs due to configuration/misconfiguration
of the VPN/encryption domain for the firewalls involved in site to site VPN
tunnels. Typically, this occurs when the VPN domain group contains either
numerous networks, or numerous hosts from different consecutive networks
along with network objects.
We write all the relevant network objects, which are networks and
included in the VPN domain of interoperable devices or Check Point gateways
before FP1, to a kernel table called ranges_by_domain_table. Instead of
calculating ranges for these gateways we take the information for ID
payload from this table.
By default, when computing ranges for the Quick Mode ID, VPN-1 combines
several subnets into one whenever possible. For example, if the encryption
domain includes two adjacent networks, 172.30.32.0/22 and 172.30.36.0/22,
VPN-1 will negotiate the QM for one subnet, 172.30.32.0/21. If the peer is
a non-Check Point gateway, it will fail the key exchange because of the
unexpected ID, since it computes the ranges differently.
Solution
To resolve the supernetting, configure the "max_subnet_for_range" table
in $FWDIR/lib/user.def on the Management Server (SmartCenter).
Procedure:
On SmartCenter/Management Server:
1) Close all SmartDashboard clients, i.e. SmartView Tracker, SmartView
Status, etc.
2) Set "ike_use_largest_possible_subnets" to "false" by issuing the
following set of commands (the FireWall-1 Administrator name is "fwadmin"
and the password is "abc123" in the example):
-------------------------------------
# dbedit
Enter Server name (ENTER for 'localhost'):
Enter User Name: fwadmin
Enter User Password: abc123
Please enter a command, -h for help or -q to quit:
dbedit> modify properties firewall_properties
ike_use_largest_possible_subnets false
dbedit> update properties firewall_properties
firewall_properties updated successfully.
dbedit> quit
#
---------------------------------------
3) Open $FWDIR/lib/user.def with a text editor
4) Verify $FWDIR/lib/user.def contains the lines:
----------------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
#endif /* __user_def__ */
---------------------------------------
Troubleshooting the supernetting issue
Example:
1) Configure VPN domains for the local (10.10.0.0) and remote (192.168.x.x)
gateways.
In the VPN domain of the local gateway, define a group with consecutive
networks such as 192.168.100.0/255.255.255.0, 192.168.101.0/255.255.255.0,
192.168.102.0/255.255.255.0
2) Enable ike.elg debug on the local firewall
3) Initiate the tunnel using a machine that is on 192.168.100.0 (remote
side)
4) Review the ike.elg
Observe that the phase 2 keys have the subnet changed from 255.255.255.0 to
255.255.25x.0, so that the phase 2 subnet key is large enough to
include the complete number of networks defined.
This indicates the user.def edit is required to manually define the
networks/hosts participating in encrypted traffic.
5) Modify the user.def file to manually define the networks to encrypt
traffic to/from.
3) Backup $FWDIR\lib\user.def file
4) Edit $FWDIR\lib\user.def file
Example 1
---------------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
<0.0.0.0, 194.29.39.255; 255.255.255.0>,
<194.29.40.0, 194.29.50.255; 255.255.255.255>,
<194.29.51.0, 255.255.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
------------------------------
In Example 1, the configuration would work in the following way:
- For the host IP 194.29.23.1 the network IP would be 194.29.23.0/24
- For the host IP 194.29.46.45 the network IP would be 194.29.46.45
(just one IP)
- For the host IP 194.29.102.1 the network IP would be 194.29.0.0/16
Example 2
------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
<172.16.0.0, 172.28.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
------------------------------
In Example 2, the configuration would work in the following way:
- For the host IP 172.16.1.1 the network IP would be 172.16.0.0/16
The general syntax for editing the $FWDIR/lib/conf files is as follows:
------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
...
<first_IP_in_range, last_IP_in_the_range; subnet_mask>
};
#endif /* __user_def__ */
------------------------------
5) Save $FWDIR/lib/user.def file
6) Install policy on firewall module to make change effective
Results: The network and subnet for IKE negotiation will be determined
according to the table above. The host's IP will be matched against the
relevant entry in this table, and that entry's subnet will be used for
negotiation. For ranges not specified in the table, the subnet mask will be
determined as if the option "IKE_use_largest_possible_subnets" were set to
"true", wherever relevant.
FP3 Note:
FP3 ignores setting "IKE_use_largest_possible_subnets" to false.
For FP3 HF1, apply HF2 and change the IKE_use_largest_possible_subnet
value to false
FP2 Note:
For FP2 HF 308, when the firewall tries to exchange keys with another
vendor's gateway it uses the largest possible subnet when there are
consecutive networks in the Check Point VPN domain, even when the
"IKE_use_largest_possible_subnets" option is set to false. This requires
modification of the user.def file to set segments manually for encrypted
traffic.
In FP2, if "Support Subnets for Key Exchange" is enabled in the Advanced IKE
properties, and the VPN domain on either the local or remote gateway object
consists of consecutive subnets, the FP2 gateway will combine these into a
larger subnet (or supernet) when presenting its IKE phase 2
identification. This ID is not accepted by the peer gateway, which is
expecting to see the original smaller subnets. This behavior can be seen in
the IKE debug from the FP2 gateway.
Example:
NG FP2 VPN domain consists of networks 192.168.2.0/24 and
192.168.3.0/24.
Remote peer, Cisco VPN domain consists of network 10.0.0.0/8. Both
gateways are configured with these VPN domains, and both sides support Key
exchange per-subnet. If a connection is initiated from either network
on the NG FP2 side, the FP2 gateway will attempt to negotiate phase 2
with the Cisco device, but will present the phase 2 ID as follows (the
values will actually be sent in hex, but are shown here in decimal):
Local side subnet (NG FP2 side): 192.168.2.0/23
Remote side subnet (Cisco side): 10.0.0.0/8
Notice the new subnet mask of the 192.168.2.0 network. Since the Cisco
gateway has been configured to negotiate for 192.168.2.0/24 or
192.168.3.0/24, it will not respond to this phase 2 attempt from the FP2
gateway, resulting in one of the above errors in the FP2 Log Viewer.
Applies To:
R54, R55
FP2, FP3
Site to site VPN
VPN/encryption domain
IPSec Interoperability
Third party vendors - CISCO PIX, Netscreen, Watchguard, SonicWall,
Contivity, Raptor, Nortel
IKE encryption
use_ike_largest_subnet
Cheers,
Matt
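An added example, not from the article, Matt's mail or Check Point: a small Python helper that parses a "max_subnet_for_range" table in the user.def syntax above and predicts which network a gateway would present as its Quick Mode ID for a given host, so it can be compared with the proxy ID the third-party peer expects before a policy install. The user.def fragment is a constructed copy of Example 1, the function names are my own, and the default "largest possible subnet" merge is approximated with Python's ipaddress.collapse_addresses rather than VPN-1's own computation.

```python
import ipaddress
import re

# Constructed copy of "Example 1" from the article, in user.def syntax.
USER_DEF_EXAMPLE_1 = """
#ifndef __user_def__
#define __user_def__
max_subnet_for_range = {
<0.0.0.0, 194.29.39.255; 255.255.255.0>,
<194.29.40.0, 194.29.50.255; 255.255.255.255>,
<194.29.51.0, 255.255.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
"""

TABLE_RE = re.compile(r"max_subnet_for_range\s*=\s*\{(.*?)\}\s*;", re.S)
ENTRY_RE = re.compile(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>")

def parse_max_subnet_for_range(user_def):
    """Return the table as (first_ip, last_ip, netmask) tuples in file order.
    Rejects reversed ranges and overlaps, which would make the ID order-dependent."""
    match = TABLE_RE.search(user_def)
    if not match:
        raise ValueError("no max_subnet_for_range table found")
    table = []
    for first, last, mask in ENTRY_RE.findall(match.group(1)):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError(f"reversed range {first}-{last}")
        if any(lo <= p_hi and hi >= p_lo for p_lo, p_hi, _ in table):
            raise ValueError(f"range {first}-{last} overlaps an earlier entry")
        table.append((lo, hi, mask))
    return table

def quick_mode_id(host, table):
    """Network the gateway would offer as its Phase 2 ID for `host`, or None
    when no entry covers it (the article says the default behaviour then applies)."""
    ip = ipaddress.IPv4Address(host)
    for lo, hi, mask in table:
        if lo <= ip <= hi:
            return ipaddress.IPv4Network(f"{host}/{mask}", strict=False)
    return None

def largest_possible_subnets(networks):
    """Approximate the default 'combine adjacent subnets' behaviour with
    ipaddress.collapse_addresses. It reproduces the article's two examples but
    is not VPN-1's own algorithm (Peter's /14 result shows VPN-1 can differ)."""
    nets = (ipaddress.IPv4Network(n) for n in networks)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]
```

Running quick_mode_id over every host the peer is configured for, and diffing the result against the peer's proxy IDs, shows up a supernetting mismatch without waiting for a "No proposal chosen" in the log.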
Supernetting
Vasudevan Chetty Padmanabhan <vasudevan.cp AT GMAIL DOT COM> wrote:
Hi,
I have many Site-to-Site VPNs terminated on this CheckPoint Firewall R55. If
I edit this user.def file and add only the subnets for the problematic
site-to-site VPN, will this affect all other VPNs? I tried doing this and
when I installed the policy it just fails. Any thoughts on this?
Thanks,
Vasu
On 12/29/05, Peter Haug wrote:
>
> Hi,
> our firewall is an R60 on SCPLT.
> We created a site to site VPN with a Linux firewall. During IKE negotiation,
> I see the wrong subnet.
> It should be 10.22.0.0/16 but it is 10.20.0.0/14
>
> Our internal networks are 23 subnets from 10.1.0.0/16 to 10.23.0.0/16. I
> can't find any network with the mask /14 in the SmartDashboard. Also in the
> SCPLT I can't find it.
> Where else should I look for this?
> Any hints?
> Thanks, Peter
>
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>