Cisco Support Community

New Member

problems with site to site VPN

Hi there, I have a problem with a site-to-site connection with a company we work with. The company uses a Check Point NGX R65 and we use a PIX. The thing is that the VPN comes up. I can ping hosts at the company side and traffic is flowing. The company cannot access us; only when we start a ping from our side, and only after that, can they access us. We also get some socket errors on one of our apps when connecting to them.

I have debug logs attached. One is from when we are sending pings to them (debug ourside.txt), and one from when they are sending pings to us (debug company ping.txt).

22 REPLIES
New Member

Re: problems with site to site VPN

OK, the solution is a very simple one.

1) Make sure that you do not NAT inside the VPN tunnel on the Check Point side. In the Check Point VPN community (I am assuming that you're using simplified mode), there is a check box that tells it to disable NAT inside the VPN tunnel.

2) Check Point will tend to supernet the interesting traffic whenever possible. I am suspecting that is the case because it only works once you start pinging the other side. When the tunnel times out, it will not work if traffic is initiated from the other side.

To fix this, please advise the other company to do the following: in the VPN community properties, go to Tunnel Management, look at the "VPN Tunnel Sharing" setting and select "One VPN tunnel per each pair of hosts". The default is "One VPN tunnel per subnet pair". After that, push the policy and it will likely work.

This method is not efficient, but it is widely used when setting up a VPN between Check Point and Cisco/Juniper.

Finally, if all else fails, you may have to go into $FWDIR/lib on the CMA or management server and modify the user.def file.

Let me know if it works for you.

New Member

Re: problems with site to site VPN

Keven,

Thanks for your reply. I contacted the company but still the same reult. Only after i started pinging they could ping us. Before that they would get "no valid SA"in their log but nothing showing up in de debug on my side. attached is the complete debug when we tested just now.

New Member

Re: problems with site to site VPN

The problem is that you have a phase II mismatch when Check Point initiates traffic first:

(key eng. msg.) dest= 10.10.40.1, src= 200.x.x.138,
dest_proxy= MNS/255.255.255.255/0/0 (type=1),
src_proxy= DIGICELNW1/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,

I've been working with both Check Point firewalls and Cisco PIX/IOS for about 7 years now, and Check Point is doing supernetting on its side. That's why it fails.

Tell the folks on the Check Point side to run "vpn debug ikeon" and use the utility IKEView.exe to view the debug; it will tell you why it fails.

I've been working with both Check Point firewalls and PIX/IOS for about seven years now, and what you see is quite typical for a VPN between Check Point and Cisco. Use my method in the previous post and it will work.

If you want to chat, put your phone number here and I will call you.
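The phase II selector (proxy ID) mismatch described in the two replies above can be spotted mechanically from the debug output. The following is an added example, not code from this thread, from Cisco or from Check Point: a Python script that parses PIX 6.x "debug crypto ipsec" output in the "(key eng. msg.)" format quoted above and checks each proposed selector pair against the PIX crypto ACL. It reports whether a proposal is an exact match, narrower than an ACL entry, wider than one (the peer proposing a subnet pair where the ACL has hosts, which is the supernetting behaviour Kevin describes), or not covered, and it flags a 0.0.0.0/0 selector, which is what a remote-access or wildcard crypto entry produces. Only the PIX address 10.10.40.1, the ACL name outside1_cryptomap_20 and the host addresses 10.10.40.5, 10.10.40.6 and 172.24.197.10 come from the thread; the sample debug text, the peer address 203.0.113.7 (documentation range) and the ACL contents are constructed for the example, and the `names` mapping stands in for PIX `name` entries such as MNS, whose addresses the thread does not give.

```python
"""Check phase 2 proxy IDs from PIX 6.x 'debug crypto ipsec' against a crypto ACL.

Added example (not from the thread, Cisco or Check Point).  The verdict
categories are this script's own; sample debug text and ACL are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# One quick-mode proposal as PIX 6.x prints it: dest=/src= are the IKE peers,
# the *_proxy fields are address/mask/protocol/port selectors.
MSG_RE = re.compile(
    r"\(key eng\. msg\.\)\s*dest=\s*(?P<dest>[^,\s]+),\s*src=\s*(?P<src>[^,\s]+),"
    r".*?dest_proxy=\s*(?P<dp>[^\s(]+)\s*\(type=\d+\)"
    r".*?src_proxy=\s*(?P<sp>[^\s(]+)\s*\(type=\d+\)",
    re.S,
)

# PIX crypto ACL entry "access-list NAME permit ip <src> <dst>", where each
# side is "host A", "any" or "A MASK".  Other protocols and forms are ignored.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|any|\S+\s+\S+)\s+(?P<dst>host\s+\S+|any|\S+\s+\S+)\s*$",
    re.M,
)

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Selector:
    local: ipaddress.IPv4Network   # the PIX side of the pair
    remote: ipaddress.IPv4Network  # the peer side of the pair


def _proxy_net(field, names):
    """'10.10.40.5/255.255.255.255/0/0' -> network; PIX 'name' labels resolve via names."""
    addr, mask, _proto, _port = field.split("/")
    return ipaddress.IPv4Network((names.get(addr, addr), mask), strict=False)


def parse_proposals(debug_text, local_addr, names=None):
    """Selector pairs from a capture, oriented so .local is always the PIX side."""
    names = names or {}
    out = []
    for m in MSG_RE.finditer(debug_text):
        dp = _proxy_net(m["dp"], names)
        sp = _proxy_net(m["sp"], names)
        # When dest= is our own address the peer initiated and dest_proxy is our side.
        if m["dest"] == local_addr:
            out.append(Selector(local=dp, remote=sp))
        else:
            out.append(Selector(local=sp, remote=dp))
    return out


def _acl_net(token):
    parts = token.split()
    if parts[0] == "any":
        return ANY
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    return ipaddress.IPv4Network((parts[0], parts[1]), strict=False)


def parse_crypto_acl(config_text, acl_name):
    """Selector pairs permitted by one named PIX crypto ACL."""
    return [Selector(local=_acl_net(m["src"]), remote=_acl_net(m["dst"]))
            for m in ACL_RE.finditer(config_text) if m["name"] == acl_name]


def classify(proposal, acl):
    """'exact': an entry equals the proposal; 'narrower': the proposal sits inside
    an entry; 'wider': the proposal is a supernet of an entry (the peer negotiates
    a bigger pair than we configured); 'none': no usable overlap."""
    result = "none"
    for entry in acl:
        if proposal == entry:
            return "exact"
        if proposal.local.subnet_of(entry.local) and proposal.remote.subnet_of(entry.remote):
            result = "narrower"
        elif (result == "none" and entry.local.subnet_of(proposal.local)
              and entry.remote.subnet_of(proposal.remote)):
            result = "wider"
    return result


def report(debug_text, config_text, acl_name, local_addr, names=None):
    """One (pair, verdict) row per quick-mode proposal in the capture."""
    acl = parse_crypto_acl(config_text, acl_name)
    rows = []
    for prop in parse_proposals(debug_text, local_addr, names):
        verdict = classify(prop, acl)
        if ANY in (prop.local, prop.remote):
            verdict += " (0.0.0.0/0 selector: a wildcard or remote-access crypto entry is in play)"
        rows.append((f"{prop.local}<->{prop.remote}", verdict))
    return rows


# Constructed sample: PIX at 10.10.40.1 (as in the thread), peer at 203.0.113.7.
# First proposal is host-to-host; in the second the peer offers its whole /24.
SAMPLE_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.10.40.1, src= 203.0.113.7,
    dest_proxy= 10.10.40.5/255.255.255.255/0/0 (type=1),
    src_proxy= 172.24.197.10/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 10.10.40.1, src= 203.0.113.7,
    dest_proxy= 10.10.40.5/255.255.255.255/0/0 (type=1),
    src_proxy= 172.24.197.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
"""

SAMPLE_CONFIG = """\
access-list outside1_cryptomap_20 permit ip host 10.10.40.5 host 172.24.197.10
access-list outside1_cryptomap_20 permit ip host 10.10.40.6 host 172.24.197.10
"""

if __name__ == "__main__":
    for pair, verdict in report(SAMPLE_DEBUG, SAMPLE_CONFIG, "outside1_cryptomap_20", "10.10.40.1"):
        print(f"{pair:40} {verdict}")
```

A "wider" verdict on a peer-initiated proposal against a host-granular ACL is exactly what Check Point's default "one VPN tunnel per subnet pair" setting produces, which is why switching the community to "one VPN tunnel per each pair of hosts" (or widening the PIX ACL to the same subnet pair) is the usual fix. The script does not reproduce every acceptance rule of the PIX responder; it only makes the selector comparison visible.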

New Member

Re: problems with site to site VPN

Kevin,

Check Point support stated that everything is good on their side. What I forgot to mention is that my PIX is behind a router. I use a private address, 10.10.40.1, which I NAT to the public address of the outside interface on the router. They tell me that I have no static NAT for inbound traffic sending IPsec traffic to the PIX. Attached is the router config. Can you check it for me? The thing is, when they are trying to ping first I don't see anything in the debug. Also, the hosts behind the firewall are NATed to 10.10.40.X on the router, and 10.10.40.0 is NATed to the public address on the outside interface. So the topology is

DMZ --> PIX --> router (3725) --> Internet --> FW Check Point.

Thanks for helping me out. My phone number is +597-8595355

New Member

Re: problems with site to site VPN

OK, now I have a better picture of what you want to do.

Check Point TAC support is correct. In order for this to work, you need to have static NAT for inbound traffic to send traffic to the PIX. In your case, since you have NATed everything to the public address of the outside interface, you may not have any more public IP addresses available. In that case, I would do the following on the router:

ip nat inside source static udp 10.10.40.1 interface FastEthernet0/1 500

ip nat inside source static esp 10.10.40.1 interface FastEthernet0/1

In other words, you are telling the router to forward isakmp/500 and ESP traffic from interface F0/1 on the router to the PIX. This will allow the Check Point to communicate with your PIX firewall and it will work like a charm. Make sure that on the Check Point side the Interoperable Device is set up with an IP address of 200.X.X.19. Don't forget to tell them to re-push the policy after they are done.

I learned about this method while preparing for the CCIE Security lab two years ago. Funny thing is that I am CCIE Security certified but I know more about Check Point technologies than I do about Cisco.

Let me know if this works for you.

New Member

Re: problems with site to site VPN

Kevin,

You're a big help so far.

There was a typo in the command, but I changed it:

ip nat inside source static udp 10.10.40.1 500 interface FastEthernet0/1 500

instead of

ip nat inside source static udp 10.10.40.1 interface FastEthernet0/1 500

It worked. Now the company can start a ping on its own. But the thing is, only one host on their side can ping mine. We can't ping each other simultaneously. I also see a malformed payload in the debug. Attached is the debug file. Can you help out on this?

New Member

Re: problems with site to site VPN

My consulting rate is $250/hour and I think the fee is quite reasonable since you're getting someone who is knowledgeable with both Cisco and Check Point technologies. J/K.

I am going to assume that the Check Point external IP address is 200.1.211.138. Your PIX external IP address is 10.10.40.1/24? What is your interesting traffic? Show me your ACL outside1_cryptomap_20.

What does the Check Point have defined in its local encryption domain? What is the remote encryption domain defined in the Interoperable Device for the PIX device in Check Point?

It looks to me like you do not have the encryption domains matching between Check Point and Cisco. That's why it is not working as it should.

One other thing I notice is that you should change "isakmp policy 20 lifetime 28800" to "isakmp policy 20 lifetime 86400", and "crypto map outside1_map 20 set security-association lifetime seconds 7200" to "crypto map outside1_map 20 set security-association lifetime seconds 3600", so that it will match the default setting on the Check Point side.

In order for me to help you, I need to see your PIX configuration ACL and the entire configuration, not piecemeal. It looks to me like you've got a misconfiguration on your PIX side. Until I can see your PIX configuration, it's very hard to go on from there.

New Member

Re: problems with site to site VPN

Keven,

I will change the isakmp policy 20 lifetime to 86400 and the security-association lifetime seconds to 3600. Attached is my config of the PIX. The outside address 10.10.40.1 of the PIX is NATed to 200.X.X.19 on the router side.

I appreciate your help and I certainly know what you are worth.

New Member

Re: problems with site to site VPN

Here is what I recommend:

1) On the Check Point side, tell the Check Point TAC person to include only hosts 10.10.40.5/32 and 10.10.40.6/32 in the encryption domain of the PIX Interoperable Device.

2) On the Check Point side, tell the Check Point TAC person to include digicel0, digicel3, digicel4, digicel5, digicelnw1 in his Check Point local encryption domain.

3) Make sure everything in the VPN settings matches on both sides, INCLUDING Perfect Forward Secrecy (PFS). There is a check box in the Check Point VPN community for that.

Looking at your configuration more carefully, what you're trying to do will not work because you're terminating the VPN on the outside1 interface (10.10.40.1) and your interesting traffic is on 10.10.40.5 and 10.10.40.6. Remember this is a PIX firewall, NOT Cisco IOS, so what you're trying to do, I do not think will work. The interesting traffic should be a network not on the same interface as outside1.

New Member

Re: problems with site to site VPN

Keven,

The Check Point is configured with VPN connections to other parties as well, so the encryption domain could not consist only of my hosts. The other settings you suggested are also in place. Hosts 10.10.40.5 and 10.10.40.6 are actually on the inside of the PIX (having 10.100.10.91 NATed to 10.10.40.5 and 10.100.10.92 NATed to 10.10.40.6 on the outside1 interface). The thing is, before we implemented the inbound NAT rule on the router we could ping each other simultaneously; only I had to start pinging first. Now only one host can ping. So this is strange.

Is there a possible workaround for this?

Thanks again

New Member

Re: problems with site to site VPN

The Check Point local encryption domain can contain other networks besides 10.10.40.5 and 10.10.40.6. What I am referring to is the PIX Interoperable Device encryption domain. It can contain only hosts 10.10.40.5 and 10.10.40.6.

You said:

"Hosts 10.10.40.5 and 10.10.40.6 are actually on the inside of the PIX (having 10.100.10.91 NATed to 10.10.40.5 and 10.100.10.92 NATed to 10.10.40.6)"

If that is the case then you need to REMOVE this line:

no nat (inside) 0 access-list inside_outbound_nat0_acl

because this line says NOT TO NAT 10.10.100.91 and 10.10.100.92 when going to the Check Point side. Therefore you are telling the Check Point side that your interesting traffic is actually 10.10.100.91 and 10.10.100.92 and NOT 10.10.40.5 and 10.10.40.6.

Remove this line and it will work.
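Kevin's point about the nat 0 line rests on the order in which a PIX 6.x applies its translation rules to a packet leaving the inside interface: NAT exemption ("nat 0 access-list") is checked first and leaves the packet untranslated, static one-to-one entries come next, and the crypto ACL is then matched against the already translated packet. The following added example (not code from the thread or from Cisco) models that order for the hosts in this thread so the effect of removing the exemption can be seen. The static mappings 10.100.10.91 -> 10.10.40.5 and 10.100.10.92 -> 10.10.40.6 and the remote host 172.24.197.10 come from the thread; the contents of the nat 0 ACL and of the crypto ACL are constructed, as the thread does not show them, and dynamic "nat"/"global" pools are not modelled.

```python
"""Which source address a PIX 6.x presents to the crypto map after NAT.

Added example, not from the thread or from Cisco.  Models PIX 6.x outbound
translation order (nat 0 exemption, then static) and then matches the
translated packet against the crypto ACL.  ACL contents are constructed.
"""
import ipaddress

IPv4 = ipaddress.IPv4Address


def net(s):
    return ipaddress.IPv4Network(s, strict=False)


# Constructed stand-in for 'nat (inside) 0 access-list inside_outbound_nat0_acl':
# (source network, destination network) pairs that are exempt from translation.
NAT0_ACL = [(net("10.100.10.0/24"), net("0.0.0.0/0"))]

# 'static (inside,outside1) <mapped> <real>' entries, real -> mapped, from the thread.
STATICS = {"10.100.10.91": "10.10.40.5", "10.100.10.92": "10.10.40.6"}

# Constructed crypto ACL: (local, remote) pairs the tunnel is defined for.
CRYPTO_ACL = [(net("10.10.40.5/32"), net("172.24.197.10/32")),
              (net("10.10.40.6/32"), net("172.24.197.10/32"))]


def translate(src, dst, nat0_acl, statics):
    """Source address after PIX 6.x outbound NAT: exemption wins, then static."""
    s, d = IPv4(src), IPv4(dst)
    for src_net, dst_net in nat0_acl:
        if s in src_net and d in dst_net:
            return src                 # NAT exemption: packet keeps its real address
    return statics.get(src, src)       # static one-to-one, else untouched (no dynamic pool)


def matches_crypto(src, dst, crypto_acl):
    """Does the (already translated) packet hit a crypto ACL entry?"""
    s, d = IPv4(src), IPv4(dst)
    return any(s in local and d in remote for local, remote in crypto_acl)


def tunnel_view(src, dst, nat0_acl, statics, crypto_acl):
    """(translated source, whether the crypto map will pick the packet up)."""
    xlated = translate(src, dst, nat0_acl, statics)
    return xlated, matches_crypto(xlated, dst, crypto_acl)


if __name__ == "__main__":
    cases = (("with nat 0 exemption in place", NAT0_ACL),
             ("after 'no nat (inside) 0 access-list ...'", []))
    for label, nat0 in cases:
        print(label, tunnel_view("10.100.10.91", "172.24.197.10", nat0, STATICS, CRYPTO_ACL))
```

With the exemption in place the packet reaches the crypto map as 10.100.10.91, which no crypto ACL entry covers, so it is sent in the clear rather than into the tunnel; once the exemption is gone the static applies and the packet leaves as 10.10.40.5, which the ACL and the peer's encryption domain both expect.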

New Member

Re: problems with site to site VPN

Kevin,

Here is the thing. I entered the following command on the PIX:

no nat (inside) 0 access-list inside_outbound_nat0_acl

What happens now is that I can ping, for instance, 172.24.197.10 (company) from 10.10.40.6, and the company can ping 10.10.40.6 just fine. I did this test continuously pinging each other. Then I started to ping 172.20.41.199 as well. I got timeouts. Only when I closed the ping to 172.24.197.10 could I ping x.xx.199, and from the company side it's the same. It looks like we can only ping one host at a time. Strange thing. Any thoughts on that?

New Member

Re: problems with site to site VPN

Greg,

Here is what I would do:

1) Tell the Check Point guy to perform "vpn tu" and clear the tunnel between the Check Point and the PIX.

2) What HFA is running on the Check Point side? Ask the TAC to run "fw ver" on the firewall modules and paste in the output.

3) Is it possible for you to ask the Check Point TAC person to give you the ike.elg file while this error occurs? I can debug that file and tell exactly what went wrong.

New Member

Re: problems with site to site VPN

Kevin,

This is what I got from them:

Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) - Build 430

See the attachment also.

Thanks a million.

New Member

Re: problems with site to site VPN

Tell the Check Point TAC that they should be running the latest HFA, like what I have below:

[Expert@NGx_R65-1-P]# fw ver
This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006
[Expert@NGx_R65-1-P]#

Furthermore, when I look at the ike.elg file, everything looks clean. There is an issue with the tunnel 209.16.112.254, but for the tunnel 200.x.x.19 it looks really clean. Both phase I and phase II look really clean, so the configuration on both the Check Point side and your side is correct. The one thing I am not seeing in the Check Point debug file is the Perfect Forward Secrecy part. Can you check with Check Point TAC if that is in place?

Last resort will be:

1) upgrade the Check Point to HFA_02. They are on HFA_0 now,

2) upgrade your PIX 6.3(4) to 6.3(5).

Or if you like you can set up a VPN tunnel with me. I have a Check Point NGX R65 firewall but I am running HFA_02 instead of HFA_00.

New Member

Re: problems with site to site VPN

Kevin,

I can't test with you right now. My email address is gregory.tai-apin@bnets.sr. Is my PIX config all right here? I'm sending you a debug of mine right now, and a new one from a test we just did.

I can upgrade my PIX, but upgrading on the Check Point side is out of the question, they say.

Thanks for the offer.

New Member

Re: problems with site to site VPN

Your PIX configuration looks correct.

Are they running Check Point on SecurePlatform or on a Nokia IP appliance? I remember running into this issue about two years ago, but that was between my Check Point NG AI firewall running on SecurePlatform and a Cisco IOS router on the other side.

I looked at the ike10.elg file and everything looks good on the Check Point side. Both phase I and phase II are properly exchanged.

New Member

Re: problems with site to site VPN

Kevin,

I don't know yet which platform. I will ask them. But have you seen the things in the debug 3.txt file? What can you make of it? I will upgrade to 6.3(5); I'm looking for the upgrade document online now. As soon as I find it I will upgrade.

New Member

Re: problems with site to site VPN

Do you have a remote access VPN terminating on this PIX firewall? Your IPsec phase II looks strange with 0.0.0.0/0.

New Member

Re: problems with site to site VPN

Yes, I have. But I deleted it now. Still, I can only ping one host at a time.

New Member

Re: problems with site to site VPN

Kevin,

I have upgraded to 6.3(5), still no progress. Thanks for all your efforts; I'm in the dark here.

New Member

Re: problems with site to site VPN

Kevin,

When I remove the static inbound rule on the router I am able to ping all hosts simultaneously. But then again the company can only reach me when I start a ping first. I will still have problems with the renegotiation.

Any thoughts on this?
