Help with VPN tunnel with CheckPoint (from ASA 7.2(3))
I have a VPN tunnel with a CheckPoint, and because of the CheckPoint's unfortunate behavior of supernetting, I've had to use supernets in the crypto map on the ASA. All was well until I decided to modify a setting on the CheckPoint to prevent supernetting (ike_use_largest_possible_subnets changed from "true" to "false"). I updated the crypto map and did "clear crypto isakmp sa" and "clear crypto ipsec sa", but I could not get the tunnel to work correctly and had to fall back.
Have any of you been through this and if so, can you share your experience, advice, wisdom, etc.? I do not do much VPN work on the Cisco ASAs so maybe I didn't clear everything properly or didn't do the commands in the right order, or something?
I did not reload the Cisco. Maybe that's what I needed to do?
I did fall back on both the CheckPoint and the ASA, and the tunnel is up and working, but I see a lot of "duplicate phase 2 packet" messages on the ASA, and on the CheckPoint I see a phase 2 packet with the supernet (x.x.x.0/23), then a delete, then another phase 2 packet with the x.x.x.0/24, so I still don't think things are working correctly.
I also tried "debug crypto isakmp" and "debug crypto ipsec" but I don't see any output. I am doing ssh to the Cisco ASA. Where does the output go? Sorry if that's a really stupid question. I did search the forum and Cisco's doc but didn't find anything.
Re: Help with VPN tunnel with CheckPoint (from ASA 7.2(3))
Thanks for replying. We're running R62 (no hfa) with traditional mode. We have over 40 vpn tunnels so it is not an option to just convert to simplified mode. This is a plan but not something I can do immediately to solve this issue.
When ike_use_largest_possible_subnet didn't work, I did try modifying user.def, but that also did not work. The VAR has suggested coding the interoperable device properties to "one tunnel per pair of hosts", which can be done even in traditional mode but does not seem to work (tried it before), so maybe that's your point about trad mode having restrictions.
I have a thread open on the CheckPoint forum on this, but I'm just trying to determine if, on the ASA side, I've done something incorrectly, as I'm not as familiar with VPNs on that device.
I have read about issues with Cisco where a reload seems to resolve issues with the SA after changes are made, and in fact, the changes I made caused issues with another Cisco device (1841) we have a tunnel with (that I don't manage) and the admin for that device had to reset the device to get things working. Clearing the SAs did not fix it.