Hi Czar
 
The connection is working now. Turns out that the root of the problem was that NAT 
was enabled within the community. So as these hosts were internal hosts (that 
were Hide NAT'd), all other hosts within the same subnet which were also Hide 
NAT'd to the same IP were being included in the community. The SA failed as the 
Cisco received the Hide NAT IP in stage 2. On disabling the NAT, the host IPs 
were properly communicated in stage 2. However, the Cisco admin had to change 
the subnet to /24 as opposed to a single host.
 
Even after this, the connection only worked after the Cisco tunnels were reset 
and SAs cleared.
 
Thanks and Regards
Shiroma
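The failure mode worked through in this thread, as an added example in Python (not code from any of the posts, and not Check Point's own code). It models how consecutive /24 networks in an encryption domain collapse into one larger block in the Phase 2 (quick mode) ID, why a peer whose crypto ACL lists the /24s individually then rejects the proposal, how a max_subnet_for_range row pins the proposal back to the /24, and what the peer sees when a Hide NAT address is presented in place of the host. The addresses, the peer ACL, the exact-match responder rule and the dotted-quad mask in the rendered table (following the user.def template quoted further down) are all assumptions made for the example.

```python
"""Model of the supernetting / Phase 2 proxy-ID mismatch discussed above.

Added example, not code from the mailing-list posts or from Check Point.
All addresses, the peer crypto ACL and the exact-match responder
behaviour are constructed assumptions for illustration.
"""
import ipaddress
from typing import List, Optional, Sequence, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
# One max_subnet_for_range row: (first IP, last IP, dotted-quad mask),
# mirroring the user.def template quoted in the thread (mask format assumed).
Row = Tuple[str, str, str]

# Constructed encryption domain: three consecutive /24 networks.
DOMAIN = [Net("10.1.0.0/24"), Net("10.1.1.0/24"), Net("10.1.2.0/24")]
# Constructed peer crypto ACL: the PIX side lists each /24 on its own.
PEER_ACL = [Net("10.1.0.0/24"), Net("10.1.1.0/24"), Net("10.1.2.0/24")]


def supernet_of(nets: Sequence[Net]) -> Net:
    """Smallest single CIDR block containing every network in nets.

    This is the 'largest possible subnet' the thread describes FW-1
    offering when ike_use_largest_possible_subnets is left at true.
    """
    block = nets[0]
    for n in nets[1:]:
        while not n.subnet_of(block):
            block = block.supernet()
    return block


def rows_from(nets: Sequence[Net]) -> List[Row]:
    """max_subnet_for_range rows that pin each network to its own mask."""
    return [(str(n.network_address), str(n.broadcast_address), str(n.netmask))
            for n in nets]


def proposed_id(host: Addr, domain: Sequence[Net], table: Sequence[Row],
                hide_nat: Optional[Addr] = None) -> Net:
    """Network the gateway offers as its Phase 2 ID for traffic from host.

    A hide_nat address, when given, replaces the host identity (the
    symptom in the final message). A table row covering the identity
    caps the proposal at that row's mask; otherwise an identity inside
    the domain gets the largest covering block, and one outside it is
    offered as a single host.
    """
    ident = hide_nat if hide_nat is not None else host
    for first, last, mask in table:
        if Addr(first) <= ident <= Addr(last):
            return Net(f"{ident}/{mask}", strict=False)
    if any(ident in n for n in domain):
        return supernet_of(domain)
    return Net(f"{ident}/32")


def peer_accepts(proposed: Net, acl: Sequence[Net]) -> bool:
    """Assumed responder rule: the proposed ID must equal an ACL entry exactly."""
    return proposed in acl


def render_max_subnet_for_range(nets: Sequence[Net]) -> str:
    """user.def table text in the syntax quoted in the thread."""
    entries = [f"<{f}, {l}; {m}>" for f, l, m in rows_from(nets)]
    return "max_subnet_for_range = {\n    " + ",\n    ".join(entries) + " };"


def walk_through(host: Addr) -> List[Tuple[str, Net, bool]]:
    """Run the three scenarios for one host and report (label, ID, accepted)."""
    table = rows_from(DOMAIN)
    cases = [
        ("default (supernetted)", proposed_id(host, DOMAIN, [])),
        ("pinned by user.def", proposed_id(host, DOMAIN, table)),
        ("Hide NAT in community", proposed_id(host, DOMAIN, table,
                                              hide_nat=Addr("203.0.113.10"))),
    ]
    return [(label, net, peer_accepts(net, PEER_ACL)) for label, net in cases]


if __name__ == "__main__":
    for label, net, ok in walk_through(Addr("10.1.1.25")):
        print(f"{label:24s} proposes {net!s:18s} peer accepts: {ok}")
    print(render_max_subnet_for_range(DOMAIN))
```

Running it shows the supernetted /22 being refused, the pinned /24 matching the ACL, and the NAT address arriving as a lone /32 that the peer has no entry for, which is the sequence of symptoms the thread reports before NAT was disabled and the Cisco side moved to /24.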
--- On Thu, 7/2/09, [email protected] <[email protected]> wrote:


From: [email protected] <[email protected]>
Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505
To: [email protected]
Date: Thursday, July 2, 2009, 5:10 AM


Hi Shiroma,

To my understanding, the cp kb has put examples and mixing subnets with
hosts only is allowed.

Also, you might need a re-think of how you define your subnets, for example,
in my experience, I broke down networks into /24 blocks (because cp fw1
supernetted the whole range into a /22 network).

As an aside, I had this particular problem with freeswan on debian but no
problem with a cisco (not sure if there's a pix at that end - I assume there
is). These ends are ISP boxes (they're hosting our public servers).

ta
czar

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Shiroma
Dassanayake
Sent: Thursday, 2 July 2009 12:49 AM
To: [email protected]
Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505

Hi 
 
Thanks Czar/Sergio. Czar the kb was really useful - these are the exact
symptoms being experienced. 
 
Actually the ike_use_largest_possible_subnets has already been set to false
and I define my host subnets using the max_subnet_for_range table. When I
checked the host subnet range it had already been entered in the table with
/24 subnet. So I asked the Cisco admin to change the subnet mask on their
end (for my host) to match this. I am unable to add it as a host as it is
already defined as part of a /24 subnet. After this I changed the tunnel
management setting to "per pair of subnet hosts". However, the connectivity
still fails with the same error. I am now considering a delete sa for this
tunnel.
 
On reading the Checkpoint interoperability doc, there is an option to create
a subnet_for_range_and_peer table. The problem I have is as I have already
defined the max_subnet_for_range table in my user.def, how do I append this
table and ensure that these settings precede the max_subnet_for_range table?
 
Regards
Shiroma

--- On Tue, 6/30/09, Sergio Alvarez <[email protected]> wrote:


From: Sergio Alvarez <[email protected]>
Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505
To: [email protected]
Date: Tuesday, June 30, 2009, 11:21 AM


The default option of "one tunnel per subnet pair" is the one that complies
with IPSec standard and you should not change it when doing VPN against
"interoperable devices", I read something about that quite a while ago. In
fact the same document said the other two options ("one tunnel per host
pair" and "one tunnel per gateway pair") are Check Point supported only.

So maybe, changing that setting to "one VPN tunnel per each pair of hosts"
could be part of the problem.

In any case I don't think there is an easy way to go around the supernetting
issue if you bump into it, if that is the case, you must go with the changes
suggested by Czar.

Regards

On Tue, Jun 30, 2009 at 5:36 AM, <[email protected]> wrote:

> Hi Shiroma,
>
> Unfortunately, by setting it in the gui alone will not resolve the issue. 
> This is spelled out by cp itself.
>
> You have to do it manually via dbedit and changing user.def. For your 
> case, you define it only for a host. You can check out the syntax on 
> how to define a host only. Check out sk39419 - it outlines CheckPoint's 
> official solution (I just did a search on supernetting).
>
> The bottom line is it's how cp fw works and it's up to you whether or 
> not you want to follow cp's procedure to resolve your issue (assuming 
> at the cisco end the settings are correct).
>
> Best of luck.
>
> ta
> czar
>
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 
> [mailto:[email protected]] On Behalf Of 
> Shiroma Dassanayake
> Sent: Monday, 29 June 2009 8:48 PM
> To: [email protected]
> Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 
> 505
>
> Hi Czar
>
> It is to address the supernetting issue that I have selected "one VPN 
> tunnel per each pair of hosts" under tunnel management. The encryption 
> domain of each tunnel comprises a single host only.
>
> Regards
> Shiroma
>
>
>
> --- On Mon, 6/29/09, [email protected] <[email protected]> wrote:
>
>
> From: [email protected] <[email protected]>
> Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 
> 505
> To: [email protected]
> Date: Monday, June 29, 2009, 2:07 AM
>
>
> Hi Shiroma,
>
> I just ran into this kind of problem very recently.
>
> I think you have a supernetting issue. You must have defined subnets 
> that are consecutive.
>
> If this is the case, by default, fw1 will supernet it automatically. 
> You can confirm this if at the cisco end the ip address is appearing 
> at a higher subnet, i.e. if you initiated traffic from a /24 address, it 
> would appear at the cisco end as something like a /22 address.
>
> First, you can google for user.def +checkpoint or search the CP 
> knowledge base for the solution.
>
> From memory, you have to use dbedit to change the behaviour at the 
> smartcenter server. NB close all fw1 apps.
>
> (run dbedit ? To verify syntax)
>
> dbedit> modify properties firewall_properties
> ike_use_largest_possible_subnets false
>
> dbedit> update properties firewall_properties
>
> dbedit> quit --update_all
>
> Then you have to manually edit the $FW1/lib/user.def file using a plain text 
> editor, i.e. Notepad. But make a backup copy first.
>
> Then put in your subnets as in following example
>
> ------------------------------
> #ifndef __user_def__
> #define __user_def__
>
> //
> // User defined INSPECT code
> //
>
> max_subnet_for_range = {
> <first_IP_in_range, last_IP_in_the_range; subnet_mask>, 
> <first_IP_in_range, last_IP_in_the_range; subnet_mask>, ...
> <first_IP_in_range, last_IP_in_the_range; subnet_mask> };
>
> #endif /* __user_def__ */
> ------------------------------
>
> Save it. Then install the policy.
>
> In the Knowledge base, there are other examples. Check it out.
>
> Good luck.
>
> ta
> czar
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1 
> [mailto:[email protected]] On Behalf Of 
> Shiroma Dassanayake
> Sent: Monday, 29 June 2009 1:41 PM
> To: [email protected]
> Subject: [FW-1] site to site VPN failing with Cisco Pix 515 and 505
>
> Hi admins
>
> I have 3 site-site VPNs with three different Cisco models. The 
> site-site with the ASA 5510 works. However the VPNs with the 515 and 
> the 505 don't work. To exclude the subnets issue, I have selected "one 
> VPN tunnel per each pair of hosts" under tunnel management.
>
> The keys are exchanged successfully and main mode completes. However 
> when traffic is initiated (in either direction) the packet is 
> dropped as encryption fails as there is no valid SA. I have seen 
> several references to this error on SK but none of the suggested 
> workarounds seem to work.
>
> Any ideas??
>
> Regards
> Shiroma
>
>
>
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an email to 
> [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list, please see the instructions at 
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription options, 
> email [email protected] 
> =================================================
>
>
>
> Scanned by Check Point Total Security Gateway.



--
Sergio Alvarez
+(506)88301342

