https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Cisco-FTD-local-subnet-natted-key-exchange-with/m-p/70064#M12033 <P>Thanks G_W for your answer. I know it's a really old system but I have to deal with it...<BR />I'll review the articles.<BR />Thanks again.<BR />Stefano.</P> Wed, 11 Dec 2019 14:05:33 GMT Stefano_Chiesa 2019-12-11T14:05:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Cisco-FTD-local-subnet-natted-key-exchange-with/m-p/70052#M12031 <P>Hello all.</P><P>On a 2200 R75.40 cluster is configured a L2L VPN with a remote Cisco FTD.<BR />in the VPN configuration the real local subnet (10.39.126.x/23) is not specified&nbsp; but instead a NAT subnet is used (192.168.123.x/27).<BR />On the remote side 4 hosts (/32) are defined as remote networks (10.130.200.234/.235/.236/.241).</P><P>The local subnet is manually Hide-Natted behind a single IP NAT-Subnet address (192.168.123.1).<BR />The tunnel is up but sometimes when the key exchange happens the original 10.39.126.x IP is used in the packet instead of 192.168.123.1 nat IP (see below the log records).</P><P>The key with the wrong IP is installed (why?) but then the traffic fails.</P><P>Seem a matter of activity sequence (accept rule, nat, negotiate, encrypt..).</P><P>Does anyone have a suggestion?</P><P>Thanks in advance.<BR />Stefano</P><P>----------------------------- CORRECT KEY INSTALL</P><P>Number: 11768148<BR />Date: 11Dec2019<BR />Time: 9:12:30<BR />Interface: daemon<BR />Origin: FW<BR />Type: Log<BR />Action: Key Install<BR />==&gt;Source: VPN-NAT-IP (192.168.123.1) &lt;&lt;==== CORRECT<BR />Destination: 10.130.200.235<BR />Community: xxxxxxxxxxxxx<BR />Information: IKE: Child SA exchange: Created a child SA successfully<BR />IKE IDs: &lt;192.168.123.0 - 192.168.123.31&gt;&lt;10.130.200.235&gt;<BR />Source Key ID: 0x92dddf54<BR />Destination Key ID: 0x9ab9283b<BR />Encryption Scheme: IKEv2<BR />Data Encryption Methods: AES_256 + HMAC_SHA256, No IPComp, No ESN, No PFS<BR />IKE Initiator Cookie: dbd002e39d8ab5aa<BR />IKE Responder Cookie: eb019a4c3f09bd88<BR />IKE Phase2 Message ID: 0000000d<BR />VPN Peer Gateway: REMOTE-Peer (X.X.X.X)<BR />Subproduct: VPN<BR />VPN Feature: IKE<BR />Product: Security Gateway/Management<BR />Product Family: Network</P><P>----------------------------- WRONG KEY INSTALL</P><P>Number: 11750404<BR />Date: 11Dec2019<BR />Time: 9:11:52<BR />Interface: daemon<BR />Origin: FW<BR />Type: Log<BR />Action: Key Install<BR />==&gt;Source: 10.39.126.44 &lt;&lt;======= WRONG!<BR />Destination: 10.130.200.234<BR />Community: xxxxxxxxxxxxx<BR />Information: IKE: Child SA exchange: Created a child SA successfully<BR />IKE IDs: &lt;10.130.200.234&gt;<BR />Source Key ID: 0x1f571570<BR />Destination Key ID: 0xcb0be6fa<BR />Encryption Scheme: IKEv2<BR />Data Encryption Methods: AES_256 + HMAC_SHA256, No IPComp, No ESN, No PFS<BR />IKE Initiator Cookie: dbd002e39d8ab5aa<BR />IKE Responder Cookie: eb019a4c3f09bd88<BR />IKE Phase2 Message ID: 0000000c<BR />VPN Peer Gateway: REMOTE-Peer (X.X.X.X)<BR />Subproduct: VPN<BR />VPN Feature: IKE<BR />Product: Security Gateway/Management<BR />Product Family: Network</P><P>&nbsp;</P><P>----------------------------- FAILING HTTPS ACCESS</P><P>Number: 11781102<BR />Date: 11Dec2019<BR />Time: 9:12:52<BR />Interface: Mgmt<BR />Origin: FW<BR />Type: Log<BR />Action: Drop<BR />Service: https (443)<BR />Source Port: 58984<BR />Source: 10.39.126.44<BR />Destination: 10.130.200.234<BR />Protocol: tcp<BR />Rule: 43<BR />Rule UID: {4904EE49-19C1-4074-8561-DF7437BF5FBF}<BR />NAT rule number: 3<BR />NAT additional rule number: 1<BR />XlateSrc: VPN-NAT-IP (192.168.123.1)<BR />XlateSPort: 14356<BR />Community: XXXXXXXXXXXXXX<BR />Information: service_id: https<BR />encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information<BR />Encryption Scheme: IKE<BR />Data Encryption Methods: ESP: AES-256 + SHA256<BR />VPN Peer Gateway: REMOTE-Peer (X.X.X.X)<BR />Subproduct: VPN<BR />VPN Feature: VPN<BR />Product: Security Gateway/Management<BR />Log ID: 404830<BR />Product Family: Network</P><P><BR />------------------------------ WORKING HTTPS ACCESS</P><P>Number: 11768149<BR />Date: 11Dec2019<BR />Time: 9:12:30<BR />Interface: Mgmt<BR />Origin: FW<BR />Type: Log<BR />Action: Encrypt<BR />Source: 10.39.126.44<BR />Destination: 10.130.200.235<BR />Protocol: icmp<BR />Rule: 43<BR />Rule UID: {4904EE49-19C1-4074-8561-DF7437BF5FBF}<BR />NAT rule number: 3<BR />NAT additional rule number: 1<BR />XlateSrc: VPN-NAT-IP (192.168.123.1)<BR />Community: XXXXXXXXXXXXXX<BR />Information: service_id: icmp-proto<BR />ICMP: Echo Request<BR />ICMP Type: 8<BR />ICMP Code: 0<BR />Encryption Scheme: IKE<BR />Data Encryption Methods: ESP: AES-256 + SHA256<BR />VPN Peer Gateway: REMOTE-Peer (X.X.X.X)<BR />Subproduct: VPN<BR />VPN Feature: VPN<BR />Product: Security Gateway/Management<BR />Product Family: Network</P> Wed, 11 Dec 2019 09:02:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Cisco-FTD-local-subnet-natted-key-exchange-with/m-p/70052#M12031 Stefano_Chiesa 2019-12-11T09:02:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Cisco-FTD-local-subnet-natted-key-exchange-with/m-p/70062#M12032 <P>R75.40 has been out of support since April 2016 - so all i can suggest is look around in the forum, e.g. &nbsp;<A id="link_29" class="page-link lia-link-navigation lia-custom-event" style="font-family: inherit;" href="https://community.checkpoint.com/t5/General-Topics/Site-To-Site-VPN-with-Multiple-Subnets/m-p/21509?search-action-id=9964374511&amp;search-result-uid=21509" target="_blank">Site-To-Site <SPAN class="lia-search-match-lithium">VPN</SPAN> with Multiple Subnets</A>,<SPAN style="color: #000000; font-family: inherit;">&nbsp;</SPAN><SPAN style="color: #000000; font-family: inherit;">Link to <SPAN>sk62803</SPAN>&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk62803" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solut...</A></SPAN><SPAN style="color: #000000; font-family: inherit;">&nbsp;and&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk53980" rel="nofollow noopener noreferrer" target="_blank">Site to Site with 3rd party</A></SPAN></P> Wed, 11 Dec 2019 09:40:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Cisco-FTD-local-subnet-natted-key-exchange-with/m-p/70062#M12032 G_W_Albrecht 2019-12-11T09:40:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Cisco-FTD-local-subnet-natted-key-exchange-with/m-p/70064#M12033 <P>Thanks G_W for your answer. I know it's a really old system but I have to deal with it...<BR />I'll review the articles.<BR />Thanks again.<BR />Stefano.</P> Wed, 11 Dec 2019 14:05:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-with-Cisco-FTD-local-subnet-natted-key-exchange-with/m-p/70064#M12033 Stefano_Chiesa 2019-12-11T14:05:33Z