topic Re: Where does Checkpoint pull the VPN Subnets from for the tunnels ? Strange issues in Firewall and Security Management

Where does Checkpoint pull the VPN Subnets from for the tunnels ? Strange issues

carl_t — Fri, 24 Mar 2023 15:02:10 GMT

Hi Guys

We have created a VPN tunnel between a R81.10 gateway and a Cisco ASA, the setting is one vpn tunnel per subnet pair.

The subnet on the ASA side is 172.16.0.0/12 to the Checkpoint which is 172.28.25.0/24

However when we look at the ASA and do a vpn tu tlist on the Checkpoint we see lots of random tunnels to different subnets within this 172.16.0.0/12 network, for example we see a tunnel formed to 172.24.0.0/14 and 172.16.0.0/13.

Where are these funny subnets being pulled from as none of these are set on the config, why are these showing?

Many thanks

Re: Where does Checkpoint pull the VPN Subnets from for the tunnels ? Strange issues

the_rock — Fri, 24 Mar 2023 15:06:08 GMT

Hey @carl_t

Have a look at recent post and what I gave to fix it. Hates me to type it all now, so just open the link and its all there.

If you have any questions, let me know, we can discuss further.

Cheers mate.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Site-to-site-Disconnects-amp-Questions/m-p/175758#M32093

Re: Where does Checkpoint pull the VPN Subnets from for the tunnels ? Strange issues

carl_t — Fri, 24 Mar 2023 15:14:07 GMT

Hi Andy

Thanks for your response, firstly we are not getting any drops just loads of random SA's

Where is it getting these funny supernets from? for example what makes the checkpoint pick 172.24.0.0/14 even though is is not configured in any vpn settings? or any objects configured on the gateway.

Re: Where does Checkpoint pull the VPN Subnets from for the tunnels ? Strange issues

the_rock — Fri, 24 Mar 2023 15:27:53 GMT

Its from those guidbedit settings I mentioned in the post. So, to make long story short, this had been the problem with Check Point, for I dont know, last 20 years : - )

So, here is really basic example...lets pretend you want CP to advertise /29 to Cisco and thats what Cisco is expecting...fantastic. Now, you do your enc domains, verify everything, install policy and realize its failing on phase 2.

Why you may wonder? Its because Cisco is EXPECTING /29, but CP will always try send largest possible subnet, which would be at least /24 or larger.

So, not shockingly enough, Im fairly positive unless you change those values I mentioned to false, you will 100% continue to see this behavior.

As a matter of fact, this was one of the questions on R81 CCSE exam last year, EXACTLY that : - )

Re: Where does Checkpoint pull the VPN Subnets from for the tunnels ? Strange issues

carl_t — Fri, 24 Mar 2023 15:36:45 GMT

Hi Andy

Its the other way around we are having issues, the ASA is sending 172.16.0.0/12 as its source, but the CP is picking networks within this range and building tunnels back to the ASA on all different subnets, the source subnet FROM the Checkpoint is fine, the issue is destinations from the CP towards the ASA. The ASA sees the correct source from the ASA.

Re: Where does Checkpoint pull the VPN Subnets from for the tunnels ? Strange issues

the_rock — Fri, 24 Mar 2023 15:38:57 GMT

Fair enough. You got simple diagram you can send with this info and how traffic is supposed to flow? Even basic paint drawing would do, Im not picky, as long as I can visualize this : - )

PLEASE blur out any sensitive info.

Tx mate.

Andy

Re: Where does Checkpoint pull the VPN Subnets from for the tunnels ? Strange issues

Danny — Fri, 24 Mar 2023 15:57:10 GMT

What's this tool showing as encryption domains?

Re: Where does Checkpoint pull the VPN Subnets from for the tunnels ? Strange issues

the_rock — Fri, 24 Mar 2023 16:12:20 GMT

Another GREAT tool from you @Danny ...keep them coming mate, you are the BEST!! 🙌🙌🙌