topic Re: VPN Tunnel to Cisco ASA doesn't work in Firewall and Security Management

VPN Tunnel to Cisco ASA doesn't work

Leader_Kiongi — Wed, 29 Mar 2023 12:22:43 GMT

Hello,

We’ve setup a VPN tunnel from our Check Point DC firewall to a Cisco ASA firewall in Australia but it doesn’t work. In logs (and IKEView), we see: Auth exchange: Received notification from peer: Traffic selectors unacceptable MyTSi: <IPv4 Universal Range> MyTSr: <My Peer's public IP>.

We’ve tried what is proposed in sk157473 but no luck.

IKEView (legacy_ikev2.xmll), during authentication, Check Point proposes "IPv4 Universal Range" as its own traffic selector and the IP of the peer as TS for the peer but ASA refuses this in its response. Why doesn't Check Point propose its own public IP as TS ?
Can you help us find the issue?

Thanks in advance for your help.

Regards,

Alain

Re: VPN Tunnel to Cisco ASA doesn't work

G_W_Albrecht — Wed, 29 Mar 2023 12:37:49 GMT

Tried sk108600: VPN Site-to-Site with 3rd party yet ?

Re: VPN Tunnel to Cisco ASA doesn't work

Leader_Kiongi — Wed, 29 Mar 2023 12:41:48 GMT

Thanks @G_W_Albrecht . Yes I already had a look at sk108600 but I don't see any scenario similar to my issue.

Regards,

Alain

Re: VPN Tunnel to Cisco ASA doesn't work

the_rock — Wed, 29 Mar 2023 12:45:10 GMT

Hey @Leader_Kiongi

See if you can do changes I proposed in below link to Rich. Let us know if that helps.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Site-to-site-Disconnects-amp-Questions/m-p/175758#M32093

Re: VPN Tunnel to Cisco ASA doesn't work

G_W_Albrecht — Wed, 29 Mar 2023 13:11:01 GMT

Better contact TAC to get this resolved asap !

Re: VPN Tunnel to Cisco ASA doesn't work

Leader_Kiongi — Wed, 29 Mar 2023 13:37:16 GMT

Thanks @the_rock for your feedback. I could only change ike_p2_enable_supernet_from_R80.20, which can be changed on community basis. ike_enable_supernet and ike_use_largest_possible_subnets are global properties and changing those would have a huge impact on the VPN tunnels that are already working. The thing is that we have many other working tunnels with 3rd parties (Cisco, Fortinet etc...) with those settings set to true. Really don't understand.

Thanks !

Regards,

Alain

Re: VPN Tunnel to Cisco ASA doesn't work

Leader_Kiongi — Wed, 29 Mar 2023 13:38:44 GMT

Yes already opened a ticket with our partner, we don't have direct support with Check Point. But no feedback from them yet.

Re: VPN Tunnel to Cisco ASA doesn't work

the_rock — Wed, 29 Mar 2023 13:41:52 GMT

No worries, I understand. I will tell you I had people change those many times before without any issues. Btw, those values should be set to FALSE to begin with. But, keep us posted on what TAC says.

Andy

Re: VPN Tunnel to Cisco ASA doesn't work

Leader_Kiongi — Thu, 30 Mar 2023 19:13:03 GMT

Hi @the_rock ,

I made the changes, pushed policy and reset the tunnel but still the same error. Something curious is that the tunnel shows as up in SmartView Monitor but ping doesn't work and in SmartConsole and IKEView I see the error "Traffic selectors unacceptable". Check Point still proposes "IPv4 Universal Range" as Traffic Selector, which is rejected by the ASA.

Any idea ?

Thanks !

Regards,

Alain IKULA

Re: VPN Tunnel to Cisco ASA doesn't work

the_rock — Thu, 30 Mar 2023 19:19:17 GMT

How do you have tunnel management tab configured inside vpn community on CP side? Can you send a screenshot please? That message tells me it does not like something about phase 2 config.

Andy

Re: VPN Tunnel to Cisco ASA doesn't work

the_rock — Thu, 30 Mar 2023 19:34:24 GMT

Apologies mate, forgot to attach a screenshot. This is what I was referring to.

Andy

Re: VPN Tunnel to Cisco ASA doesn't work

Wolfgang — Thu, 30 Mar 2023 19:49:02 GMT

@the_rock Andy is on the right way. The problem looks like related to tunnel management settings. Check your settings (subnet pair or gateway pair or host pair) The same must be defined on the Cisco ASA site, this is a common mistake.
Have a look at Site to Site using IKEv2 fails with "None of the traffic selectors match the conection

Is the ASA object configured as interoperable device ?

Re: VPN Tunnel to Cisco ASA doesn't work

the_rock — Thu, 30 Mar 2023 19:55:42 GMT

Thats honestly the only thing left that makes sense to me. @Leader_Kiongi , here is the best Cisco vpn debug commands I got while back from the guy who used to work in Cisco TAC. If you can have them run this, should give better insight as well.

Andy

debug vpn:

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs-> undebug all

Re: VPN Tunnel to Cisco ASA doesn't work

Leader_Kiongi — Fri, 31 Mar 2023 08:39:59 GMT

Thanks @Wolfgang @ . Unfortunately, I already tried all tunnel management options (host pair, network pair and gateway pair) but still the same result. Check Point keeps proposing "IPv4 Universal Range" as Traffic Selector, but ASA refuses it. Yes I already had a look at sk157473 and yes Cisco ASA is configured as interoperable device
Thanks !

Regards,

Alain

Re: VPN Tunnel to Cisco ASA doesn't work

nooni — Fri, 31 Mar 2023 09:26:32 GMT

Now i am not sure which steps you already have taken or what Check Point version you are running but

there are some things i would try in an effort to rule out some issues.

IKE Version, are running v1 or v2 in the community ? Possible to switch and test ?

IPv4 summarization, Check Point fw is going to try to summarize the networks in the encryption domain which will cause issues if the other end has 2 /24's for example and Check Point is presenting a /23.

Are there more VPN tunnels to this Check Point endpoint ? Have you considered trying to use "Encryption Domain per Community"

Re: VPN Tunnel to Cisco ASA doesn't work

Leader_Kiongi — Fri, 31 Mar 2023 09:52:19 GMT

Thanks @nooni . We're using IKEv2. Already tested with IKEv1 but same issue. What's curious is that same settings are being used with another Check Point in Azure and it works. The only difference here is that my encryption domain is a test encryption domain with three /32 networks.

IPv4 summarization has been disabled by switching those 3 settings to FALSE using GUIDBedit:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

I'm hopeless. No feedback yet from TAC.

Thanks !

Regards,

Alain

Re: VPN Tunnel to Cisco ASA doesn't work

the_rock — Fri, 31 Mar 2023 15:05:38 GMT

How is tunnel management configured? Can you send a screenshot please? I referenced to it yesterday : - )

Andy

Re: VPN Tunnel to Cisco ASA doesn't work

Leader_Kiongi — Fri, 31 Mar 2023 15:21:34 GMT

Hello @the_rock. Here you are:

Since around 01.00 PM, tunnel is up, though ping still doesn't work. My colleagues in Australia need to check if they see my incoming ping and maybe firewall rule is missing but traffic is now successfully encrypted in the tunnel. I think the change you proposed here https://community.checkpoint.com/t5/Security-Gateways/Site-to-site-Disconnects-amp-Questions/m-p/175758#M32093 made the trick. We still have to confirm with colleagues in Australia on Monday. I'll keep you posted.

Thanks a lot guys for your support. This community is incredible

Regards,

Alain

Re: VPN Tunnel to Cisco ASA doesn't work

the_rock — Fri, 31 Mar 2023 15:30:44 GMT

@Leader_Kiongi Glad we can help mate, its always team effort on here! Funny story...one time, I was on the phone with TAC guy and the customer (customer I know very well personally) and TAC guy sends us a link and he goes "Here is the link I found, this is the guy called rock on community and I think he knows lots of stuff" and customer says to him "Hm, yea, I always wonder who that dude is" and it took support guy few minutes to figure out it was me HAHAHA

We all laughed about it later, it was sort of funny lol

Though as I said in the post you referenced, I had been know to fix some issues here and there in last 15 years, but nothing like community legend @PhoneBoy

Re: VPN Tunnel to Cisco ASA doesn't work

Leader_Kiongi — Fri, 31 Mar 2023 15:47:10 GMT

This is really funny. I'll mark as solution if our Australian colleagues confirm on Monday.

Have a nice week-end

Regards,

Alain