topic Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA in Firewall and Security Management

Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

stelsyas — Thu, 25 Apr 2024 08:50:08 GMT

Good morning everyone,

I am setting up IPsec over the Public Internet with many partners around the world. One of my partners uses a Cisco ASA, and there was a problem with that. CheckPoint send traffic selector 0.0.0.0. Cisco rejects the request and IPsec does not up. Has anyone encountered such a problem?

I use CheckPoint 1800 on cluster.

Thanks!

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

PhoneBoy — Thu, 25 Apr 2024 14:11:51 GMT

Sounds like both ends disagree on what the encryption domain is and/or you've configured your end to establish a single tunnel for all traffic (0.0.0.0) and the other end isn't configured to accept this.

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

stelsyas — Thu, 25 Apr 2024 14:20:33 GMT

Hi PhoneBoy!

I need configure connection between local network 185.xx.xx.xx/29 (my CP) and 91.xx.xx.xx/30 (Cisco).

I added network 185.xx.xx.xx/29 to VPN->Site to Site -> Advanced -> Local ecryption domain is defined manualy...

But CheckPoint on Phase 2 sending traffic selector 0.0.0.0/0. Another firewall (PfSense, Strongswan, Huawei) normal to accept it. The problem is only with Cisco ASA.

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

_Val_ — Thu, 25 Apr 2024 14:27:12 GMT

Can you show how you configured your VPN domain on CP side? The issue is, CP only sends 0.0.0.0/0 if the VPN domain is empty.

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

Vincent_Bacher — Thu, 25 Apr 2024 14:28:38 GMT

In case you configured the domain to select it's proxy id per pair of gateways, it surely sends 0.0.0.0/0 what is expected behavior.
On the ASA side there should be something like this:

crypto map outside_map 10 match address VPN-Traffic crypto map outside_map 10 set peer <Peer_IP_Address> ! Define the ACL for interesting traffic access-list VPN-Traffic extended permit ip any4 any4

This is how i configured that long time ago

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

Vincent_Bacher — Thu, 25 Apr 2024 14:34:51 GMT

And i thought, it's defined in the tunnel management.

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

stelsyas — Thu, 25 Apr 2024 14:40:07 GMT

Config on screens:

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

stelsyas — Thu, 25 Apr 2024 14:43:19 GMT

IPSec is up if configure the following on the Cisco:
>>access-list VPN-Traffic extended permit ip any4 any4

But in this case, all traffic will be sent via IPSec.

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

the_rock — Thu, 25 Apr 2024 15:02:55 GMT

Just configure it as permanent tunnel using VTIs and set option @Vincent_Bacher advised in the community. I had done this many times and works without any issues. If you need help, just ping me.

Andy

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

Timothy_Hall — Thu, 25 Apr 2024 21:37:08 GMT

Just to clarify the "one tunnel per gateway pair" is sometimes called "double quad zeroes" or a "universal tunnel" by some vendors if it helps locate their proper documentation for this setup.

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

the_rock — Thu, 25 Apr 2024 21:44:18 GMT

Super valid point...I know Fortinet calls it that all the time, not sure about Cisco, but its probably the same thing.

Andy

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

Vincent_Bacher — Fri, 26 Apr 2024 05:01:21 GMT

Interesting. I configured masses of VPN tunnels at FortiGate devices and never heard that wording 😄

Re: Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

the_rock — Fri, 26 Apr 2024 11:26:08 GMT

Now you have 😉

Andy