topic Re: VPN with 3rdparty in Firewall and Security Management

VPN with 3rdparty

SkipperNavy — Sat, 30 Mar 2024 01:07:31 GMT

Hello community,

i have an issue on my configuration of vpn ipsec with 3rd party ( juniper), let me explain:

i created a vpn betwenn my cluster ( R80.40) and a remote Juniper Gateway.

traffic from juniper side to network behind my cluster CP is ok.

traffic from my to network to remote network is KO.

the configuration of my VPN domain: local 10.167.52.0/24 and remote 10.167.200.0/24

the same proxy id are configured on the juniper side.

tunnel management: one vpn tunnel per subnet pair

when investigating i find that ikep2 is ko ( CP to juniper)

on the juniper; IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range

on the cp: Child SA exchange: Received notification from peer: Traffic selectors unacceptable MyTSi: <10.167.0.0 - 10.167.255.255> MyTSr: <10.167.200.0 - 10.167.200.255>

This is due to supernetting, i assume. i made change as described on other discussion:

Guidbedit values to change to FALSE:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

but my cp gateway still send /16 instead of /24

can someone help on this?

Re: VPN with 3rdparty

the_rock — Sat, 30 Mar 2024 01:24:49 GMT

Did you install policy after making those guidbedit changes?

Andy

Re: VPN with 3rdparty

SkipperNavy — Sat, 30 Mar 2024 01:44:19 GMT

Yes, i saved, the installed the policy.

i also tried to force the /24 via user.def.fw1 but still ko.

so i roll back the user.def.fw1

Re: VPN with 3rdparty

the_rock — Sat, 30 Mar 2024 01:51:05 GMT

Is there any natting inside the community?

Re: VPN with 3rdparty

the_rock — Sat, 30 Mar 2024 02:54:00 GMT

I would do quick debug on CP side to see what it shows. Get iked and vpnd files from $FWDIR/log dir and run vpn iked calculate peer_ip_address to see which iked files are relevant

vpn debug trunc

vpn debug ikeon

-try generate some traffic

vpndebug ikeoff

Best,

Andy

Re: VPN with 3rdparty

SkipperNavy — Sat, 30 Mar 2024 07:57:57 GMT

Nat-t is enabled. This is necessary on juniper side.

Re: VPN with 3rdparty

Chris_Atkinson — Sat, 30 Mar 2024 23:27:34 GMT

How are you clearing your VPN between attempts/changes?

Which Jumbo take is present on these systems?

Note R80.40 will be EOL next month.

Re: VPN with 3rdparty

the_rock — Sat, 30 Mar 2024 12:08:23 GMT

Makes sense, I heard that about Juniper before. Hey, is this enabled or not on CP side inside vpn community settings?

Andy

Re: VPN with 3rdparty

SkipperNavy — Sat, 30 Mar 2024 12:32:55 GMT

Please what do you mean by run vpn iked calculate?

Re: VPN with 3rdparty

the_rock — Sat, 30 Mar 2024 12:44:04 GMT

What I mean is this.

Andy

[Expert@cpazurecluster1:0]# vpn iked calculate 20.151.89.116

vpn: Address 20.151.89.116 is handled by IKED 0

[Expert@cpazurecluster1:0]#

And what above means is that when you run debug, you ONLY care about iked0 files.

Re: VPN with 3rdparty

SkipperNavy — Sat, 30 Mar 2024 13:00:00 GMT

Re: VPN with 3rdparty

SkipperNavy — Sat, 30 Mar 2024 13:03:23 GMT

I tried running the command in expert mode but it return:

Unknown command « iked »

Re: VPN with 3rdparty

the_rock — Sat, 30 Mar 2024 13:04:49 GMT

Just type vpn from expert mode and see if iked shows up in the menu, as below

[Expert@cpazurecluster1:0]# vpn
Usage:
vpn debug ... # print debug msgs to VPN log files
vpn iked # various 'iked' related commands
vpn cccd # various 'cccd' related commands
vpn crl_zap # erase all CRLs from cache
vpn drv ... # attach vpn driver to fw driver and more
vpn ver [-k] # display VPN version
vpn crlview ... # debugging tool for CRLs
vpn compstat # display compression/decompression statistics
vpn compreset # reset compression/decompression statistics
vpn macutil [user_name] # display generated MAC address by username or
# DN from arg or stdin (also: vpn mu)
vpn tunnelutil # launch TunnelUtil tool to control
# VPN Tunnels (also: vpn tu)
vpn nssm_topology ... # generate topology in NSSM format for
# Nokia clients
vpn rll dump fileName/sync # Route Lookup Layer: Dump DB
# Sync DB
vpn overlap_encdom ... # Display overlapping encryption domains
vpn dll dump fileName # DNS Lookup Layer: Dump DB
vpn dll resolve [hostname] # Request Resolve
vpn 3rd_party_mep #
vpn ipafile_check filename [level] # Verify candidate for ipassignment.conf
vpn set_slim_server ... # Starting/stopping the slim web server
vpn set_snx_encdom_groups ... # enabling/disabling the encryption domain
# per usergroup feature for snx
vpn mep_refresh # Initiate MEP re-decision in case of
# backup stickiness configuration
vpn rim_cleanup # Clean RIM routes
vpn shell ... # Command Line Interface
vpn set_trac disable/enable # Starting/Stopping trac server
vpn neo_proto [on/off] # switching neo client protocol
vpn show_tcpt # show visitor mode users
vpn check_ttm # Check if a ttm file is valid
vpn dump_psk # dump hash (SHA256) of peers pre-shared-keys
vpn snx_unban # Reset the failed login attempt history of a client IP address
[Expert@cpazurecluster1:0]#

Re: VPN with 3rdparty

SkipperNavy — Sat, 30 Mar 2024 13:07:30 GMT

There is no iked option with vpn colmand

thank you

Re: VPN with 3rdparty

the_rock — Sat, 30 Mar 2024 13:09:25 GMT

Ok, no worries. Lets do remote if you are allowed, I think we can figure this out.

If yes, just DM me and I can send you zoom.

Andy

Re: VPN with 3rdparty

Timothy_Hall — Sat, 30 Mar 2024 13:12:24 GMT

Traffic selectors proposed to a Juniper must match precisely, it will not accept a subset. However the Check Point will accept a subset if the Juniper proposes it, which is why the Juniper can bring the tunnel up, but if the Check Point is the initiator it cannot.

Make sure "disable NAT in VPN Community" is set as the_rock mentioned.

The GUIdbedit largest_possible_subnet and user.def hacks are no longer needed as you can now set precise VPN domains per VPN Community. I'm pretty sure this capability was added in R80.40 which is the release you are using. On the VPN Community screen shown below, override the VPN Domain "IP addresses based on object topology" setting for both community members like this:

Re: VPN with 3rdparty

SkipperNavy — Sat, 30 Mar 2024 13:53:39 GMT

Thank you the-rock but i can use remote, company restriction.

if i disable nat on cp, is it necessary to do the same on juniper?

Re: VPN with 3rdparty

the_rock — Sat, 30 Mar 2024 13:56:53 GMT

Correct.

Re: VPN with 3rdparty

SkipperNavy — Sat, 30 Mar 2024 14:08:59 GMT

Hello, i made all this change but my cp gateway still send /16 as MyTSI

can someone explain me to understand how the gateway obtain /16?

thank you in advance

Re: VPN with 3rdparty

the_rock — Sat, 30 Mar 2024 14:20:06 GMT

Can you please send screenshots of changes you made in guidbedit, as well as community settings? Please blue out any sensitive info. Also, do the debug I mentioned last nite.

vpn debug trunc

vpn debug ikeon

-try generate some traffic

vpn debug ikeoff

Look for iked and vpnd files in $FWDIR/log dir

Best,

Andy