topic Re: IKEV2 With Cisco ASA in General Topics

IKEV2 With Cisco ASA

Olukayode_Adegb — Thu, 09 May 2019 16:10:05 GMT

I have a pair of FW on Azure infrastructure. However, I'm not able to establish VPN using IKEV2 from the checkpoint FW to Cisco ASA.

Anyone set VPN up with Cisco ASA before using IKEv2?

Regards

Kayode

Re: IKEV2 With Cisco ASA

Vladimir — Thu, 09 May 2019 23:00:28 GMT

This really is not a lot to go on, but I believe I have done this in the past.

Take a look at this old thread in CPUG:

https://www.cpug.org/forums/showthread.php/21310-Issue-with-VPN-tunnel-between-Checkpoint-R77-30-and-Cisco-ASA

and see if anything there can be of use to troubleshoot.

Re: IKEV2 With Cisco ASA

Sean_Van_Loon — Fri, 10 May 2019 12:52:44 GMT

My experience with Cisco is that setting up a VPN tunnel is very difficult, because Cisco is very strict with it's configuration.

Most of the time you have a encryption domain mismatch, thus why I would recommend to request the CLI configuration of said Cisco ASA, which will show you how it is exactly configured.

My recommendation is to first configure a (Domain-based) VPN IPSec Tunnel

After that has been setup, see if the tunnel comes up by initiating traffic.

If not, perform an IKE debug and to read it with IKEVIEW (Check Point tool).

If it is a mismatch in encryption domains, you have to modify the user.def to specify exactly what should be negotiated.

The following SK's will help you with the troubleshooting:

- Location of crypt.def: sk98241

- Location of user.def: sk98239

- Configure encryption domains to negotiate sk108600 - Scenario1

- What information is required to troubleshoot the VPN related issues? sk40114

- How to generate a valid VPN debug, IKE debug and FW Monitor: sk33327

- IKEView utility: sk30994

Hope this helps!

Kind regards,

Sean

Re: IKEV2 With Cisco ASA

Olukayode_Adegb — Fri, 10 May 2019 14:53:51 GMT

Hello Mate,

May thanks for your contribution.

Just to add more context to my question, on the checkpoint FW side, the requirement is to hide our internal LAN and so we’ve been asked to NAT to another Private Subnet so this can be advertised as VPN domain. This looks like Private to Private NAT. The traffic looks like this:

CHECKPOINT LAN (10.151.X.X)---->Private subnet (172.x.x.x/24)Public IP (52.X.X.X)------VPN(IKEv2)----->Public (208.X.X.X)Private subnet (207.x.x.x/24) ASA

Any suggestion on how to make this happen will be of great help.

Regards

Re: IKEV2 With Cisco ASA

HeikoAnkenbrand — Fri, 10 May 2019 19:12:27 GMT

Tip:

- use IKEv1

- use lower DH groups for example 5

- use main mode

- check first with PSK

- check same phase 1 and phase 2 settings

- check supernet issues

Re: IKEV2 With Cisco ASA

HeikoAnkenbrand — Fri, 10 May 2019 19:22:03 GMT

Or see this SK:

VPN Site-to-Site with 3rd party

Re: IKEV2 With Cisco ASA

Sean_Van_Loon — Tue, 14 May 2019 08:22:03 GMT

I would recommend only lowering the DH group temporary, as this is actual one of the most important component in the IPSec VPN security.
As a best practice, it is now recommended to use DH 14 or higher.
The lower the DH group, the easier the keys can be cracked.