topic Re: Site to Site IPsec VPN with Strongswan in Spark Firewall (SMB)

Site to Site IPsec VPN with Strongswan

ANANTADSULE — Sat, 21 Sep 2024 12:34:50 GMT

Dear All,

I'm trying to create IPsec tunnel with Strong Swan with below configuration.

Left Side is Strong Swan

Right Side is Checkpoint R81.10.10(945)

--------------------------

conn ho
type=tunnel
auto=start
keyexchange=ikev2
authby=secret
left=%defaultroute
leftid=13.126.xx.xx
leftsubnet=10.90.0.0/20
right=59.94.xx.xx
rightid=%any
rightsubnet = 192.168.10.0/26
ike=aes256-sha256-modp1024!
esp=aes256-sha256!
aggressive=no
forceencaps=yes
leftauth=psk
rightauth=psk
keyingtries=%forever
ikelifetime=28800s
lifetime=3600s
dpddelay=20s
dpdtimeout=120s
dpdaction=restart

------------------------------

Checkpoint config screenshot attached.

Re: Site to Site IPsec VPN with Strongswan

the_rock — Sat, 21 Sep 2024 14:41:06 GMT

We need more info. Where does it fail, phase 1, phase 2? Did you do any tcpdumps, debugs? Also, any relevant logs would help, for sure.

Best,

Andy

Re: Site to Site IPsec VPN with Strongswan

ANANTADSULE — Mon, 23 Sep 2024 09:28:43 GMT

Hello Sir,

VPN debug logs & VPN tunnel screenshot attached herewith.

Re: Site to Site IPsec VPN with Strongswan

ANANTADSULE — Mon, 23 Sep 2024 10:20:14 GMT

Informational exchange: Sending notification to peer: Invalid IKE SPI IKE SPIs: 0faf1db83dbbed18:f534262a58300b19, Refer to sk181787 for elaboration on this reason

Re: Site to Site IPsec VPN with Strongswan

the_rock — Mon, 23 Sep 2024 10:38:13 GMT

will check later.

Andy

Re: Site to Site IPsec VPN with Strongswan

ANANTADSULE — Mon, 23 Sep 2024 11:16:14 GMT

Only Phase 1 comes up & then got down

Re: Site to Site IPsec VPN with Strongswan

the_rock — Mon, 23 Sep 2024 11:31:53 GMT

Just had a quick look and I see below messages. I would make sure everything in phase 1 is matching, including pSK, because there are only so many things that could be mismatched. Also, is this supposed to be permanent tunnel or not? I ask because it shows DPD errors.

Andy

Line 707: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 13.126.XX.XX returned obj: 0x91d1ee8
Line 716: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44] GetEntryXIsakmpObjectsHash: received ipaddr: 13.126.XX.XX as key, found fwobj: AWS_VPN_BSNL
Line 717: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 13.126.XX.XX returned obj: 0x91d1ee8
Line 718: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44] canonize_gw: Canonized ip is the same as original ip 13.126.XX.XX
Line 721: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][tunnel] UDPConnection::UDPConnection: Enter (copy ctor) peer: 13.126.XX.XX
Line 728: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][ikev2] ikeExchangeFlowHandler::createResponderExchange: entering. peer: 13.126.XX.XX, peer_ip: 13.126.XX.XX, my_ip: 59.94.XX.XX, port: 4500, local_os_ifn: 0, local_ifn: -1
Line 735: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][ikev2] peer: (ext addr: 13.126.XX.XX). peer_ip: 0.0.0.0 Using port 4500
Line 741: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][ikev2] doCreateOrder: enter with peer 13.126.XX.XX peer_ip 13.126.XX.XX
Line 742: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][ikev2] ikev2Mediator::getIKEPeerObj: entering: ipaddr 13.126.XX.XX
Line 743: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44] GetEntryXIsakmpObjectsHash: received ipaddr: 13.126.XX.XX as key, found fwobj: AWS_VPN_BSNL
Line 744: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 13.126.XX.XX returned obj: 0x91d1ee8
Line 749: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][ikev2] ikeSimpOrder::createVpnDbHandle: found a common community with 13.126.XX.XX. Not using granular crypto settings.
Line 755: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][ikev2] ikeSimpOrder::setIPs: Set Peer: 13.126.XX.XX, IP to use: 13.126.XX.XX
Line 756: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][ikev2] ikeSimpOrder::setTunnelIPs: Peer: 13.126.XX.XX, My_ip: 0.0.0.0 Peer_ip: 0.0.0.0, local_ifn -1, local_os_ifn 0
Line 806: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][ikev2] peer: (ext addr: 13.126.XX.XX). peer_ip: 0.0.0.0 Using port 4500
Line 819: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][ikev2] peer: (ext addr: 13.126.XX.XX). peer_ip: 0.0.0.0 Using port 4500
Line 836: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44] canonize_gw_legacy: enter 13.126.XX.XX
Line 837: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44] GetEntryXIsakmpObjectsHash: received ipaddr: 13.126.XX.XX as key, found fwobj: AWS_VPN_BSNL
Line 869: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][io] [SOCKETS][IKE]: Sending 84 IKE bytes to 13.126.XX.XX
Line 870: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:44][ikev2] ikev2Mediator::sendPacket: Sent 80 bytes using NAT-T (IPv4) to 13.126.XX.XX
Line 1052: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] tnlmon_transmitter_cb: entering: key <13.126.XX.XX, 1>
Line 1054: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54] canonize_gw_legacy: enter 13.126.XX.XX
Line 1055: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54] GetEntryXIsakmpObjectsHash: received ipaddr: 13.126.XX.XX as key, found fwobj: AWS_VPN_BSNL
Line 1057: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] tnlmon_transmitter_cb: Gateway IP is: 13.126.XX.XX
Line 1058: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] tnlmon_transmitter_cb: try to send DPD Request to GW 13.126.XX.XX
Line 1059: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] tnlmon_transmitter_cb: pKey->gateway:13.126.XX.XX, pKey->type:1, timeout:30
Line 1060: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] send_dpd: entering: peer 13.126.XX.XX, transmitter_interval 30
Line 1061: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] get_dpd_initiator_peers_hash: search for peer 13.126.XX.XX
Line 1062: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] get_dpd_initiator_peers_hash: found peer 13.126.XX.XX in dpd_initiator_peers hash
Line 1064: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] get_dpd_initiator_peers_hash: search for peer 13.126.XX.XX
Line 1065: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] get_dpd_initiator_peers_hash: found peer 13.126.XX.XX in dpd_initiator_peers hash
Line 1066: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] update_peer_in_dpd_initiator_peers_hash: peer 13.126.XX.XX, call CB: 1
Line 1067: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54] GetEntryXIsakmpObjectsHash: received ipaddr: 13.126.XX.XX as key, found fwobj: AWS_VPN_BSNL
Line 1068: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 13.126.XX.XX returned obj: 0x91d1ee8
Line 1075: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] send_dpd_notification: entering: peer 13.126.XX.XX
Line 1076: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] get_dpd_initiator_peers_hash: search for peer 13.126.XX.XX
Line 1077: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][tunnel] get_dpd_initiator_peers_hash: found peer 13.126.XX.XX in dpd_initiator_peers hash
Line 1078: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54] GetEntryXIsakmpObjectsHash: received ipaddr: 13.126.XX.XX as key, found fwobj: AWS_VPN_BSNL
Line 1079: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 13.126.XX.XX returned obj: 0x91d1ee8
Line 1084: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][ikev2] invoke_send_DPD: enter with peer: 13.126.XX.XX peer_ip: inx invalid type (0) my_ip: inx invalid type (0) local_ifn: -1
Line 1085: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][ikev2] ikev2Mediator::getSPIsByPeer: looking in peer_ikesa table for: <peer=13.126.XX.XX, user_hash=0, local_ifn=-1, peer_ip=inx invalid type (0)> ip_type=1
Line 1092: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][ikev2] peer: (ext addr: 13.126.XX.XX). peer_ip: 0.0.0.0 Using port 4500
Line 1098: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][ikev2] ikeExchangeFlowHandler::SendDPD: Send DPD to peer 13.126.XX.XX and SPIs a62a8a4d6eb13b93:0cbf35aa7f2baf9f, timeout is 30
Line 1099: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][ikev2] doCreateOrder: enter with peer 13.126.XX.XX peer_ip 0.0.0.0
Line 1100: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54][ikev2] ikev2Mediator::getIKEPeerObj: entering: ipaddr 13.126.XX.XX
Line 1101: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54] GetEntryXIsakmpObjectsHash: received ipaddr: 13.126.XX.XX as key, found fwobj: AWS_VPN_BSNL
Line 1102: [iked 11923 4156895088]@AMALCO-HO[23 Sep 14:44:54] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for 13.126.XX.XX returned obj: 0x91d1ee8

Re: Site to Site IPsec VPN with Strongswan

the_rock — Mon, 23 Sep 2024 11:34:44 GMT

I cant sadly paste the content of the sk, as it would violate community policies, but I had a quick look at it and it pretty much alligns with what I mentioned in my last response to check settings for phase 1, that they match on both ends.

Best,

Andy

Re: Site to Site IPsec VPN with Strongswan

the_rock — Mon, 23 Sep 2024 12:06:22 GMT

@ANANTADSULE Ping me directly if you like, we can do remote session...Im just studying for Microsoft exam I have tomorrow, but I can help, not an issue.

Let me know.

Andy

Re: Site to Site IPsec VPN with Strongswan

_Val_ — Mon, 23 Sep 2024 13:46:43 GMT

You still can post a link to that SK, or just it's ID

Re: Site to Site IPsec VPN with Strongswan

the_rock — Mon, 23 Sep 2024 14:24:50 GMT

Here is the link. @ANANTADSULE , if you can access it, you can check that error mentioned, but as I mentioned, it pretty much boils down to making sure everything in phase 1 matches on both ends.

Andy

https://support.checkpoint.com/results/sk/sk181787

Re: Site to Site IPsec VPN with Strongswan

ANANTADSULE — Wed, 25 Sep 2024 07:00:15 GMT

Yes,This is permanent tunnel.

What we can do to match or identify the exact issue with Phase 2.

Please help

Re: Site to Site IPsec VPN with Strongswan

the_rock — Thu, 03 Oct 2024 12:51:59 GMT

Hey guys,

Just to update quick, I had remote with Anant and below is what we observed.

-tunnel shows as UP on both sides

-on CP 1500 smb appliance, running vpn tu list peer_ike and peer_ipsec flags show entries, meaning both phase 1 and 2 are working

-now, through rules are there and vpn domains are 100% correct, all works from strongswan side, but NOT cp end, log shows according to policy, packet should not have been decrypted

Since there is built in gui vpn debug tool, probably good idea to give that a go. I also advised to try reset tunnel on both ends.

@ANANTADSULE , if you could, I would also reboot smb after hours.

Alternatively, I would also open TAC case and see what they say. Sorry mate, wish I was more skilled with smb appliances...

Best,

Andy

Re: Site to Site IPsec VPN with Strongswan

ANANTADSULE — Fri, 04 Oct 2024 11:34:40 GMT

Dear all,

I have opened case ID 6-0004079065 with TAC & hope for quicker resolution.

I also request you all the experts and checkpoint team to support in this issue.

Thanks Andy for your valuable time.

Your help is highly appreciated.

Re: Site to Site IPsec VPN with Strongswan

the_rock — Fri, 04 Oct 2024 18:06:57 GMT

Any time man, I am always happy to do remote. Please show TAC things we checked over zoom, I believe its important.

Best,

Andy