topic Re: VPN IKE NAT Traversal Problems in Spark Firewall (SMB)

VPN IKE NAT Traversal Problems

Somethig_Di — Tue, 07 Dec 2021 10:08:52 GMT

Hello!

I'm testing and trying to create workable topology, when my Checkpoint 1530 firewall stands in front of the network with NAT WAN and behind it's the Cisco 800 which I need to do some a VLANs work, access-lists for the internal network etc. Also I do prefer to create a Site-to-Site VPN on it, because the Checkpoint 1530 doesn't have strong encryption methods, like only a DES method for IKE1 and IKE2.

So I configured the Main office and the Branch office Cisco on site-to-site ipsec (Screen). When I'm trying to ping the PC from Main Office to Branch (through Checkpoint) I have no problem: the tunnel opens and establish, packets reseived by Branch PCs. Logs showed me, that NAT-T on 1530 worked with no problemat this point.

But if I stop the ping proccess from the Main Office or when I try to ping PC from the Branch Office to the Main, the tunnel don't open, because Checkpoint catch packets with IKE proporsal, think, that Cisco from Branch Office trying to establish the tunnel with it. You can see it on my screenshoot named "Log".

So any ideas how can I skip an incoming VPN traffic through Checkpoint without it's accommodation?

Re: VPN IKE NAT Traversal Problems

_Val_ — Tue, 07 Dec 2021 10:38:35 GMT

> Checkpoint 1530 doesn't have strong encryption methods, like only a DES method for IKE1 and IKE2.

I am pretty sure this statement is totally false, unless you are in a country where encryption methods are limited, such as Russia or maybe China. Which version are you running on your SMB appliance?

Re: VPN IKE NAT Traversal Problems

Somethig_Di — Tue, 07 Dec 2021 11:35:13 GMT

It's a R80.20.01 and yes, it's Russia, but we doesn't have a problem with a DH group 2 or 5 in Cisco, for example. But Checkpoint give me only a group 1.

Also, if you ask me why I can't upgrade it - just because after upgrate I have several errors, with whom the support works, so thats why I need the working scheme with Cisco behind.

Re: VPN IKE NAT Traversal Problems

_Val_ — Tue, 07 Dec 2021 12:57:04 GMT

@Amir_Aliev can you please comment of SW here?

Re: VPN IKE NAT Traversal Problems

Amir_Aliev — Tue, 07 Dec 2021 15:36:35 GMT

Fresh install (not upgrade) to latest firmware with USB flash should resolve limited encryption issue.

Re: VPN IKE NAT Traversal Problems

Somethig_Di — Wed, 08 Dec 2021 06:26:11 GMT

Hello!

How can I do that? Where can I find a detailed manual or an instruction? All my current settings will erase?

Re: VPN IKE NAT Traversal Problems

_Val_ — Wed, 08 Dec 2021 10:17:40 GMT

All releases and documentation are available on the product page. For the config, if it is a locally managed appliance, save config file before re-imaging. The appliance will be reset to factory defaults, but you can apply the saved config during the first time wizard.