topic Re: 1800 SMB devices and site to site VPN in Spark Firewall (SMB)

1800 SMB devices and site to site VPN

Nima_Chogyal — Thu, 17 Nov 2022 06:23:33 GMT

I have a customer that has 4 1800 SMB appliances which is integrated with their existing Enterprise management software. They have 4 gws with site to site VPN configured.Recently,they have been facing alot of issues with their VPN connection after they migrated to the new appliances. I had raised several cases with checkpoint support and they have not been able to pin point the issue as well. It just works sometimes and then it stops working(Usually after policy installation). Checkpoint TAC support has not been able to solve the issue after countless escalation of the cases aswell. After hours of troubleshooting it just starts to work again and then we dont make changes to the gws anymore. We have done a VPN debug aswell but it has not proved fruitful.

When the gws first started to show errors with VPN i did the following to solve it:

1.Followed sk102712 to make the change about firewalls
2. on the firewall side, changed $FWDIR/conf/masters
with management IP address

The two steps above solved my VPN issue for awhile. After a few months, although the symptoms of the VPN issue was the same, the above steps didnt help me at all. So the only immediate solution for me was to make one of the gws(downtime cannot be tolerated during office hours) in standalone mode.

The customer has been complaining that he wants the standalone gw to be integrated to the management aswell so last night when i tried to install the policy, it fails midway. Funny thing is that, policy is installed(Access policy only)VPN is up,i can ping the management server's ip address from the gw and all the internal services but in the smart console it shows "connection is lost"for that specific gw, although i can ping,etc to the management server from that gw. I cant make further changes to the gw.

Note that the policy is any any accept.

So i read an SK on r81.10.x and SMB devices are supposed to work like a enterprise gateway as it inherits the code base from r81.10 GA version from enterprise appliances. So, will upgrading my management software and the gws to R81.10 help me solve this issue? Because all the configuration on the management server was working fine with the 4000 series appliances.

Would highly appreciate it if a SMB specialist could advice me on this.

Re: 1800 SMB devices and site to site VPN

G_W_Albrecht — Thu, 17 Nov 2022 07:57:16 GMT

Many things are different with SMB, so it could well be that the same config had worked well with 4000.

Re: 1800 SMB devices and site to site VPN

Dafna — Thu, 17 Nov 2022 11:35:10 GMT

Hi,

My name is Dafna, I'm a team leader in the SMB area.

R81.10 is now available for EA. You can join our EA and upgrade your GW to R81.10.

R81.10 contains many fixes which are relevant for VPN.

Please contact me via mail to continue the process.

Thanks,

Dafna dafnam@checkpoint,com

Thanks,

Dafna

Re: 1800 SMB devices and site to site VPN

G_W_Albrecht — Thu, 17 Nov 2022 12:02:17 GMT

You speak of R81.10.05 for centrally managed appliances ?

Re: 1800 SMB devices and site to site VPN

Dafna — Thu, 17 Nov 2022 13:48:13 GMT

R81.10.00

Re: 1800 SMB devices and site to site VPN

RS_Daniel — Thu, 17 Nov 2022 14:35:57 GMT

Hello,

Without some more details i am not sure what can be wrong exactly, some captures, logs, drops would be needed. Just guessing, try to the fw ctl zdebug drop filtering by the peer public ip address, check if you have drops like these:

dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;

If you see that try excluding IPsec, Ike and NAT-T services from encryption in your vpn community object. In a past case for a 1800 centrally managed (like yours) vpn had outages from time to time, during the problem the firewall tried to encrypt the negotiation traffic, TAC could not explain why but the exclusion solved the problem. HTH.

Regards

Re: 1800 SMB devices and site to site VPN

Nima_Chogyal — Thu, 17 Nov 2022 14:48:23 GMT

Dear Daniel,

Once i push the policy to the gws, all the gws lose connection to the management server and i cant make any more changes to it. I have to literally remove ike SA's from the gws and unload the policy to make it reachable. Is there a SK that i could use to exclude NAT-T and ike services from encryption?

Re: 1800 SMB devices and site to site VPN

Nima_Chogyal — Thu, 17 Nov 2022 14:53:09 GMT

Hi Dafna,

I will send you an email to join the EA program. Thank you very much.

regards,

Nima

Re: 1800 SMB devices and site to site VPN

RS_Daniel — Thu, 17 Nov 2022 15:16:12 GMT

Hello,

To exclude services from encryption configure the vpn community as per the image below:

I think you lose connection between the management and the gateways because of the vpn problem. I usually exclude the public IP address of all the gateways from encryption so management does not need the vpn to be up. To do this, edit the crypt.def file adding all the public ip address from gateways as dst, you can check sk108600 scenario 3 for reference, it would see something like this:

#ifndef IPV6_FLAVOR
#define NON_VPN_TRAFFIC_RULES (
dst=Destination_IPv4_address_1 or \
dst=Destination_IPv4_address_2 or \
dst=Destination_IPv4_address_3 or \
dst=Destination_IPv4_address_4 \
)
#else
#define NON_VPN_TRAFFIC_RULES 0
#endif

The correct crypt.def file depends on the version of management an gateways, for example for a R81.10 management and 1800 gateways, the file is /opt/CPSFWR80CMP-R81.10/lib/crypt.def, you can check the admin guide of management for reference.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SecurityManagement_AdminGuide/Topics-SECMG/Configuring_Implied_Rules_or_Kernel_Tables_for_Security_Gateways_crypt.def.htm?Highlight=crypt.def

Regards

Re: 1800 SMB devices and site to site VPN

RS_Daniel — Thu, 17 Nov 2022 15:18:12 GMT