This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Olukayode_Adegb
Participant
‎2019-05-09 09:10 AM

IKEV2 With Cisco ASA

I have a pair of FW on Azure infrastructure. However, I'm not able to establish VPN using IKEV2 from the checkpoint FW to Cisco ASA.

Anyone set VPN up with Cisco ASA before using IKEv2?

 

Regards

Kayode

Reply
6 Replies
Vladimir
Champion
Champion
‎2019-05-09 04:00 PM

This really is not a lot to go on, but I believe I have done this in the past.

Take a look at this old thread in CPUG:

https://www.cpug.org/forums/showthread.php/21310-Issue-with-VPN-tunnel-between-Checkpoint-R77-30-and...

and see if anything there can be of use to troubleshoot.

Reply
Sean_Van_Loon
Contributor
‎2019-05-10 05:52 AM
In response to Vladimir

My experience with Cisco is that setting up a VPN tunnel is very difficult, because Cisco is very strict with it's configuration.

Most of the time you have a encryption domain mismatch, thus why I would recommend to request the CLI configuration of said Cisco ASA, which will show you how it is exactly configured.

My recommendation is to first configure a (Domain-based) VPN IPSec Tunnel

After that has been setup, see if the tunnel comes up by initiating traffic.

If not, perform an IKE debug and to read it with IKEVIEW (Check Point tool).

 

If it is a mismatch in encryption domains, you have to modify the user.def to specify exactly what should be negotiated.

 

The following SK's will help you with the troubleshooting: 

- Location of crypt.def: sk98241

- Location of user.def: sk98239

- Configure encryption domains to negotiate sk108600 - Scenario1

What information is required to troubleshoot the VPN related issues? sk40114

How to generate a valid VPN debug, IKE debug and FW Monitor: sk33327

- IKEView utility: sk30994

 

Hope this helps!

 

Kind regards,

 

Sean

 

Reply
Olukayode_Adegb
Participant
‎2019-05-10 07:53 AM

Hello Mate,

May thanks for your contribution.

Just to add more context to my question, on the checkpoint FW side, the requirement is to hide our internal LAN and so we’ve been asked to NAT to another Private Subnet so this can be advertised as VPN domain. This looks like Private to Private NAT. The traffic looks like this:

CHECKPOINT LAN (10.151.X.X)---->Private subnet (172.x.x.x/24)Public IP (52.X.X.X)------VPN(IKEv2)----->Public (208.X.X.X)Private subnet (207.x.x.x/24) ASA

Any suggestion on how to make this happen will be of great help.

 

Regards

Reply
HeikoAnkenbrand
Champion
Champion
‎2019-05-10 12:12 PM

Tip:

- use IKEv1

- use lower DH groups for example 5

- use main mode

- check first with PSK

- check same phase 1 and phase 2 settings

- check supernet issues

 

Reply
HeikoAnkenbrand
Champion
Champion
‎2019-05-10 12:18 PM
In response to HeikoAnkenbrand

 

Or see this SK:

VPN Site-to-Site with 3rd party

Reply
Sean_Van_Loon
Contributor
‎2019-05-14 01:22 AM
In response to HeikoAnkenbrand

I would recommend only lowering the DH group temporary, as this is actual one of the most important component in the IPSec VPN security.
As a best practice, it is now recommended to use DH 14 or higher.
The lower the DH group, the easier the keys can be cracked.
Reply