This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Olukayode_Adegb
Participant
‎2019-05-09 09:10 AM

IKEV2 With Cisco ASA

I have a pair of FW on Azure infrastructure. However, I'm not able to establish VPN using IKEV2 from the checkpoint FW to Cisco ASA.

Anyone set VPN up with Cisco ASA before using IKEv2?

 

Regards

Kayode

6 Replies
Vladimir
Champion
Champion
‎2019-05-09 04:00 PM

This really is not a lot to go on, but I believe I have done this in the past.

Take a look at this old thread in CPUG:

https://www.cpug.org/forums/showthread.php/21310-Issue-with-VPN-tunnel-between-Checkpoint-R77-30-and...

and see if anything there can be of use to troubleshoot.

Sean_Van_Loon
Contributor
‎2019-05-10 05:52 AM
In response to Vladimir

My experience with Cisco is that setting up a VPN tunnel is very difficult, because Cisco is very strict with it's configuration.

Most of the time you have a encryption domain mismatch, thus why I would recommend to request the CLI configuration of said Cisco ASA, which will show you how it is exactly configured.

My recommendation is to first configure a (Domain-based) VPN IPSec Tunnel

After that has been setup, see if the tunnel comes up by initiating traffic.

If not, perform an IKE debug and to read it with IKEVIEW (Check Point tool).

 

If it is a mismatch in encryption domains, you have to modify the user.def to specify exactly what should be negotiated.

 

The following SK's will help you with the troubleshooting: 

- Location of crypt.def: sk98241

- Location of user.def: sk98239

- Configure encryption domains to negotiate sk108600 - Scenario1

What information is required to troubleshoot the VPN related issues? sk40114

How to generate a valid VPN debug, IKE debug and FW Monitor: sk33327

- IKEView utility: sk30994

 

Hope this helps!

 

Kind regards,

 

Sean

 

Olukayode_Adegb
Participant
‎2019-05-10 07:53 AM

Hello Mate,

May thanks for your contribution.

Just to add more context to my question, on the checkpoint FW side, the requirement is to hide our internal LAN and so we’ve been asked to NAT to another Private Subnet so this can be advertised as VPN domain. This looks like Private to Private NAT. The traffic looks like this:

CHECKPOINT LAN (10.151.X.X)---->Private subnet (172.x.x.x/24)Public IP (52.X.X.X)------VPN(IKEv2)----->Public (208.X.X.X)Private subnet (207.x.x.x/24) ASA

Any suggestion on how to make this happen will be of great help.

 

Regards

HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-05-10 12:12 PM

Tip:

- use IKEv1

- use lower DH groups for example 5

- use main mode

- check first with PSK

- check same phase 1 and phase 2 settings

- check supernet issues

 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
MVP Platinum
MVP Platinum
‎2019-05-10 12:18 PM
In response to HeikoAnkenbrand

 

Or see this SK:

VPN Site-to-Site with 3rd party

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Sean_Van_Loon
Contributor
‎2019-05-14 01:22 AM
In response to HeikoAnkenbrand

I would recommend only lowering the DH group temporary, as this is actual one of the most important component in the IPSec VPN security.
As a best practice, it is now recommended to use DH 14 or higher.
The lower the DH group, the easier the keys can be cracked.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events