Hi,
We have a remote ASA site which is configured as a universal tunnel back to a Firepower, and we are looking to migrate the local core to Check Point.
I have set up the VTI successfully, and inbound negotiations from 10.xx.xx.0/24 to 0.0.0.0/0 were successful. However, the outbound Quick Mode is failing. The reason is that the Check Point is trying to negotiate a remote proxy-ID of 0.0.0.0/0, not the 10.x.x.0/24 defined in the topology of the interop.
Is there a way to force the Check Point to select the interop's actual topology, not universal?
Thanks
Jamie
Scenario 1 of sk108600: VPN Site-to-Site with 3rd party
Make sure to modify the correct user.def* file based on the GATEWAY's version as described here: sk98239 - Location of 'user.def' files on Security Management Server
Hi Timothy,
I tried setting subnet_for_range_and_peer as 10.x.x.x/24 and unsetting the supernet flag, but it didn't help.
The problem isn't the Check Point's topology which is correctly 0/0, but the topology of the remote end which should be the /24. The Check Point doesn't propose to negotiate SA using that /24.
Thanks
Jamie
What version are you on? There are some settings in GuiDBedit related to this. I listed some below that might be relevant to your issue, which is pretty much what the SK Tim provided covers.
ike_enable_supernet
ike_p2_enable_supernet_from_R80.20
ike_use_largest_possible_subnet
Technically, all those should be set to false, as otherwise it would make CP send the largest subnet, regardless of whether that's what you want or not.
Andy
Does your custom subnet per peer definition show up in command fw tab -t subnet_for_range_and_peer when run on the gateway? If not you didn't modify the correct user.def* file for your gateway version.
If you are using at least R80.40 on your SMS you are able to precisely customize the local and remote Proxy-IDs/VPN Domains being requested by the Check Point on the Gateways screen of the VPN Community, and this will still work on gateways older than R80.40 as long as you have at least R80.40 on your SMS.
Hi all,
Firewall and manager are R81. user.def.FW1 is the file I edited, and the range is shown:
```
localhost:
-------- subnet_for_range_and_peer --------
static, id 540
<cb00713a, 0a1fef00, 0a1fefff; ffffff00>
```
In the community settings I set ike_p2_enable_supernet_from_R80.20 to false.
I changed global ike_use_largest_possible_subnets to false and pushed policy, but still failing. My test Juniper firewall shows:
```
Traffic-selector mismatch, vpn name: CHECKPOINT-VTI, Peer Proposed traffic-selector local-ip: ipv4(0.0.0.0-255.255.255.255), Peer Proposed traffic-selector remote-ip: ipv4(0.0.0.0-255.255.255.255)
```
Here's the globals before I edited the supernet:
There must be something else I'm missing but I can't see what.
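The two checks raised in the thread (does the custom entry show up in `fw tab -t subnet_for_range_and_peer`, and is the gateway actually proposing that subnet in Quick Mode) as an added example, not part of the thread and not Check Point tooling. It decodes the hex tuple from the fw tab output quoted above and compares the resulting subnet with the traffic selectors the Juniper logged. Two assumptions are built in: the first hex word is the peer and the next two are the range (inferred from the values, 0a1fef00-0a1fefff under mask ffffff00; the peer address 203.0.113.58 is simply what cb00713a decodes to), and Junos prints selectors from its own side, so its "local-ip" is the remote proxy-ID the Check Point proposed. The sample strings are constructed from the post.

```python
"""Decode `fw tab -t subnet_for_range_and_peer` output and check it against the
selectors a Junos peer logged. Added example; not Check Point code."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the fw tab output quoted in the thread.
SAMPLE_FW_TAB = """\
localhost:
-------- subnet_for_range_and_peer --------
static, id 540
<cb00713a, 0a1fef00, 0a1fefff; ffffff00>
"""

# Constructed sample: the Junos log line quoted in the thread.
SAMPLE_JUNOS_LOG = (
    "Traffic-selector mismatch, vpn name: CHECKPOINT-VTI, "
    "Peer Proposed traffic-selector local-ip: ipv4(0.0.0.0-255.255.255.255), "
    "Peer Proposed traffic-selector remote-ip: ipv4(0.0.0.0-255.255.255.255)"
)

# Assumption: each table entry is <peer, range_first, range_last; mask>, with
# every field an 8-hex-digit big-endian IPv4 word.
ENTRY_RE = re.compile(
    r"<([0-9a-f]{8}),\s*([0-9a-f]{8}),\s*([0-9a-f]{8});\s*([0-9a-f]{8})>", re.I)
SELECTOR_RE = re.compile(
    r"(local|remote)-ip:\s*ipv4\((\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)\)")


@dataclass(frozen=True)
class SubnetForPeer:
    peer: ipaddress.IPv4Address
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    mask: ipaddress.IPv4Address


def hex_word_to_ip(word: str) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(int(word, 16))


def parse_fw_tab(text: str) -> list[SubnetForPeer]:
    """All entries in the table dump, decoded to dotted addresses."""
    return [SubnetForPeer(*(hex_word_to_ip(w) for w in m.groups()))
            for m in ENTRY_RE.finditer(text)]


def entry_network(entry: SubnetForPeer) -> ipaddress.IPv4Network:
    """The subnet this entry tells the gateway to propose for its peer.
    Raises ValueError when first/last/mask do not describe one exact subnet
    (a misaligned range is a common typo in user.def)."""
    net = ipaddress.IPv4Network((int(entry.first), str(entry.mask)), strict=True)
    if entry.last != net.broadcast_address:
        raise ValueError(
            f"range ends at {entry.last}, but {net} ends at {net.broadcast_address}")
    return net


def parse_selectors(log_line: str) -> dict[str, ipaddress.IPv4Network]:
    """Peer-proposed selectors from a Junos 'Traffic-selector mismatch' line,
    converted from the printed address ranges to networks."""
    out = {}
    for side, lo, hi in SELECTOR_RE.findall(log_line):
        nets = list(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
        if len(nets) != 1:
            raise ValueError(f"{side}-ip {lo}-{hi} is not a single subnet")
        out[side] = nets[0]
    return out


def diagnose(fw_tab_text: str, peer: str, log_line: str) -> list[str]:
    """Findings for one peer; an empty list means the gateway proposed exactly
    the subnet the table holds for that peer."""
    peer_ip = ipaddress.IPv4Address(peer)
    entries = [e for e in parse_fw_tab(fw_tab_text) if e.peer == peer_ip]
    if not entries:
        return [f"no subnet_for_range_and_peer entry for {peer}: "
                "wrong user.def* file for this gateway version, or policy not installed"]
    # Assumption: Junos logs selectors from its own side, so its "local-ip" is
    # the remote proxy-ID the Check Point proposed for the Junos side.
    proposed = parse_selectors(log_line).get("local")
    findings = []
    for entry in entries:
        try:
            configured = entry_network(entry)
        except ValueError as err:
            findings.append(f"entry for {peer} is not a clean subnet: {err}")
            continue
        if proposed != configured:
            findings.append(
                f"gateway proposed {proposed} as remote proxy-ID for {peer}; "
                f"table says {configured} (supernet/largest-subnet still in effect)")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_FW_TAB, "203.0.113.58", SAMPLE_JUNOS_LOG):
        print(line)
```

With the thread's own strings this reports that the table entry is present and well formed (10.31.239.0/24 for peer 203.0.113.58) while the proposed remote proxy-ID is still 0.0.0.0/0, which separates a user.def placement problem (no entry at all) from a supernet or largest-subnet setting that is still overriding the entry.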