Help on multiple IPSEC local domains configuration

Checkpoint_CMLi · ‎2017-11-28

Hello to all.

This is my first post on this community groups, I help on the daily management of a VSX cluster R77.30 Checkpoint installation, with virtual Blades. I never used Checkpoint before (but used lot of other FWs) so even after 2 years making some admin on this I still have LOTS of questions on my head about this solution. I dont have any formal training on CP and unfortunately it looks like my "boss" doenst care too much about it, so i will try to post my first questions here looking for someone to give me some light on the problems

We have setup multiple IPSEC site-to-site VPN tunnels. five (5) in this moment but will increase sooner or latter. We are struggling with problems regarding the local domains configurations. As each each tunnel needs some configuration that its different from the others, in the end we must have multiple local domains working. Sometimes we need fully different networks, and other times need some networks that are subnets from anothers.

As I can have just one local domain in a gateway VPN, I ve created a group and added the multiple networks that are needed to establish the tunnels to the multiple entities. This is causing erros in the IKE phases because, i think, sometimes the local networks doesnt match with the nets that the Peers are expecting.

The other problem that i will not talk for now is that i cant debug IPSEC via command line because I have lots of questions on this area too, and as of today I didnt find yet on our multiple blade plus management configuration where I shoudl enter the debug VPN mode and where to look for the logs.... i try to enter on all the blades and gateways and never find any ike logs.

Ive already been told that maybe i wiil have do edit some filesystem files and configure that the multiple local domains a need for each VPN connection. But i cant find nothing on this matter googling around. As if no one had this kind of needs!

I am thinking also, and that is an idea od mine, if one other possible solution could be creating adicional gateways just for taking care of a VPN connection. one gateway for each IPSEC tunnel, so i can have non coincident local domains because each gateway would have its own configurations.

Sorry I am a Noob on all this and i need to find a solution because the number os IPSECS will increase sooner and this problem will then get worst in each VPN increment!

Regards,

Luis Neves

PhoneBoy · ‎2017-11-29

For general VPN debugging, I would start here: Debugging Site-to-Site VPN

For general guidance on VPNs with third parties, start here: VPN Site-to-Site with 3rd party

Checkpoint_CMLi · ‎2017-11-30

Thank you for the links Daemon.

I think my problem is not related to supernetting (and Ive disabled that feature today following the instructions on one of the links you sent) but because when in the IKE phases, our checkpoint send all local domains to the all the peers, and some peers are not expecting so much subnets on the negociation. But i cannot find any solution to this anywhere.

How to send only the subnets one of the peers are configured and expecting for?? and just those,not all of them that are on my local domains group

Luis

Timothy_Hall · ‎2017-11-30

The solution you seek is in the "Scenario 1 - Wrong IPsec IDs are negotiated during IKE Quick Mode" section of sk108600 that Phoneboy already posted.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Checkpoint_CMLi · ‎2017-12-04

I found the user.def filename using the sk98239 nomenclature, Ive modified the file and added the relevant gateways and address data to the subnet_for_range_and_peer config. saved and re-applied the policies via smartdashboard but nothing changed.

Then i tried to run

fw tab -t subnet_for_range_and_peer

and it says
"Local host is not a FireWall-1 module"

Ive did also

fwcml1:0> show version all
Product version Check Point Gaia R77.30
OS build 204
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit

I think i am not doing the editing in the right place, or maybe I dont have the necessary rights to do it?
I ve entered into VSX cluster and changed context to the VPN gateway (set virtual-system 2). Then created the file $FWDIR/conf/user.def.FW1

Is this file to be created on the VSX cluster, on the managment host or on the VPN Virtual system?

Luis

PhoneBoy · ‎2017-12-04

.def files need to be edited on the management.

If you’re using Multi-Domain, they need to be edited in the domain context.

Which means using the following command before editing: msdenv domain_name

Also after you edit .def files, you need to do a policy install to the relevant gateways.

fw tab commands are run on the VSX Gateway.

Checkpoint_CMLi · ‎2017-12-05

Dameon Welch Abernathy wrote:
.def files need to be edited on the management.
If you’re using Multi-Domain, they need to be edited in the domain context.
Which means using the following command before editing: msdenv domain_name
Also after you edit .def files, you need to do a policy install to the relevant gateways.

fw tab commands are run on the VSX Gateway.

Thanks for replying,

No, we dont have multi domains here, and I am feeling kind of "locked" because I cant use any commands in any machine besides management. any command returns nothing even on expert mode

I presume that any Virtual System Cluster that we have IS a firewall as their ACLs are managed via smartconsole. I try to enter via ssh on each of then and dont have a prompt for any SSH or telnet session. So i enter on the cluster machines (via VIP ou via their IPs) and use the "set virtual-system" command to change context to one of the Firewall virtual machines. After that, nothing, I cant do nothing.

for example:

ssh user@10.14.x.y ( one of the two cluster members)

[Expert@fwcml1:0]#
[Expert@fwcml1:0]# clish
fwcml1:0> ##########################   after clish command I am still on expert mode??)
fwcml1:0> show virtual-system all
Virtual systems list
VS ID       VS NAME
0           0
1           fwcml1_fwvscml01          fw
2           fwcml1_fwvscml02           <---- fw and vpn IPSEC machine
3           fwcml1_fwvswcml           fw
4           fwcml1_fwvscml03          fw
5           fwcml1_fwvscml04          fw

fwcml1:0> set virtual-system 2
Context is set to vsid 2
fwcml1:2>

fwcml1:2> cpview
fwcml1:2> ################################# nothing?

fwcml1:2> cpstat fw
fwcml1:2> ################################## nothing??

|fwcml1:2> expert
Enter expert password:
Wrong password. ########################## I made on purpose just for testing

fwcml1:2> expert
Enter expert password:

Warning! All configuration should be done through clish
You are in expert mode now.

fwcml1:2> ############### Am I on expert mode? why theres no "expert" prompt?

fwcml1:2> cpstat
fwcml1:2> cpview
fwcml1:2>

So, is this normal? Why no return from commands? What I am missing here? I cannot do anything relating my original VPN problem this way, I am really on "expert" mode?

sorry for such basic questions but I am locked here and cant progress to useful stuff, because of my bad knowledge on this

PhoneBoy · ‎2017-12-05

Expert mode allows you to escape from clish to the regular Linux shell.

It seems your default shell is not clish, which basically means you log into Expert mode

You can exit clish in this case (and back to expert mode) with the command exit.

Checkpoint_CMLi · ‎2017-12-05

I ve changed the shell to bash.

Theres no concept of "Expert" mode in clish? if I am in expert in bash, like it seems I am, and I enter clish, do I have all the permissions to do anything? If positive, why the clish commands I do returns nothing at all? Its because Im not in the right "machine" or something else?

Luis

PhoneBoy · ‎2017-12-06

If your default shell is bash, you are already in expert mode.

When to go to clish, you are not in expert mode and a different set of commands are available.

Some commands do not work in clish, but only in expert mode.

In your above example, it appears your attempt to go into expert mode from clish failed for some reason.

However, if you type exit, like I suggested before, you will drop back to bash (i.e. expert mode).

Checkpoint_CMLi · ‎2017-12-06

see this another example:

ssh to management machine

[Expert@fwmgm:0]# vsx stat -v
VSX is not supported on this platform

ssh to cluster IP (VIP) or on a blade real IP

[Expert@fwcml1:0]# vsx stat -v
-bash: vsx: command not found

Checkpoint_CMLi · ‎2017-12-11

I think I am closer to my problem. I looks that I have to source the CP environment, using this

source /etc/profile.d/vsenv.sh or . /etc/profile.d/vsenv.sh

but it returns

-bash: /etc/profile.d/vsenv.sh: Permission denied

the permissions on /etc/profile.d are like this

180246 4 drwxr-xr-x 2 admin root 4096 May 18 2014 .
180225 12 drwxr-xr-x 47 admin root 12288 Nov 30 14:49 ..
180681 4 -rwxr-xr-x 1 admin root   103 Oct 22 2014 CP.csh
180680 4 -rwxr-xr-x 1 admin root    90 Oct 22 2014 CP.sh
180599 4 -rwxr-xr-x 1 admin root 3017 Mar 11 2015 lang.csh
180600 4 -rwxr-xr-x 1 admin root 3219 Mar 11 2015 lang.sh
180390 4 -rwxr-xr-x 1 admin root   122 Dec 21 2007 less.csh
180392 4 -rwxr-xr-x 1 admin root   108 Dec 21 2007 less.sh
180966 4 -rwxr-xr-x 1 admin root    97 Nov 6 2012 vim.csh
180967 4 -rwxr-xr-x 1 admin root   293 Nov 6 2012 vim.sh
180716 4 -rwxrwx--- 1 admin root 2368 Oct 22 2015 vsenv.sh
180594 4 -rwxr-xr-x 1 admin root   170 Dec 11 2007 which-2.sh

so, how can I use this commands? this thing is driving me mad, Its like I am the only one having this problem in this world.

Have an Expert prompt and now how to gain permissions to execute local commands?

Luis

PhoneBoy · ‎2017-12-11

What this suggests to me is that you are logging in as a monitor-level user.

An admin-level user would be able to execute that script (based on permissions).

Why that profile script is restricted to admin-level users, I’m not sure.

Checkpoint_CMLi · ‎2017-12-12

Will try to find that out, I ve already checked "my" roles sometime ago, and didnt find anything alarming, I think, but will go deeper now in that direction

Checkpoint_CMLi · ‎2017-12-12

Created another user with admin permissions and now I can give all commands again Will return to my original problem now, at last!

Checkpoint_CMLi · ‎2017-12-14

Hi, returning to my original question, and resumind again my problem:

We have a working IPSEC connection to an AZURE site, that gave a LOOOOT of headaches to configure
for that tunnel we had to create on the CP gateway a local encryption domain with a single network, for ex 10.0.0.0

the problem is that we use that same CP gateway for other tunnels, other clients, and they need to access other networks besides 10.0.0.0.
the problem is that, as soon I add a new network to the CP local encryption domain (for ex, the 172.16.0.0 one) , the tunnel to AZURE breaks and no longer encrypts traffic destined to AZURE.

I cant find the cause, Ive tried do debug IKE phases but cant even see the new networks being mentioned on the negotiations, so I presume they (172.16.0.0 and others) are not affecting the ike phases.

Ive already tyied configuring the subnet_for_range_and_peer seeting in the user.def.xxx file, but it didnt made any effect. Its like they were doing nothing at all.

So in respect of this I ve got some new questions:

1. this "subnet_for_range_and_peer configuration" is regarding the networks *ON* the REMOTE peers OR the local networks that should be encrypted *TO* the remote peers?, because I presumed it was the second option: MY networks that should go to the remote peer...

2. If using "subnet_for_range_and_peer configuration", what should I do in smartconsole, local gateway settings ->Topology -> local domains? Should be empty, or let it stay as it is, filled with my local networks? They will not override the "subnet_for_range_and_peer" settings?

if 1 and 2 doesnt work, as it looks in my case, how users normaly deal with such situations where they have multiple clients and multiple encryption networks to send to them?? using NAT? But using NAT will cause a really big "administrative overload" as normally the comms are bi-directional and theres lots of machines involved so we have to tune the rules to all of them one-by-one....

PhoneBoy · ‎2017-12-14

The subnet_for_range_and_peer configuration relates to your local networks and how they are represented to the relevant peer.

Note that when you make changes to user.def and similar files, you have to perform a policy installation on the relevant gateways.

You should see the SAs being negotiated differently as a result of these changes when doing the various IKE debugs.

It might also be worth opening a ticket with the TAC to have them help you with this as well.

Contact Support | Check Point Software

Brianpiraty_Ale · ‎2018-06-29

is there any other option if I have two subnets in the encryption domain say 20.x.x.x and 168.x.x.x , without making changes on user.def file to use the one tunnel per subnet?

PhoneBoy · ‎2018-06-29

If the changes to user.def aren't working I suggest engaging with the TAC like I suggested earlier.

Are you a member of CheckMates?

Help on multiple IPSEC local domains configuration