Checkpoint to ASA VPN traffic selection issue
Hi all,
Have a 5800 R80.40 to an ASA 9.6 VPN trying to get up.
Scenario is,
ASA LAN server A to Checkpoint LAN server B
On the checkpoint, ASA LAN server A source is being translated to server C IP. server B gets no nat/original.
Since this is transparent to the ASA, on the ASA the no nat rule says server A and B get no nat.
When initiating traffic on the Cisco side, the ASA debugs make it seem Phase 1 is OK as far as the crypto and PSK.
The Cisco debug shows that the correct DH group has been negotiated, NAT-T is in use on 4500, the PSK has been sent and ESP encapsulation is going on.
Then the ASA sends the traffic selector for the correct source (server A) to destination (server B), resends a few times and times out.
On the Checkpoint side, it shows as UP at Phase 1, but shows this error.
IKEv2 [NAT-T (IPv4)
auth exchange: sending notification to peer: traffic selectors unacceptable
MyTSi MyTSr:
<has the public IP of the ASA>
<224.0.0.0 - 224.0.0.255>
Peer TSi:
Peer TSr:
<server B IP address>
Do not know why the Checkpoint is picking the "public outside" interface IP of the ASA firewall.
Does anyone have any ideas?
Accepted Solutions
See sk108600: VPN Site-to-Site with 3rd party and sk157473: Site to Site using IKEv2 fails with "None of the traffic selectors match the connection"
Hey, G_W_Albrecht, thank you, it helped me.
I've just changed the Tunnel Mode of the VPN Community from "One Tunnel Per Subnet Pair" to "One Tunnel Per Gateway Pair" and all worked; thank you again for posting sk157473.
Best.
Thanks for the links. I had read them before, but didn't see anything exact to my scenario, but will try a few of the things in them.
I had read an article a while ago that mentioned the traffic selection on the Checkpoint side being the ASA firewall's interface rather than the IP of the server in the VPN domain, but cannot find that article again.
On the ASA side, I see the traffic selector correct: server A IP permit any to server B IP.
But on the Checkpoint this error, where instead of the IP of server A, it is the IP of the ASA interface and 224.0.0.0-224.0.0.255:
What does 224.0.0.0-224.0.0.255 mean?
IKEv2 [NAT-T (IPv4)
auth exchange: sending notification to peer: traffic selectors unacceptable
MyTSi MyTSr:
<has the public IP of the ASA>
<224.0.0.0 - 224.0.0.255>
Peer TSi:
Peer TSr:
<server B IP address>
Thanks!
That helped me configure a site-to-site VPN with a Fortigate on the peer side with the same errors in the log!
Christian
