This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RKinsp
Contributor
‎2021-06-18 10:40 AM

Is it possible to deny an IPSEC Phase 2?

Hey guys,

We are having a site-to-site VPN issue. The remote end (Cisco Router) uses the same phase 2 selectors for multiple peers. On our side, the security gateway is accepting all Phase 2 selectors, regardless of what is configured in encryption domain.

Is it possible to have the security gateway reject phase 2 selectors that are not configured?

We are running R81 take 17.

Thanks in advance,

RK

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2021-06-18 01:10 PM

What precisely has been configured versus what has been proposed?

0 Kudos
RKinsp
Contributor
‎2021-06-18 01:33 PM
In response to PhoneBoy

Hi PhoneBoy,

The peer is a Cisco router and it is using a single configuration for two of our gateways, and it has two networks configured for their phase two remote (10.164.128.0  and 10.164.0.0). Their local network is 172.16.0.0.

We have two gateways, one is configured for local 10.164.128.0 and the other for 10.164.0.0. We are using separate VPN Communities. The issue is that both our gateways accept both incoming phase 2, although it is not specified in it's security domain.

I am worried this will affect the remote end's routing and wanted to deny the non-specified phase 2.

0 Kudos
Vladimir
Champion
Champion
‎2021-06-18 08:44 PM
In response to RKinsp

Maybe I am missing something, but in each community you are configuring member gateways, one of yours and one of theirs (where theirs is the same in both communities).

If you are on R80.40, you should be able to define VPN domain per VPN community on your side (in gateway's networking properties).

You then should be sending only relevant network to the peer for each connection.

0 Kudos
RKinsp
Contributor
‎2021-06-19 04:39 AM
In response to Vladimir

Hi Vladimir,

That is correct for outgoing connections. The security gateway only sends the domains we have. The issue is from what I have seem, incoming phase 2 is always accepted regardless of network, although encryption has to match.

This would not be a problem if the other side was using separate definitions on their router.

0 Kudos
Vladimir
Champion
Champion
‎2021-06-19 07:10 AM
In response to RKinsp

Have you try defining two Interoperable devices with the same IP for your peer and specifying a single network in the topology of each?

0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-19 08:40 AM
In response to Vladimir

I don’t think you can actually do that and have it work.
I think a TAC case may be in order here.

0 Kudos
the_rock
Legend
Legend
‎2021-06-20 11:51 AM

Personally, I never heard of any vendor be able to do so.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events