stelsyas
Explorer

Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

Good morning everyone,

 

I am setting up IPsec over the public Internet with many partners around the world. One of my partners uses a Cisco ASA, and there was a problem with that. Check Point sends the traffic selector 0.0.0.0. Cisco rejects the request and IPsec does not come up. Has anyone encountered such a problem?

 

I use a Check Point 1800 in a cluster.

 

Thanks!

12 Replies
PhoneBoy
Admin

Sounds like both ends disagree on what the encryption domain is and/or you've configured your end to establish a single tunnel for all traffic (0.0.0.0) and the other end isn't configured to accept this.

stelsyas
Explorer

Hi PhoneBoy! 

I need to configure a connection between the local network 185.xx.xx.xx/29 (my CP) and 91.xx.xx.xx/30 (Cisco).

I added the network 185.xx.xx.xx/29 under VPN -> Site to Site -> Advanced -> "Local encryption domain is defined manually"...

But in Phase 2 Check Point is sending the traffic selector 0.0.0.0/0. Other firewalls (pfSense, strongSwan, Huawei) accept it normally. The problem is only with the Cisco ASA.

_Val_
Admin
Admin

Can you show how you configured your VPN domain on CP side? The issue is, CP only sends 0.0.0.0/0 if the VPN domain is empty.

Vincent_Bacher
Advisor

And I thought it's defined in the tunnel management.

[image: cp-tunnel-management.png]

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
stelsyas
Explorer

Config on screenshots:

[image: 2.png]

[image: 1.png]
Vincent_Bacher
Advisor

If you configured the tunnel to select its proxy ID per pair of gateways, it will certainly send 0.0.0.0/0, which is expected behavior.
On the ASA side there should be something like this:

! Define the ACL for interesting traffic (matches the 0.0.0.0/0 selectors)
access-list VPN-Traffic extended permit ip any4 any4

! Bind the ACL and the peer to the crypto map entry
crypto map outside_map 10 match address VPN-Traffic
crypto map outside_map 10 set peer <Peer_IP_Address>

 

This is how I configured it a long time ago.
stelsyas
Explorer

IPsec comes up if I configure the following on the Cisco:
>>access-list VPN-Traffic extended permit ip any4 any4

But in this case, all traffic will be sent via IPsec.

the_rock
Legend

Just configure it as a permanent tunnel using VTIs and set the option @Vincent_Bacher advised in the community. I have done this many times and it works without any issues. If you need help, just ping me.

Andy

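As an added example (not from the thread, and not from Check Point's or Cisco's documentation), this is what the ASA side of the route-based setup described above can look like: an IKEv2-protected VTI, so the ASA is happy with the 0.0.0.0/0 selectors Check Point sends for a one-tunnel-per-gateway-pair tunnel, while a static route, rather than the crypto ACL, decides that only the partner's /29 is sent into the tunnel. The peer address, pre-shared key, tunnel addressing (169.254.1.0/30), object and profile names, and the partner prefix are placeholders; the cipher suite is an assumed reasonable choice and must match whatever the Check Point side offers.

```cisco
! --- Phase 1 (IKEv2 SA): assumed suite, must match the Check Point side ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! --- Phase 2 (child SA) proposal and the IPsec profile applied to the VTI ---
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

crypto ipsec profile CP-VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA256
 set pfs group14

! --- Peer authentication: <CP_peer_IP> and <PSK> are placeholders ---
tunnel-group <CP_peer_IP> type ipsec-l2l
tunnel-group <CP_peer_IP> ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>

! --- The VTI itself. A VTI negotiates 0.0.0.0/0 <-> 0.0.0.0/0 selectors,
!     which is exactly what a "one tunnel per gateway pair" peer sends.
!     169.254.1.0/30 is an assumed link-local tunnel subnet. ---
interface Tunnel1
 nameif CP-VTI
 ip address 169.254.1.2 255.255.255.252
 tunnel source interface outside
 tunnel destination <CP_peer_IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CP-VTI-PROFILE

! --- Routing, not the selector, limits what enters the tunnel:
!     only the partner's /29 (placeholder <CP_local_net>) is routed
!     via the VTI; everything else keeps its normal next hop. ---
route CP-VTI <CP_local_net> 255.255.255.248 169.254.1.1
```

Two things to check after applying it: `show crypto ikev2 sa` should list the peer with a single child SA carrying 0.0.0.0/0 on both sides, and `show route` should show only <CP_local_net> pointing at CP-VTI. Traffic arriving on the Tunnel1 interface is subject to the ACL applied to CP-VTI like any other interface, so the "everything would be sent through the tunnel" concern from the crypto-map ACL no longer applies, but an inbound ACL on CP-VTI is still the place to restrict what the partner may reach.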
Timothy_Hall
Legend

Just to clarify the "one tunnel per gateway pair" is sometimes called "double quad zeroes" or a "universal tunnel" by some vendors if it helps locate their proper documentation for this setup.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
the_rock
Legend

Super valid point... I know Fortinet calls it that all the time, not sure about Cisco, but it's probably the same thing.
Vincent_Bacher
Advisor

Interesting. I have configured masses of VPN tunnels on FortiGate devices and never heard that wording 😄
the_rock
Legend

Now you have 😉
