VPN with 3rdparty
Hello community,
I have an issue with my IPsec VPN configuration with a 3rd party (Juniper); let me explain:
I created a VPN between my cluster (R80.40) and a remote Juniper gateway.
Traffic from the Juniper side to the network behind my cluster CP is OK.
Traffic from my network to the remote network is KO.
The configuration of my VPN domain: local 10.167.52.0/24 and remote 10.167.200.0/24.
The same proxy IDs are configured on the Juniper side.
Tunnel management: one VPN tunnel per subnet pair.
When investigating I find that IKE P2 is KO (CP to Juniper).
On the Juniper: IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range
On the CP: Child SA exchange: Received notification from peer: Traffic selectors unacceptable MyTSi: <10.167.0.0 - 10.167.255.255> MyTSr: <10.167.200.0 - 10.167.200.255>
This is due to supernetting, I assume. I made the changes as described in another discussion:
GuiDBedit values to change to FALSE:
ike_enable_supernet
ike_p2_enable_supernet_from_R80.20
ike_use_largest_possible_subnets
But my CP gateway still sends /16 instead of /24.
Can someone help with this?
Did you install policy after making those guidbedit changes?
Andy
Yes, I saved, then installed the policy.
I also tried to force the /24 via user.def.fw1 but it is still KO.
So I rolled back the user.def.fw1.
Is there any NATting inside the community?
NAT-T is enabled. This is necessary on the Juniper side.
How are you clearing your VPN between attempts/changes?
Which Jumbo take is present on these systems?
Note R80.40 will be EOL next month.
Makes sense, I heard that about Juniper before. Hey, is this enabled or not on the CP side inside the VPN community settings?
Andy
I would do a quick debug on the CP side to see what it shows. Get the iked and vpnd files from the $FWDIR/log dir and run vpn iked calculate peer_ip_address to see which iked files are relevant.
vpn debug trunc
vpn debug ikeon
- try to generate some traffic
vpn debug ikeoff
Best,
Andy
Please, what do you mean by "run vpn iked calculate"?
What I mean is this.
Andy
[Expert@cpazurecluster1:0]# vpn iked calculate 20.151.89.116
vpn: Address 20.151.89.116 is handled by IKED 0
[Expert@cpazurecluster1:0]#
And what the above means is that when you run the debug, you ONLY care about the iked0 files.
I tried running the command in expert mode but it returns:
Unknown command « iked »
Just type vpn from expert mode and see if iked shows up in the menu, as below:
[Expert@cpazurecluster1:0]# vpn
Usage:
vpn debug ... # print debug msgs to VPN log files
vpn iked # various 'iked' related commands
vpn cccd # various 'cccd' related commands
vpn crl_zap # erase all CRLs from cache
vpn drv ... # attach vpn driver to fw driver and more
vpn ver [-k] # display VPN version
vpn crlview ... # debugging tool for CRLs
vpn compstat # display compression/decompression statistics
vpn compreset # reset compression/decompression statistics
vpn macutil [user_name] # display generated MAC address by username or
# DN from arg or stdin (also: vpn mu)
vpn tunnelutil # launch TunnelUtil tool to control
# VPN Tunnels (also: vpn tu)
vpn nssm_topology ... # generate topology in NSSM format for
# Nokia clients
vpn rll dump fileName/sync # Route Lookup Layer: Dump DB
# Sync DB
vpn overlap_encdom ... # Display overlapping encryption domains
vpn dll dump fileName # DNS Lookup Layer: Dump DB
vpn dll resolve [hostname] # Request Resolve
vpn 3rd_party_mep #
vpn ipafile_check filename [level] # Verify candidate for ipassignment.conf
vpn set_slim_server ... # Starting/stopping the slim web server
vpn set_snx_encdom_groups ... # enabling/disabling the encryption domain
# per usergroup feature for snx
vpn mep_refresh # Initiate MEP re-decision in case of
# backup stickiness configuration
vpn rim_cleanup # Clean RIM routes
vpn shell ... # Command Line Interface
vpn set_trac disable/enable # Starting/Stopping trac server
vpn neo_proto [on/off] # switching neo client protocol
vpn show_tcpt # show visitor mode users
vpn check_ttm # Check if a ttm file is valid
vpn dump_psk # dump hash (SHA256) of peers pre-shared-keys
vpn snx_unban # Reset the failed login attempt history of a client IP address
[Expert@cpazurecluster1:0]#
There is no iked option with the vpn command.
Thank you.
Ok, no worries. Let's do a remote session if you are allowed; I think we can figure this out.
If yes, just DM me and I can send you a Zoom.
Andy
Thank you the-rock, but I can use remote, company restriction.
If I disable NAT on CP, is it necessary to do the same on the Juniper?
Correct.
Attention, quoting from Important security update - stay protected against VPN Information Disclosure (CVE-2024-24919)
In R81.10 we added a feature to improve VPN performance - named CCCD
This feature is disabled by default, and we know about a few advanced customers who are using it.
Customers who enable CCCD are still vulnerable to CVE-2024-24919 even after installing the Hotfix!
YOU MUST DISABLE CCCD TO BECOME PROTECTED!
Instructions below and also on SK182336:
Run the command: vpn cccd status
The expected output is: vpn: 'cccd' is disabled
If the output differs, stop the CCCD process by running the vpn cccd disable command.
More info by the link above.
Traffic selectors proposed to a Juniper must match precisely; it will not accept a subset. However, the Check Point will accept a subset if the Juniper proposes it, which is why the Juniper can bring the tunnel up, but if the Check Point is the initiator it cannot.
Make sure "disable NAT in VPN Community" is set, as the_rock mentioned.
The GuiDBedit largest_possible_subnet and user.def hacks are no longer needed, as you can now set precise VPN domains per VPN Community. I'm pretty sure this capability was added in R80.40, which is the release you are using. On the VPN Community screen shown below, override the VPN Domain "IP addresses based on object topology" setting for both community members like this:
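As an added example (not code from the thread, Check Point or Juniper), the following Python script does what the original poster and the reply above describe by hand: it parses the address ranges in a Check Point "Traffic selectors unacceptable" line into CIDR blocks, compares each proposed selector with the VPN domain that was intended (10.167.52.0/24 local, 10.167.200.0/24 remote, as stated in the first post), and models the two responder behaviours the thread contrasts: a strict responder that only accepts an exact match (the Juniper) and a responder that narrows the proposal to its own selector, which RFC 7296 section 2.9 permits and which the reply above attributes to Check Point. The sample log line is constructed to carry the same addresses as the thread's message; the accept/reject model is a simplification for diagnosis, not a reproduction of either vendor's code.

```python
import ipaddress
import re

# Constructed sample input, modelled on the Check Point message quoted in the
# thread (same addresses, assembled here for the example).
CP_LOG_LINE = (
    "Child SA exchange: Received notification from peer: Traffic selectors "
    "unacceptable MyTSi: <10.167.0.0 - 10.167.255.255> "
    "MyTSr: <10.167.200.0 - 10.167.200.255>"
)

# The VPN domain / proxy IDs both sides are supposed to use (from the thread).
LOCAL_DOMAIN = "10.167.52.0/24"
REMOTE_DOMAIN = "10.167.200.0/24"

# Matches "MyTSi: <a.b.c.d - e.f.g.h>" and the MyTSr counterpart.
TS_RE = re.compile(r"My(TSi|TSr):\s*<\s*([\d.]+)\s*-\s*([\d.]+)\s*>")


def _net(value):
    """Accept either a CIDR string or an ipaddress network object."""
    if isinstance(value, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return value
    return ipaddress.ip_network(value, strict=False)


def parse_cp_traffic_selectors(line):
    """Extract the MyTSi / MyTSr ranges from a Check Point 'Traffic selectors
    unacceptable' line and convert each range into the CIDR blocks it spans.
    A range that is not CIDR-aligned yields more than one block."""
    selectors = {}
    for name, low, high in TS_RE.findall(line):
        first, last = ipaddress.ip_address(low), ipaddress.ip_address(high)
        selectors[name] = list(ipaddress.summarize_address_range(first, last))
    return selectors


def compare_selector(proposed, configured):
    """Relate one proposed network to the configured (intended) network."""
    proposed, configured = _net(proposed), _net(configured)
    if proposed == configured:
        return "exact"
    if configured.subnet_of(proposed):
        return "supernet"   # proposal is wider than the configured domain
    if proposed.subnet_of(configured):
        return "subset"     # proposal is narrower than the configured domain
    if proposed.overlaps(configured):
        return "partial"
    return "disjoint"


def responder_accepts(proposed, configured, narrowing):
    """Model the two responder behaviours the thread describes (assumption:
    a simplified model, not vendor code).

    narrowing=False: a strict responder (the Juniper in the thread) accepts
    only a proposal identical to its configured selector.
    narrowing=True: a responder that narrows (RFC 7296 section 2.9) accepts
    an exact match, a narrower proposal, or an overlapping / wider one that it
    can narrow down to its own selector.
    """
    relation = compare_selector(proposed, configured)
    if relation == "exact":
        return True
    return bool(narrowing) and relation in ("subset", "supernet", "partial")


def diagnose(line, local_domain, remote_domain):
    """For each selector in the log line: the CIDR blocks proposed, how they
    relate to the intended domain, and whether each responder type accepts."""
    intended = {"TSi": _net(local_domain), "TSr": _net(remote_domain)}
    report = {}
    for name, nets in parse_cp_traffic_selectors(line).items():
        report[name] = [
            {
                "proposed": str(net),
                "intended": str(intended[name]),
                "relation": compare_selector(net, intended[name]),
                "strict_peer_accepts": responder_accepts(net, intended[name], False),
                "narrowing_peer_accepts": responder_accepts(net, intended[name], True),
            }
            for net in nets
        ]
    return report


if __name__ == "__main__":
    for name, entries in diagnose(CP_LOG_LINE, LOCAL_DOMAIN, REMOTE_DOMAIN).items():
        for e in entries:
            print(f"{name}: proposed {e['proposed']} vs intended {e['intended']}: "
                  f"{e['relation']}; strict peer accepts={e['strict_peer_accepts']}, "
                  f"narrowing peer accepts={e['narrowing_peer_accepts']}")
```

Run against the constructed line, the report shows the asymmetry the reply describes: the gateway's TSi comes out as 10.167.0.0/16, a supernet of the intended /24, which a strict peer rejects and a narrowing peer would accept, while TSr is an exact match. Swapping the roles (the Juniper proposing its /24 to a gateway whose domain came out as /16) yields "subset", which only the narrowing peer accepts, so the tunnel comes up in that direction only. Pasting a new log line into CP_LOG_LINE and the real domains into the two constants is enough to check whether a later change actually altered what the gateway proposes.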
Hello, I made all these changes but my CP gateway still sends /16 as MyTSi.
Can someone explain to me how the gateway obtains /16?
Thank you in advance.
Can you please send screenshots of the changes you made in GuiDBedit, as well as the community settings? Please blur out any sensitive info. Also, do the debug I mentioned last night.
vpn debug trunc
vpn debug ikeon
- try to generate some traffic
vpn debug ikeoff
Look for the iked and vpnd files in the $FWDIR/log dir.
Best,
Andy
When I run the command for the debug I have this message. I have other VPNs and they are working fine with the same configuration, no supernetting.
I can't figure out why the gateway still sends /16.
I would work with TAC on this; something does not look right. A remote session would be the way to go.
We will open a TAC case.
Thank you.
Yes, Juniper is very picky. My notes from troubleshooting this back in December:
"This issue happens on IKEv2 and IKEv1.
The network team in charge of the Juniper did provide me with this error:
- Dec 4 15:16:24 localpeer-eec-vsrx kmd[26736]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: remote, Peer Proposed traffic-selector local-ip: ipv4(icmp,2.4.2.2),ipv4(2.4.2.2), Peer Proposed traffic-selector remote-ip: ipv4(icmp,5.4.2.1),ipv4(5.4.2.1)
The above is the error message and for the traffic selector to work, the message should have looked something like this:
- Dec 4 15:16:24 localpeer-eec-vsrx kmd[26736]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: remote, Peer Proposed traffic-selector local-ip: ipv4(icmp,2.4.2.2), Peer Proposed traffic-selector remote-ip: ipv4(icmp,5.4.2.1)
Essentially when Check Point sends over a single host it does it in a range type format that the Juniper does not like and rejects it."
I did get bi-directional communication working using the user defined encryption setting with one VPN tunnel per Gateway pair tunnel sharing option. I hope this helps.
That's certainly something to try.
Hello all,
Today I changed the VPN community from star to mesh, and I put a /16 on the proxy ID on the Juniper. The tunnel worked and I can get traffic to the Juniper gateway, but after another policy install on CP, traffic is KO.
I begin to have messages like:
exchange timeout, preshared secret failed, ... while traffic from the Juniper to CP is OK.
Are you saying traffic now works one way? Did you try the option tunnel per gateway?
Andy
