Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
SkipperNavy
Contributor

VPN with 3rdparty

Hello community,

i have an issue on my configuration of vpn ipsec with 3rd party ( juniper), let me explain:

i created a vpn betwenn my cluster ( R80.40) and a remote Juniper Gateway.

traffic from juniper side to network behind my cluster CP is ok.

traffic from my to network to remote network is KO.

the configuration of my VPN domain:   local 10.167.52.0/24 and remote 10.167.200.0/24

the same proxy id are configured on the juniper side.

tunnel management: one vpn tunnel per subnet pair

when investigating i find that ikep2 is ko ( CP to juniper)

on the juniper; IPSec negotiation failed with error: Peer proposed traffic-selectors are not in configured range

on the cp: Child SA exchange: Received notification from peer: Traffic selectors unacceptable MyTSi: <10.167.0.0 - 10.167.255.255> MyTSr: <10.167.200.0 - 10.167.200.255>

This is due to supernetting, i assume. i made change as described on other discussion:

Guidbedit values to change to FALSE:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

 

 

but my cp gateway still send /16 instead of /24

 

can someone help on this?

0 Kudos
26 Replies
the_rock
Legend
Legend

Did you install policy after making those guidbedit changes?

Andy

0 Kudos
SkipperNavy
Contributor

Yes, i saved, the installed the policy.

i also tried to force the /24 via user.def.fw1 but still ko.

so i roll back the user.def.fw1

0 Kudos
the_rock
Legend
Legend

Is there any natting inside the community?

0 Kudos
SkipperNavy
Contributor

Nat-t is enabled. This is necessary on juniper side.

0 Kudos
Chris_Atkinson
Employee Employee
Employee

How are you clearing your VPN between attempts/changes?

Which Jumbo take is present on these systems?

Note R80.40 will be EOL next month.

CCSM R77/R80/ELITE
0 Kudos
the_rock
Legend
Legend

Makes sense, I heard that about Juniper before. Hey, is this enabled or not on CP side inside vpn community settings?

Andy

 

Screenshot_1.png

0 Kudos
SkipperNavy
Contributor

image.jpg

0 Kudos
the_rock
Legend
Legend

I would do quick debug on CP side to see what it shows. Get iked and vpnd files from $FWDIR/log dir and run vpn iked calculate peer_ip_address to see which iked files are relevant

vpn debug trunc

vpn debug ikeon

-try generate some traffic

vpndebug ikeoff

Best,

Andy

0 Kudos
SkipperNavy
Contributor

Please what do you mean by run vpn iked calculate? 

0 Kudos
the_rock
Legend
Legend

What I mean is this.

Andy

 

[Expert@cpazurecluster1:0]# vpn iked calculate 20.151.89.116

vpn: Address 20.151.89.116 is handled by IKED 0

[Expert@cpazurecluster1:0]#

 

And what above means is that when you run debug, you ONLY care about iked0 files.

0 Kudos
SkipperNavy
Contributor

I tried  running the command in expert mode but it return:

Unknown command « iked »

 

 

0 Kudos
the_rock
Legend
Legend

Just type vpn from expert mode and see if iked shows up in the menu, as below

[Expert@cpazurecluster1:0]# vpn
Usage:
vpn debug ... # print debug msgs to VPN log files
vpn iked # various 'iked' related commands
vpn cccd # various 'cccd' related commands
vpn crl_zap # erase all CRLs from cache
vpn drv ... # attach vpn driver to fw driver and more
vpn ver [-k] # display VPN version
vpn crlview ... # debugging tool for CRLs
vpn compstat # display compression/decompression statistics
vpn compreset # reset compression/decompression statistics
vpn macutil [user_name] # display generated MAC address by username or
# DN from arg or stdin (also: vpn mu)
vpn tunnelutil # launch TunnelUtil tool to control
# VPN Tunnels (also: vpn tu)
vpn nssm_topology ... # generate topology in NSSM format for
# Nokia clients
vpn rll dump fileName/sync # Route Lookup Layer: Dump DB
# Sync DB
vpn overlap_encdom ... # Display overlapping encryption domains
vpn dll dump fileName # DNS Lookup Layer: Dump DB
vpn dll resolve [hostname] # Request Resolve
vpn 3rd_party_mep #
vpn ipafile_check filename [level] # Verify candidate for ipassignment.conf
vpn set_slim_server ... # Starting/stopping the slim web server
vpn set_snx_encdom_groups ... # enabling/disabling the encryption domain
# per usergroup feature for snx
vpn mep_refresh # Initiate MEP re-decision in case of
# backup stickiness configuration
vpn rim_cleanup # Clean RIM routes
vpn shell ... # Command Line Interface
vpn set_trac disable/enable # Starting/Stopping trac server
vpn neo_proto [on/off] # switching neo client protocol
vpn show_tcpt # show visitor mode users
vpn check_ttm # Check if a ttm file is valid
vpn dump_psk # dump hash (SHA256) of peers pre-shared-keys
vpn snx_unban # Reset the failed login attempt history of a client IP address
[Expert@cpazurecluster1:0]#

0 Kudos
SkipperNavy
Contributor

image.jpg

There is no iked option with vpn colmand

 

thank you 

0 Kudos
the_rock
Legend
Legend

Ok, no worries. Lets do remote if you are allowed, I think we can figure this out.

If yes, just DM me and I can send you zoom.

Andy

0 Kudos
SkipperNavy
Contributor

Thank you the-rock but i can use remote, company restriction.

if i disable nat on cp, is it necessary to do the same on juniper?

0 Kudos
the_rock
Legend
Legend

Correct.

0 Kudos
Timothy_Hall
Champion Champion
Champion

Traffic selectors proposed to a Juniper must match precisely, it will not accept a subset.  However the Check Point will accept a subset if the Juniper proposes it, which is why the Juniper can bring the tunnel up, but if the Check Point is the initiator it cannot.

Make sure "disable NAT in VPN Community" is set as the_rock mentioned.

The GUIdbedit largest_possible_subnet and user.def hacks are no longer needed as you can now set precise VPN domains per VPN Community.  I'm pretty sure this capability was added in R80.40 which is the release you are using.  On the VPN Community screen shown below, override the VPN Domain "IP addresses based on object topology" setting for both community members like this:

vpn_domain_override.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
SkipperNavy
Contributor

Hello, i made all this change but my cp gateway still send /16 as MyTSI

can someone explain me to understand how the gateway obtain /16?  

thank you in advance

0 Kudos
the_rock
Legend
Legend

Can you please send screenshots of changes you made in guidbedit, as well as community settings? Please blue out any sensitive info. Also, do the debug I mentioned last nite.

vpn debug trunc

vpn debug ikeon

-try generate some traffic

vpn debug ikeoff

Look for iked and vpnd files in $FWDIR/log dir

Best,

Andy

 

 

 

 

0 Kudos
SkipperNavy
Contributor

image.jpg

When run the command for debug i have this message. I have other vpn and are working fine with the same configuration, no supernetting.

i can t figure out why the gateway still send /16.

0 Kudos
the_rock
Legend
Legend

I would work with TAC on this, something does not look right. Remote session would be way to go.

0 Kudos
SkipperNavy
Contributor

We will open a tac.

thank you

0 Kudos
CaseyB
Collaborator

Yes, Juniper is very picky. My notes from troubleshooting this back in December:

 

"This issue happens on IKEv2 and IKEv1.

The network team in charge of the Juniper did provide me with this error:

  • Dec  4 15:16:24  localpeer-eec-vsrx kmd[26736]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: remote, Peer Proposed traffic-selector local-ip: ipv4(icmp,2.4.2.2),ipv4(2.4.2.2),  Peer Proposed traffic-selector remote-ip: ipv4(icmp,5.4.2.1),ipv4(5.4.2.1)

The above is the error message and for the traffic selector to work, the message should have looked something like this:

  • Dec  4 15:16:24  localpeer-eec-vsrx kmd[26736]: KMD_VPN_TS_MISMATCH: Traffic-selector mismatch, vpn name: remote, Peer Proposed traffic-selector local-ip: ipv4(icmp,2.4.2.2),  Peer Proposed traffic-selector remote-ip: ipv4(icmp,5.4.2.1)

Essentially when Check Point sends over a single host it does it in a range type format that the Juniper does not like and rejects it."

 

 

I did get bi-directional communication working using the user defined encryption setting with one VPN tunnel per Gateway pair tunnel sharing option. I hope this helps.

the_rock
Legend
Legend

Thats certainly something to try.

0 Kudos
SkipperNavy
Contributor

hello all,

today i changed the vpn community from star to mesh, and i put a /16 on proxy id on juniper the tunnel worked and i can get traffic to the gateway juniper, but after an other policy install on cp, traffic is ko.

i begin have message like:

exchange timeout, preshared secret failed,.. when traffic from juniper to cp is ok

0 Kudos
the_rock
Legend
Legend

Are you sauing traffic now works one way? Did you try option tunnel per gateway?

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events