Stefano_Chiesa
Explorer

VPN with Cisco FTD-local subnet natted, key exchange with original IPs

Hello all.

On a 2200 R75.40 cluster, an L2L VPN is configured with a remote Cisco FTD.
In the VPN configuration the real local subnet (10.39.126.x/23) is not specified; instead a NAT subnet is used (192.168.123.x/27).
On the remote side, 4 hosts (/32) are defined as remote networks (10.130.200.234/.235/.236/.241).

The local subnet is manually Hide-NATed behind a single IP in the NAT subnet (192.168.123.1).
The tunnel is up, but sometimes when the key exchange happens the original 10.39.126.x IP is used in the packet instead of the 192.168.123.1 NAT IP (see the log records below).

The key with the wrong IP is installed (why?), but then the traffic fails.

It seems to be a matter of activity sequence (accept rule, NAT, negotiate, encrypt...).

Does anyone have a suggestion?

Thanks in advance.
Stefano

----------------------------- CORRECT KEY INSTALL

Number: 11768148
Date: 11Dec2019
Time: 9:12:30
Interface: daemon
Origin: FW
Type: Log
Action: Key Install
==>Source: VPN-NAT-IP (192.168.123.1) <<==== CORRECT
Destination: 10.130.200.235
Community: xxxxxxxxxxxxx
Information: IKE: Child SA exchange: Created a child SA successfully
IKE IDs: <192.168.123.0 - 192.168.123.31><10.130.200.235>
Source Key ID: 0x92dddf54
Destination Key ID: 0x9ab9283b
Encryption Scheme: IKEv2
Data Encryption Methods: AES_256 + HMAC_SHA256, No IPComp, No ESN, No PFS
IKE Initiator Cookie: dbd002e39d8ab5aa
IKE Responder Cookie: eb019a4c3f09bd88
IKE Phase2 Message ID: 0000000d
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: IKE
Product: Security Gateway/Management
Product Family: Network

----------------------------- WRONG KEY INSTALL

Number: 11750404
Date: 11Dec2019
Time: 9:11:52
Interface: daemon
Origin: FW
Type: Log
Action: Key Install
==>Source: 10.39.126.44 <<======= WRONG!
Destination: 10.130.200.234
Community: xxxxxxxxxxxxx
Information: IKE: Child SA exchange: Created a child SA successfully
IKE IDs: <10.130.200.234>
Source Key ID: 0x1f571570
Destination Key ID: 0xcb0be6fa
Encryption Scheme: IKEv2
Data Encryption Methods: AES_256 + HMAC_SHA256, No IPComp, No ESN, No PFS
IKE Initiator Cookie: dbd002e39d8ab5aa
IKE Responder Cookie: eb019a4c3f09bd88
IKE Phase2 Message ID: 0000000c
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: IKE
Product: Security Gateway/Management
Product Family: Network
----------------------------- FAILING HTTPS ACCESS

Number: 11781102
Date: 11Dec2019
Time: 9:12:52
Interface: Mgmt
Origin: FW
Type: Log
Action: Drop
Service: https (443)
Source Port: 58984
Source: 10.39.126.44
Destination: 10.130.200.234
Protocol: tcp
Rule: 43
Rule UID: {4904EE49-19C1-4074-8561-DF7437BF5FBF}
NAT rule number: 3
NAT additional rule number: 1
XlateSrc: VPN-NAT-IP (192.168.123.1)
XlateSPort: 14356
Community: XXXXXXXXXXXXXX
Information: service_id: https
encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
Encryption Scheme: IKE
Data Encryption Methods: ESP: AES-256 + SHA256
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: VPN
Product: Security Gateway/Management
Log ID: 404830
Product Family: Network


------------------------------ WORKING HTTPS ACCESS

Number: 11768149
Date: 11Dec2019
Time: 9:12:30
Interface: Mgmt
Origin: FW
Type: Log
Action: Encrypt
Source: 10.39.126.44
Destination: 10.130.200.235
Protocol: icmp
Rule: 43
Rule UID: {4904EE49-19C1-4074-8561-DF7437BF5FBF}
NAT rule number: 3
NAT additional rule number: 1
XlateSrc: VPN-NAT-IP (192.168.123.1)
Community: XXXXXXXXXXXXXX
Information: service_id: icmp-proto
ICMP: Echo Request
ICMP Type: 8
ICMP Code: 0
Encryption Scheme: IKE
Data Encryption Methods: ESP: AES-256 + SHA256
VPN Peer Gateway: REMOTE-Peer (X.X.X.X)
Subproduct: VPN
VPN Feature: VPN
Product: Security Gateway/Management
Product Family: Network

0 Kudos
2 Replies
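The records above show the mismatch directly: the correct Key Install carries the local selector <192.168.123.0 - 192.168.123.31> and a Source inside the NAT subnet, the wrong one carries the real host address 10.39.126.44, and the later Drop for that host cites a missing SA. As an added example (not from the poster or from Check Point), the Python below parses records in this field-per-line layout and flags Key Install events whose local Source lies outside the expected encryption domain, plus Drop events that cite a missing SA; the domain 192.168.123.0/27 and the trimmed sample records are assumptions.

```python
import ipaddress
import re

# Constructed sample in the field-per-line layout of the records quoted above.
SAMPLE_LOG = """\
Number: 11768148
Action: Key Install
Source: VPN-NAT-IP (192.168.123.1)
Destination: 10.130.200.235

Number: 11750404
Action: Key Install
Source: 10.39.126.44
Destination: 10.130.200.234

Number: 11781102
Action: Drop
Source: 10.39.126.44
Destination: 10.130.200.234
encryption fail reason: Packet is dropped because there is no valid SA
"""

# Assumption: the encryption domain offered to the peer is the Hide-NAT subnet.
VPN_DOMAIN = ipaddress.ip_network("192.168.123.0/27")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_records(text):
    """Split the export into records, each a dict of 'Field' -> 'value'."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (ln.split(": ", 1) for ln in block.splitlines() if ": " in ln)
        records.append({k.strip(): v.strip() for k, v in pairs})
    return records


def first_ip(field):
    """Pull the address out of a value like 'VPN-NAT-IP (192.168.123.1)'."""
    m = IP_RE.search(field or "")
    return ipaddress.ip_address(m.group(0)) if m else None


def suspicious_key_installs(records, domain=VPN_DOMAIN):
    """Numbers of Key Install events negotiated on a Source outside the domain."""
    return [r["Number"] for r in records if r.get("Action") == "Key Install"
            and (ip := first_ip(r.get("Source"))) is not None and ip not in domain]


def drops_without_sa(records):
    """Numbers of Drop events that cite a missing SA, the symptom in the post."""
    return [r["Number"] for r in records if r.get("Action") == "Drop"
            and "no valid SA" in r.get("encryption fail reason", "")]
```

Running it over the sample flags record 11750404 as the child SA built on the real address and 11781102 as the resulting drop; the same check can be pointed at a full log export to see how often the un-NATed selector is negotiated.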
G_W_Albrecht
Legend

R75.40 has been out of support since April 2016, so all I can suggest is to look around in the forum, e.g. Site-To-Site VPN with Multiple Subnets, Link to sk62803 https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... and Site to Site with 3rd party

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Stefano_Chiesa
Explorer

Thanks G_W for your answer. I know it's a really old system but I have to deal with it...
I'll review the articles.
Thanks again.
Stefano.

0 Kudos
