carl_t
Contributor

Where does Checkpoint pull the VPN Subnets from for the tunnels? Strange issues

Hi Guys

We have created a VPN tunnel between a R81.10 gateway and a Cisco ASA, the setting is one vpn tunnel per subnet pair.

The subnet on the ASA side is 172.16.0.0/12 to the Checkpoint which is 172.28.25.0/24

However, when we look at the ASA and do a vpn tu tlist on the Checkpoint we see lots of random tunnels to different subnets within this 172.16.0.0/12 network; for example, we see a tunnel formed to 172.24.0.0/14 and 172.16.0.0/13.

Where are these funny subnets being pulled from, as none of these are set in the config? Why are these showing?

Many thanks

0 Kudos
7 Replies
the_rock
Legend

Hey @carl_t 

Have a look at the recent post and what I gave to fix it. I hate to type it all out now, so just open the link and it's all there.

If you have any questions, let me know, we can discuss further.

Cheers mate.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Site-to-site-Disconnects-amp-Questions/m-p/175...

0 Kudos
carl_t
Contributor

Hi Andy

Thanks for your response. Firstly, we are not getting any drops, just loads of random SAs.

Where is it getting these funny supernets from? For example, what makes the Checkpoint pick 172.24.0.0/14 even though it is not configured in any VPN settings or any objects configured on the gateway?

0 Kudos
the_rock
Legend

It's from those guidbedit settings I mentioned in the post. So, to make a long story short, this has been the problem with Check Point for, I don't know, the last 20 years : - )

So, here is a really basic example... let's pretend you want CP to advertise a /29 to Cisco and that's what Cisco is expecting... fantastic. Now, you do your enc domains, verify everything, install policy and realize it's failing on phase 2.

Why, you may wonder? It's because Cisco is EXPECTING a /29, but CP will always try to send the largest possible subnet, which would be at least a /24 or larger.

So, not shockingly, I'm fairly positive that unless you change those values I mentioned to false, you will 100% continue to see this behavior.

As a matter of fact, this was one of the questions on R81 CCSE exam last year, EXACTLY that : - )


0 Kudos
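Andy's point above is that the gateway negotiates the largest subnet it can rather than the exact objects you configured, which is how Phase 2 selectors appear that match no object. The script below is an added illustration and is not part of this thread or Check Point's code: it models that aggregation with Python's ipaddress.collapse_addresses over a constructed remote encryption domain (the /16 members, the observed SA pairs and the 172.30.0.0/16 selector are all made up for the example; the thread only gives 172.16.0.0/12, 172.28.25.0/24 and the two supernets carl_t saw), and then audits a list of negotiated selector pairs against the configured members so that supernets, narrower subnets and uncovered selectors stand out.

```python
import ipaddress

# Constructed example data (not from the thread): one way the remote
# encryption domain could be defined on the Check Point side, as twelve
# individual /16 members. The thread only says the ASA side is 172.16.0.0/12.
REMOTE_MEMBERS = [f"172.{i}.0.0/16" for i in range(16, 28)]  # 172.16/16 .. 172.27/16
LOCAL_MEMBERS = ["172.28.25.0/24"]

# Constructed (local, remote) Phase 2 selector pairs modelled on the supernets
# carl_t reports; this is not real "vpn tu tlist" output. The third pair is a
# hypothetical selector that no configured member covers.
OBSERVED_SAS = [
    ("172.28.25.0/24", "172.16.0.0/13"),
    ("172.28.25.0/24", "172.24.0.0/14"),
    ("172.28.25.0/24", "172.30.0.0/16"),
]


def aggregate_largest_subnets(members):
    """Collapse contiguous members into the largest subnets that cover them.

    This models the behaviour Andy describes (the gateway negotiating the
    largest possible subnet) with ipaddress.collapse_addresses; it is an
    illustration of the effect, not the gateway's actual algorithm.
    """
    nets = [ipaddress.ip_network(m, strict=True) for m in members]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def classify_selector(selector, configured):
    """Say how a negotiated selector relates to the configured domain members."""
    sel = ipaddress.ip_network(selector)
    cfg = [ipaddress.ip_network(c) for c in configured]
    if sel in cfg:
        return "exact"        # selector is literally a configured member
    if any(c.subnet_of(sel) for c in cfg):
        return "supernet"     # selector is wider than members it covers
    if any(sel.subnet_of(c) for c in cfg):
        return "subnet"       # selector is narrower than a configured member
    return "unknown"          # selector overlaps nothing configured


def audit_phase2(observed, local_cfg, remote_cfg):
    """Return one (local, remote, local_class, remote_class) tuple per SA."""
    return [
        (loc, rem, classify_selector(loc, local_cfg), classify_selector(rem, remote_cfg))
        for loc, rem in observed
    ]


def unexpected_sas(observed, local_cfg, remote_cfg):
    """SAs whose selectors are not an exact configured member on both sides."""
    return [row for row in audit_phase2(observed, local_cfg, remote_cfg)
            if row[2] != "exact" or row[3] != "exact"]


if __name__ == "__main__":
    print("largest-subnet aggregation of remote members:",
          aggregate_largest_subnets(REMOTE_MEMBERS))
    for row in audit_phase2(OBSERVED_SAS, LOCAL_MEMBERS, REMOTE_MEMBERS):
        print("%-16s -> %-16s local=%s remote=%s" % row)
```

Run against the constructed members, the aggregation step yields exactly 172.16.0.0/13 and 172.24.0.0/14, the two "funny" selectors from the opening post, which is the shape of evidence to look for when deciding whether supernetting rather than a stray object explains an unexpected SA. Feeding the function the ASA's own 172.16.0.0/12 instead shows the same selectors classified as narrower subnets of the peer's proxy ID, which is why the two sides disagree about what the tunnel should carry.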
carl_t
Contributor

Hi Andy

It's the other way around where we are having issues: the ASA is sending 172.16.0.0/12 as its source, but the CP is picking networks within this range and building tunnels back to the ASA on all different subnets. The source subnet FROM the Checkpoint is fine; the issue is destinations from the CP towards the ASA. The ASA sees the correct source from the ASA.

0 Kudos
the_rock
Legend

Fair enough. Have you got a simple diagram you can send with this info and how traffic is supposed to flow? Even a basic Paint drawing would do, I'm not picky, as long as I can visualize this : - )

PLEASE blur out any sensitive info.

Tx mate.

Andy

0 Kudos
Danny
Champion

What's this tool showing as encryption domains?

0 Kudos
the_rock
Legend

Another GREAT tool from you @Danny ...keep them coming mate, you are the BEST!! 🙌🙌🙌

0 Kudos