Amit Singh

Site to Site VPN - Checkpoint R80.10 to Cisco ASA - Troubleshooting

Discussion created by Amit Singh on Aug 24, 2018
Latest reply on Aug 29, 2018 by Amit Singh

R80.10 Checkpoint to Cisco ASA - Site-to-site VPN:


Existing services are working fine in the same VPN tunnel.

This is bi-directional access over the VPN.

Remote A - Checkpoint R80.10 (10.154.2.7)

Remote B - Cisco ASA (10.112.124.0/13)


When adding a new service in the same VPN from source 10.154.2.7 to destination 10.112.124.0/13, it causes an SA mismatch at both firewalls. The ACLs match at both ends.


Note:- Remote B is able to connect to the Remote A destination over the same VPN and it is working fine. But Remote A is not able to connect to the Remote B destination.


Encryption Domain Group on Checkpoint R80.10


10.154.2.7

10.154.0.0/16


Site A firewall logs (Checkpoint Firewall)


[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] vpn_ipsec_spi_notify:: instance: 4, spi 0, 127.0.0.1, peer X.X.X.X, proto 50, my range 10.154.0.0-10.155.255.255, peer range 10.112.124.0-10.112.125.255, user md 0000000000000000, methods 215 2, packetID 811c1ba, proto 0 ports 0 0

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] 0 62c1a8c0 <10.154.2.7 port 57717,   10.112.124.13 port 48000,  6>

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] kmsg_read_local: 1 kmsgs handled


[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] GetEntryIsakmpObjectsHash: received ipaddr: X.X.X.X as key, found fwobj: Flood_RE

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for X.X.X.X returned obj: 0x9e116c4

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] canonize_gw: Canonized ip is the same as original ip X.X.X.X

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] ModifySPI: entering

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] GetEntryIsakmpObjectsHash: received ipaddr: X.X.X.X as key, found fwobj: Flood_RE

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] fwipsechost_from_ipxaddr: calling GetEntryXIsakmpObjectsHash for X.X.X.X returned obj: 0x9e116c4

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] GetEntryCommunityHashX: received ipaddr: X.X.X.X as key, found community: Flood-RE

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] FindCommonCommunity: Found common community (IPv4 addr=X.X.X.X) (Flood-RE) for Flood_RE

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59][ikev2] getIKEVersionForCommunity: Community configured to use IKEv1 only.

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] RequestByMethods_ikev1: enter

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] RequestByMethods: used 1 my [a9a0000-a9bffff] peer [a707c00-a707dff]

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] RequestByMethods: user_md 0000000000000000

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] NegotiationTable::MatchPeerMethodsIDs: 5049f98a 215 02 [a9a0000-a9bffff] [a707c00-a707dff], my instance: 4

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] NegotiationTable::MatchPeerMethodsIDs: Found match:

[vpnd 19496 4102547344]@fw-01b[24 Aug  9:02:59] neg ptr: e93bc3c0 ass: e6b153e8 wait4: 00

                msgId: 9a48d7b method: 215 02 cookie: 65695aee9771d6ff

                 req type: 1 SPIs: 00


Site B firewall logs (Cisco ASA)

Source/Destination:

object-group network Remote_A

network-object host 10.154.2.7

Source/Destination:

object-group network Remote_B

network-object 10.112.124.0 255.255.254.0


debug crypto ipsec logs


Aug 22 2018 11:07:44: %ASA-7-714003: IP = xx.xx.xx.x, IKE Responder starting QM: msg id = 1eeb7820

Aug 22 2018 11:07:44: %ASA-7-713236: IP = xx.xx.xx.x, IKE_DECODE RECEIVED Message (msgid=1eeb7820) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 300

Aug 22 2018 11:07:44: %ASA-7-715047: Group = xx.xx.xx.x, IP = xx.xx.xx.x, processing hash payload

Aug 22 2018 11:07:44: %ASA-7-715047: Group = xx.xx.xx.x, IP = xx.xx.xx.x, processing SA payload

Aug 22 2018 11:07:44: %ASA-7-715047: Group = xx.xx.xx.x, IP = xx.xx.xx.x, processing nonce payload

Aug 22 2018 11:07:44: %ASA-7-715047: Group = xx.xx.xx.x, IP = xx.xx.xx.x, processing ke payload

Aug 22 2018 11:07:44: %ASA-7-713906: Group = xx.xx.xx.x, IP = xx.xx.xx.x, processing ISA_KE for PFS in phase 2

Aug 22 2018 11:07:44: %ASA-7-715047: Group = xx.xx.xx.x, IP = xx.xx.xx.x, processing ID payload

Aug 22 2018 11:07:44: %ASA-7-714011: Group = xx.xx.xx.x, IP = xx.xx.xx.x, ID_IPV4_ADDR_SUBNET ID received--10.154.0.0--255.254.0.0

Aug 22 2018 11:07:44: %ASA-7-713035: Group = xx.xx.xx.x, IP = xx.xx.xx.x, Received remote IP Proxy Subnet data in ID Payload:   Address 10.154.0.0, Mask 255.254.0.0, Protocol 0, Port 0

Aug 22 2018 11:07:44: %ASA-7-715047: Group = xx.xx.xx.x, IP = xx.xx.xx.x, processing ID payload

Aug 22 2018 11:07:44: %ASA-7-714011: Group = xx.xx.xx.x, IP = xx.xx.xx.x, ID_IPV4_ADDR_SUBNET ID received--10.112.124.0--255.255.254.0

Aug 22 2018 11:07:44: %ASA-7-713034: Group = xx.xx.xx.x, IP = xx.xx.xx.x, Received local IP Proxy Subnet data in ID Payload:   Address 10.112.124.0, Mask 255.255.254.0, Protocol 0, Port 0

Aug 22 2018 11:07:44: %ASA-7-713906: Group = xx.xx.xx.x, IP = xx.xx.xx.x, QM IsRekeyed old sa not found by addr

Aug 22 2018 11:07:44: %ASA-7-713221: Group = xx.xx.xx.x, IP = xx.xx.xx.x, Static Crypto Map check, checking map = myCryptoMap, seq = 1...

Aug 22 2018 11:07:44: %ASA-7-713222: Group = xx.xx.xx.x, IP = xx.xx.xx.x, Static Crypto Map check, map = myCryptoMap, seq = 1, ACL does not match proxy IDs src:10.154.0.0 dst:10.112.124.0

Aug 22 2018 11:07:44: %ASA-7-713221: Group = xx.xx.xx.x, IP = xx.xx.xx.x, Static Crypto Map check, checking map = myCryptoMap, seq = 2...

Aug 22 2018 11:07:44: %ASA-7-713222: Group = xx.xx.xx.x, IP = xx.xx.xx.x, Static Crypto Map check, map = myCryptoMap, seq = 2, ACL does not match proxy IDs src:10.154.0.0 dst:10.112.124.0

Aug 22 2018 11:07:44: %ASA-3-713061: Group = xx.xx.xx.x, IP = xx.xx.xx.x, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.154.0.0/255.254.0.0/0/0 local proxy 10.112.124.0/255.255.254.0/0/0 on interface outside

Aug 22 2018 11:07:44: %ASA-7-713906: Group = xx.xx.xx.x, IP = xx.xx.xx.x, sending notify message

Aug 22 2018 11:07:44: %ASA-7-713906: Group = xx.xx.xx.x, IP = xx.xx.xx.x, Sending p2 'Invalid ID info' notify message with SPI zero.

Aug 22 2018 11:07:44: %ASA-7-715046: Group = xx.xx.xx.x, IP = xx.xx.xx.x, constructing blank hash payload

Aug 22 2018 11:07:44: %ASA-7-713906: Group = xx.xx.xx.x, IP = xx.xx.xx.x, constructing ipsec notify payload for msg id 1eeb7820

Aug 22 2018 11:07:44: %ASA-7-715046: Group = xx.xx.xx.x, IP = xx.xx.xx.x, constructing qm hash payload

Aug 22 2018 11:07:44: %ASA-7-713236: IP = xx.xx.xx.x, IKE_DECODE SENDING Message (msgid=b0018c3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 356

Aug 22 2018 11:07:44: %ASA-3-713902: Group = xx.xx.xx.x, IP = xx.xx.xx.x, QM FSM error (P2 struct &0x00007ff9f1f8d590, mess id 0x1eeb7820)!

Aug 22 2018 11:07:44: %ASA-7-715065: Group = xx.xx.xx.x, IP = xx.xx.xx.x, IKE QM Responder FSM error history (struct &0x00007ff9f1f8d590)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH


My concern is why the Remote B IP is able to connect to the Remote A IP and not vice versa. It also seems Checkpoint is doing supernetting.
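The proxy-ID mismatch in the two logs above, as an added example that is not part of the original post and is not Check Point's or Cisco's code: a Python script that extracts the Quick Mode proxy IDs from the ASA 713035/713034 lines, decodes the hex ranges in the vpnd RequestByMethods line, and checks each side's proposal against the other side's policy with a simplified responder rule (accept only when a policy line covers both proxy IDs; a proposal wider than the policy is rejected). The sample log lines, the ASA crypto ACL and the Check Point encryption-domain table are constructed from what the thread shows; the responder rule is an assumption that reproduces the 713222/713061 output, not either vendor's exact algorithm.

```python
"""Diagnose an IKEv1 Quick Mode proxy-ID mismatch from firewall debug output.

Added example for this thread: not code from the original post, from Check
Point or from Cisco. Sample log lines, the ASA crypto ACL and the Check Point
encryption domain are constructed from what the thread shows. The responder
rule is a simplification (assumption): accept a proposal only when a policy
line covers both proxy IDs, equal or wider; a wider proposal is rejected.
"""
import ipaddress
import re

# Constructed from the ASA 'debug crypto ipsec' output in the thread (Group/IP
# fields trimmed).
ASA_DEBUG = """\
%ASA-7-713035: Received remote IP Proxy Subnet data in ID Payload:   Address 10.154.0.0, Mask 255.254.0.0, Protocol 0, Port 0
%ASA-7-713034: Received local IP Proxy Subnet data in ID Payload:   Address 10.112.124.0, Mask 255.255.254.0, Protocol 0, Port 0
"""

# Constructed from the Check Point vpnd line; vpnd prints address ranges in hex.
CP_DEBUG = "RequestByMethods: used 1 my [a9a0000-a9bffff] peer [a707c00-a707dff]"

# ASA crypto ACL, from the object-groups in the thread: (remote, local).
ASA_ACL = [(ipaddress.ip_network("10.154.2.7/32"),
            ipaddress.ip_network("10.112.124.0/23"))]

# Check Point view, from the encryption domain group and the vpnd 'peer range':
# (remote = ASA side, local = Check Point side). Assumption: the peer object's
# domain is exactly the /23 that vpnd prints as the peer range.
CP_DOMAIN = [(ipaddress.ip_network("10.112.124.0/23"), ipaddress.ip_network("10.154.2.7/32")),
             (ipaddress.ip_network("10.112.124.0/23"), ipaddress.ip_network("10.154.0.0/16"))]

PROXY_RE = re.compile(r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s+"
                      r"Address ([\d.]+), Mask ([\d.]+)")
RANGE_RE = re.compile(r"my \[([0-9a-f]+)-([0-9a-f]+)\] peer \[([0-9a-f]+)-([0-9a-f]+)\]")


def asa_proxy_ids(debug):
    """Proxy IDs the ASA received in QM message 1 (713035 remote, 713034 local)."""
    ids = {}
    for side, addr, mask in PROXY_RE.findall(debug):
        ids[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ids


def range_to_network(first, last):
    """Collapse an inclusive address range into a single CIDR block."""
    nets = list(ipaddress.summarize_address_range(first, last))
    if len(nets) != 1:
        raise ValueError(f"{first}-{last} is not one CIDR block")
    return nets[0]


def cp_proxy_ids(line):
    """Decode vpnd's hex ranges; 'my' is the Check Point side, 'peer' the ASA side."""
    m = RANGE_RE.search(line)
    if m is None:
        raise ValueError("no RequestByMethods range in line")
    lo_my, hi_my, lo_peer, hi_peer = (ipaddress.ip_address(int(h, 16)) for h in m.groups())
    return {"local": range_to_network(lo_my, hi_my),
            "remote": range_to_network(lo_peer, hi_peer)}


def responder_check(remote, local, policy):
    """Simplified responder decision for a proposed (remote, local) pair.

    'accept'    : some policy line covers both IDs (the ASA's ACL match)
    'supernet'  : lines overlap but the proposal is wider, which the ASA
                  reports as 713222 'ACL does not match proxy IDs' and 713061
    'no overlap': nothing in the policy touches the proposal
    """
    for pol_remote, pol_local in policy:
        if remote.subnet_of(pol_remote) and local.subnet_of(pol_local):
            return "accept"
    for pol_remote, pol_local in policy:
        if remote.overlaps(pol_remote) and local.overlaps(pol_local):
            return "supernet"
    return "no overlap"


def diagnose():
    """Evaluate both initiation directions and whether the two logs agree."""
    cp_proposal = asa_proxy_ids(ASA_DEBUG)   # what the ASA saw
    vpnd = cp_proxy_ids(CP_DEBUG)            # what vpnd says it sent
    logs_agree = (vpnd["local"] == cp_proposal["remote"]
                  and vpnd["remote"] == cp_proposal["local"])
    # Check Point initiates: the ASA is the responder and checks its crypto ACL.
    cp_initiates = responder_check(cp_proposal["remote"], cp_proposal["local"], ASA_ACL)
    # ASA initiates with its own ACL line; Check Point sees the two sides swapped.
    asa_remote, asa_local = ASA_ACL[0]
    asa_initiates = responder_check(asa_local, asa_remote, CP_DOMAIN)
    return {"logs_agree": logs_agree,
            "checkpoint_initiates": cp_initiates,
            "asa_initiates": asa_initiates,
            "checkpoint_proposed": f"{cp_proposal['remote']} <-> {cp_proposal['local']}"}


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run stand-alone, the script reports that vpnd's hex ranges decode to the same 10.154.0.0/15 <-> 10.112.124.0/23 pair the ASA logged, that the Check Point-initiated negotiation ends in "supernet" (the /15 is wider than the ACL's host 10.154.2.7, so no crypto map entry matches), and that an ASA-initiated negotiation with host <-> /23 is covered by the Check Point domain and is accepted. Under the stated assumptions that is the asymmetry the post describes; the fix is on the Check Point side, which has to propose the host or /16 the ASA ACL expects rather than the /15 supernet.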
