This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
stelsyas
Explorer
‎2024-04-25 01:50 AM

Traffic selector 0.0.0.0/0 in IPSec with CISCO ASA

Good morning everyone,

 

I am setting up IPsec over the Public Internet with many partners around the world. One of my partners uses a Cisco ASA, and there was a problem with that. CheckPoint send traffic selector 0.0.0.0. Cisco rejects the request and IPsec does not up. Has anyone encountered such a problem?

 

I use CheckPoint 1800 on cluster. 

 

Thanks!

Labels
0 Kudos
12 Replies
PhoneBoy
Admin
Admin
‎2024-04-25 07:11 AM

Sounds like both ends disagree on what the encryption domain is and/or you've configured your end to establish a single tunnel for all traffic (0.0.0.0) and the other end isn't configured to accept this.

0 Kudos
stelsyas
Explorer
‎2024-04-25 07:20 AM
In response to PhoneBoy

Hi PhoneBoy! 

I need configure connection between local network 185.xx.xx.xx/29 (my CP) and 91.xx.xx.xx/30 (Cisco). 

I added network 185.xx.xx.xx/29 to VPN->Site to Site -> Advanced -> Local ecryption domain is defined manualy... 

But CheckPoint on Phase 2 sending traffic selector 0.0.0.0/0. Another firewall (PfSense, Strongswan, Huawei) normal to accept it. The problem is only with Cisco ASA.

0 Kudos
_Val_
Admin
Admin
‎2024-04-25 07:27 AM
In response to stelsyas

Can you show how you configured your VPN domain on CP side? The issue is, CP only sends 0.0.0.0/0 if the VPN domain is empty.

0 Kudos
Vincent_Bacher
Advisor
Advisor
‎2024-04-25 07:34 AM
In response to _Val_

And i thought, it's defined in the tunnel management.

cp-tunnel-management.png

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
stelsyas
Explorer
‎2024-04-25 07:40 AM
In response to _Val_

Config on screens:

2.png

1.png

  

0 Kudos
Vincent_Bacher
Advisor
Advisor
‎2024-04-25 07:28 AM
In response to stelsyas

In case you configured the domain to select it's proxy id per pair of gateways, it surely sends 0.0.0.0/0 what is expected behavior.
On the ASA side there should be something like this:

crypto map outside_map 10 match address VPN-Traffic
crypto map outside_map 10 set peer <Peer_IP_Address>

! Define the ACL for interesting traffic
access-list VPN-Traffic extended permit ip any4 any4

 

This is how i configured that long time ago

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
stelsyas
Explorer
‎2024-04-25 07:43 AM
In response to Vincent_Bacher

IPSec is up if configure the following on the Cisco:
>>access-list VPN-Traffic extended permit ip any4 any4

But in this case, all traffic will be sent via IPSec. 

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-04-25 08:02 AM

Just configure it as permanent tunnel using VTIs and set option @Vincent_Bacher advised in the community. I had done this many times and works without any issues. If you need help, just ping me.

Andy

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-04-25 02:37 PM

Just to clarify the "one tunnel per gateway pair" is sometimes called "double quad zeroes" or a "universal tunnel" by some vendors if it helps locate their proper documentation for this setup.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Platinum
MVP Platinum
‎2024-04-25 02:44 PM
In response to Timothy_Hall

Super valid point...I know Fortinet calls it that all the time, not sure about Cisco, but its probably the same thing.

Andy

Best,
Andy
0 Kudos
Vincent_Bacher
Advisor
Advisor
‎2024-04-25 10:01 PM
In response to the_rock

Interesting. I configured masses of VPN tunnels at FortiGate devices and never heard that wording 😄

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-04-26 04:26 AM
In response to Vincent_Bacher

Now you have 😉

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events