9 Replies Latest reply: Feb 21, 2018 12:51 AM by arteq

    site2site vpn between ios - checkpoint

    sparky

      I am having issues configuring a site-to-site VPN between a Cisco IOS router and a Check Point NRX firewall.

      Now I have checked and double-checked the IKE proposals and lifetime values, key, etc. (although I believe these are optional, I like to make sure everything matches, especially when going from one vendor to another).

      Now this is the debug on our Cisco device:

      #ping x.x.x.x sou fa0/0

      Type escape sequence to abort.

      Sending 5, 100-byte ICMP Echos to 10.224.128.20, timeout is 2 seconds:

      Packet sent with a source address of 136.140.191.222

      Jan 20 12:22:14: IPSEC(sa_request): ,

        (key eng. msg.) OUTBOUND local= 86.12.151.7, remote= 193.182.2.1,

          local_proxy= 136.x.191.x/255.255.255.224/0/0 (type=4),

          remote_proxy= 10.x.128.x/255.255.255.128/0/0 (type=4),

          protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),

          lifedur= 3600s and 4608000kb,

          spi= 0x784DD929(2018367785), conn_id= 0, keysize= 256, flags= 0x400A

      Jan 20 12:22:14: ISAKMP: received ke message (1/1)

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)

      Jan 20 12:22:14: ISAKMP: Created a peer struct for 193.182.x.x, peer port 500

      Jan 20 12:22:14: ISAKMP: New peer created peer = 0x63A48C84 peer_handle = 0x80000006

      Jan 20 12:22:14: ISAKMP: Locking peer struct 0x63A48C84, IKE refcount 1 for isakmp_initiator

      Jan 20 12:22:14: ISAKMP: local port 500, remote port 500

      Jan 20 12:22:14: ISAKMP: set new node 0 to QM_IDLE     

      Jan 20 12:22:14: insert sa successfully sa = 63A493F4

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 193.182.2.1

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): sending packet to 193.182.x.x my_port 500 peer_port 500 (I) MM_NO_STATE

      Jan 20 12:22:14: ISAKMP (0:0): received packet from 193.182.x.x dport 500 sport 500 Global (I) MM_NO_STATE

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Couldn't find node: message_id 1487415557

      Jan 20 12:22:14: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM1

      Jan 20 12:22:14: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 193.182.x.x    ..

      I have read a lot of articles online that say supernetting is handled differently between Check Point and Cisco, but I don't think I am even getting that far in the process ...

      The error shown on the Check Point side is "IKE: Main Mode Failed to match proposal: Transform: AES-256, SHA1, Group 2 (1024 bit) Reason: Wrong value for: Authentication Method"

      Any ideas welcome
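
      The debug above stops at IKE_I_MM1: the router sent Main Mode message 1 (its Phase 1 proposals), and instead of message 2 the peer sent an informational notify, which is why the router reports "Couldn't find node" and a failed Informational mode. The following script is an added example for this thread, not code from the original post or from Cisco; it reads `debug crypto isakmp` output, works out the furthest Main Mode state reached and in which waiting state a notify arrived, and maps that to what to check. The mapping of waiting state to checklist (MM1 = proposal, MM3 = key exchange, MM5 = authentication) is my reading of the Main Mode exchange, and the two contrast samples are constructed, not captured from a device.

```python
import re

# IOS Main Mode initiator states in the order 'debug crypto isakmp' walks
# them.  MM1/MM2 carry the SA proposal, MM3/MM4 the DH public values and
# nonces, MM5/MM6 the identities and the authentication payload.
MM_STATES = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
             "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]

# When the peer answers with an informational notify instead of the next
# Main Mode message, the state we were waiting in tells us what it
# objected to (assumed mapping, see the lead-in).
REJECTED_IN = {
    "IKE_I_MM1": "Phase 1 proposal: encryption, hash, authentication method, DH group, lifetime",
    "IKE_I_MM3": "key exchange: DH group, NAT-T handling",
    "IKE_I_MM5": "authentication: pre-shared key, peer identity/address",
}

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:\s+state = (\S+)")


def triage_isakmp_debug(debug_text):
    """Summarise how far Phase 1 got and what to check next."""
    furthest, notify_state, mode_failure = "IKE_READY", None, False
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m and m.group(2) in MM_STATES and MM_STATES.index(m.group(2)) > MM_STATES.index(furthest):
            furthest = m.group(2)
        m = NOTIFY_RE.search(line)
        if m and notify_state is None:
            notify_state = m.group(1)  # first notify is the one that matters
        if "%CRYPTO-6-IKMP_MODE_FAILURE" in line:
            mode_failure = True

    if notify_state in REJECTED_IN:
        diagnosis = "peer rejected us while we waited in %s; check %s" % (notify_state, REJECTED_IN[notify_state])
    elif furthest == "IKE_P1_COMPLETE":
        diagnosis = "Phase 1 completed; look at Phase 2 (transform set, proxy IDs/ACL)"
    else:
        diagnosis = "never got past %s without a peer response; check reachability on UDP 500/4500 and the peer's logs" % furthest
    return {"furthest_state": furthest, "notify_in_state": notify_state,
            "mode_failure": mode_failure, "diagnosis": diagnosis}


# Sample input: the relevant lines from the debug in the post above.
SAMPLE_MM1_REJECTED = """\
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): sending packet to 193.182.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 20 12:22:14: ISAKMP (0:0): received packet from 193.182.x.x dport 500 sport 500 Global (I) MM_NO_STATE
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Couldn't find node: message_id 1487415557
Jan 20 12:22:14: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM1
Jan 20 12:22:14: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 193.182.x.x
"""

# Constructed contrast cases (not from the post): Phase 1 completes, and a
# rejection after MM5, which is where a wrong pre-shared key shows up.
SAMPLE_P1_OK = """\
Jan 20 12:30:01: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
Jan 20 12:30:01: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM1  New State = IKE_I_MM2
Jan 20 12:30:01: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
Jan 20 12:30:01: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
Jan 20 12:30:01: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
Jan 20 12:30:01: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6
Jan 20 12:30:01: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
"""
SAMPLE_PSK_REJECTED = """\
Jan 20 12:35:07: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
Jan 20 12:35:07: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM1  New State = IKE_I_MM2
Jan 20 12:35:07: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3
Jan 20 12:35:07: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
Jan 20 12:35:07: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5
Jan 20 12:35:07: ISAKMP (0:1): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM5
"""

if __name__ == "__main__":
    for name, sample in [("post", SAMPLE_MM1_REJECTED), ("ok", SAMPLE_P1_OK), ("psk", SAMPLE_PSK_REJECTED)]:
        print(name, "->", triage_isakmp_debug(sample)["diagnosis"])
```

      For the debug in the post this reports a rejection while waiting in IKE_I_MM1, i.e. the Phase 1 proposal itself, which is consistent with the Check Point message "Failed to match proposal ... Wrong value for: Authentication Method".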

        • 1. Re: site2site vpn between ios - checkpoint
          Michal

          Hi sparky,

          Did you solve your problem? I am facing the same problem and I am not aware of which parameters of the two IPsec phases are wrong.

          I set the authentication method to pre-shared in the isakmp policy:

          isakmp policy 1

          authentication pre-share

          Was something wrong on the other side, on the Check Point firewall? I would be glad if you could provide some help.

          Michal

          • 2. Re: site2site vpn between ios - checkpoint
            tnewshott

            Michal, welcome to the CLN!!

            You may want to start a new thread of your own, to ensure people do not get confused with the first post, and post up some snapshots of debugging, etc. as you saw above. Posting sanitized copies of the related configuration may also help.

            • 3. Re: site2site vpn between ios - checkpoint
              sparky

              In the end, Michal, it came down to this: the config was good, but for whatever reason version R70 of Check Point would not form a VPN with the Cisco VPN router.

              However, the same config worked fine going to another Cisco router or an older Check Point (R65); googling around, it is not too uncommon to run into this issue with mixed vendors.

              I know we had similar issues with a Cisco IOS to pfSense box .... we could get AES working, but 3DES was fine

              • 4. Re: site2site vpn between ios - checkpoint
                Michal

                Thank you sparky for the info.

                I gave up struggling and used cisco devices on both sides.

                • 5. Re: site2site vpn between ios - checkpoint
                  n3tw0rkguy

                  Hi guys, I haven't tried Check Point but have tried with FortiGate before. In FortiGate, there was an option to select either Main Mode or Aggressive Mode. I wonder if we also have an option in IOS or ASA to select which mode to use. Also, there was an option for dead peer detection with FortiGate. So any mismatch on this might also cause issues in bringing up the tunnel.

                  Do you also have those two options on Check Point?

                  • 6. Re: site2site vpn between ios - checkpoint
                    sparky

                    Sure do, and tried them all mate

                    • 7. Re: site2site vpn between ios - checkpoint
                      gnijs

                      Just FYI

                      I just got the same error while trying to connect to a Check Point firewall:

                      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Couldn't find node: message_id 1487415557

                      In my case, the error went away when we changed the key size of AES:

                      crypto isakmp policy 10
                       encryption aes

                      When changed to:

                      crypto isakmp policy 10
                       encryption aes 256

                      the "node" error went away. The Check Point was expecting 256-bit AES and Cisco was trying 128-bit by default.

                      Just my two cents.
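
                      The trap gnijs describes is that IOS silently fills in a default for every `crypto isakmp policy` parameter you leave out, and `encryption aes` with no key size is AES-128. The script below is an added example for this thread, not code from the posts, from Cisco or from Check Point: it parses the policy blocks out of IOS config text, applies the IOS defaults (DES, SHA, rsa-sig, group 1, 86400 s, as `show crypto isakmp policy` reports them), and compares the result with the Phase 1 values the Check Point log said it expected. The Check Point side is just a dict transcribed from that log line; the three config samples are constructed and cover gnijs's case, the fixed version, and the first post's "Wrong value for: Authentication Method" case (an `authentication pre-share` line that is missing, so the policy falls back to rsa-sig).

```python
import re

# IOS uses these values for any 'crypto isakmp policy' line you omit.
# 'encryption aes' with no key size is AES-128.
IOS_DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}
# Abbreviations seen in running-config output and in hand-typed configs.
ALIASES = {"encr": "encryption", "enc": "encryption", "auth": "authentication"}

# IOS keywords expressed in the vocabulary Check Point's VPN log uses
# ("Transform: AES-256, SHA1, Group 2 (1024 bit)").
ENC = {"des": "DES", "3des": "3DES", "aes": "AES-128", "aes 128": "AES-128",
       "aes 192": "AES-192", "aes 256": "AES-256"}
HASH = {"md5": "MD5", "sha": "SHA1", "sha256": "SHA-256", "sha384": "SHA-384", "sha512": "SHA-512"}
AUTH = {"pre-share": "Pre-Shared Secret", "rsa-sig": "RSA Signatures", "rsa-encr": "RSA Encryption"}


def parse_isakmp_policies(config):
    """Return {priority: {parameter: value}} for each 'crypto isakmp policy'
    block in IOS config text, with omitted parameters set to the IOS default."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_DEFAULTS)
            continue
        if current is None or not line or line.startswith("!"):
            continue
        key, _, value = line.partition(" ")
        key = ALIASES.get(key, key)
        if key in IOS_DEFAULTS:
            policies[current][key] = " ".join(value.split())
        elif not raw.startswith(" "):
            current = None  # an unindented, unrelated command ends the block
    return policies


def normalize(policy):
    """Express one parsed IOS policy in Check Point's terms."""
    return {
        "Encryption": ENC.get(policy["encryption"], policy["encryption"].upper()),
        "Hash": HASH.get(policy["hash"], policy["hash"].upper()),
        "Authentication Method": AUTH.get(policy["authentication"], policy["authentication"]),
        "DH Group": "Group " + policy["group"],
        "Lifetime (s)": policy["lifetime"],
    }


def mismatches(policy, peer_proposal):
    """{field: (ios_value, peer_value)} for every field in peer_proposal the policy fails."""
    ours = normalize(policy)
    return {k: (ours[k], v) for k, v in peer_proposal.items() if ours[k] != v}


def first_matching_policy(config, peer_proposal):
    """IOS offers policies in ascending priority; return the first the peer
    would accept, or None (the 'Failed to match proposal' case)."""
    for prio, policy in sorted(parse_isakmp_policies(config).items()):
        if not mismatches(policy, peer_proposal):
            return prio
    return None


# Constructed sample inputs, not taken from any real device.
CHECKPOINT_PHASE1 = {  # transcribed from the Check Point log message
    "Encryption": "AES-256",
    "Hash": "SHA1",
    "Authentication Method": "Pre-Shared Secret",
    "DH Group": "Group 2",
}
POLICY_AES_DEFAULT_SIZE = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
"""
POLICY_FIXED = POLICY_AES_DEFAULT_SIZE.replace(" encr aes\n", " encr aes 256\n")
POLICY_NO_AUTH_LINE = """\
crypto isakmp policy 10
 encr aes 256
 group 2
"""

if __name__ == "__main__":
    for name, cfg in [("default AES size", POLICY_AES_DEFAULT_SIZE), ("fixed", POLICY_FIXED),
                      ("no authentication line", POLICY_NO_AUTH_LINE)]:
        print(name, "->", mismatches(parse_isakmp_policies(cfg)[10], CHECKPOINT_PHASE1) or "matches")
```

                      The lifetime is reported but not compared in the sample because Check Point accepts a shorter lifetime from the initiator; add it to the dict if the peer insists on an exact value.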

                      • 8. Re: site2site vpn between ios - checkpoint
                        arteq

                        Good to know... thanks for the resolution..

                        This may be it:

                        IPsec Transport and Tunnel Modes

                        By default, the ASA uses IPsec tunnel mode—the entire original IP datagram is encrypted, and it becomes the payload in a new IP packet. This mode allows a network device, such as a router, to act as an IPsec proxy. That is, the router performs encryption on behalf of the hosts. The source router encrypts packets and forwards them along the IPsec tunnel. The destination router decrypts the original IP datagram and forwards it on to the destination system. The major advantage of tunnel mode is that the end systems do not need to be modified to receive the benefits of IPsec. Tunnel mode also protects against traffic analysis; with tunnel mode, an attacker can only determine the tunnel endpoints and not the true source and destination of the tunneled packets, even if they are the same as the tunnel endpoints.

                        • 9. Re: site2site vpn between ios - checkpoint
                          arteq

                          And behind door number two:

                          However, the Windows L2TP/IPsec client uses IPsec transport mode—only the IP payload is encrypted, and the original IP headers are left intact. This mode has the advantages of adding only a few bytes to each packet and allowing devices on the public network to see the final source and destination of the packet. Figure 62-1 illustrates the differences between IPsec Tunnel and Transport modes.

                          In order for Windows L2TP/IPsec clients to connect to the ASA, you must configure IPsec transport mode for a transform set using the crypto ipsec transform-set trans_name mode transport command. This command is in the configuration procedure that follows.

                          With this transport capability, you can enable special processing (for example, QoS) on the intermediate network based on the information in the IP header. However, the Layer 4 header is encrypted, which limits the examination of the packet. Unfortunately, if the IP header is transmitted in clear text, transport mode allows an attacker to perform some traffic analysis.