Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 26 replies
  • Subscribers 3 subscribers
  • Views 27451 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 => Checkpoint IPSec S2S VPN

thentom
Hi,
I established an IPSec Site2Site VPN between our UTM and a Checkpoint Firewall. 
Both sides are using networks (not hosts) to be encrypted.
local: 10.33.86.0/24  remote: 172.20.250.0/24
The tunnel works, I can reach IPs in remote network 172.20.250.0/24
but the remote network can't reach IP's in my local network 10.33.86.0/24

This is the corresponding error message:

2013:01:03-18:14:38 fw-1 pluto[24905]: "S2S_1" #12: cannot respond to IPsec SA request because no connection is known for 10.33.86.5/32===***.***.x.2[***.***.***.2]...***.***.***.4[***.***.***.4]===172.20.250.10/32
2013:01:03-18:14:38 fw-1 pluto[24905]: "SS2S_1" #12: sending encrypted notification INVALID_ID_INFORMATION to ***.***.***.4:500

To work around this issue I added the host 10.33.86.5/32 to our local networks and 172.20.250.10/32 to the remote networks. As result, all IPs in 10.33.86.0/24 were reachable from remote side.
We compared everything 10 times. Tunnels between 2 Astaro UTMs are working as expected.
Does anybody have an idea about this?
Cheers
Thomas


This thread was automatically locked due to age.
Parents
  • 0
    In researching IKEv2, which is unsupported in ASG/UTM, I came upon this thread.

    User coewar has suggested: Upgrade to modern version of StrongSWAN which uses charon instead of pluto

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Hi everyone,

     

    I´m new on this community so excuse me if I post something wrongly.

     

    I´m finding the same issue discussed on this thread of several years ago and I´m really interested on finding a solution.

     

    The remote device is a Checkpoint and the problem is that remote hosts can´t reach local hosts, like for someone at the begining of this thread. Let me show some screenshots:

     

    And from the remote side:

     

    About the INVALID_MESSAGE_ID, this is an example of several days ago:

    2019:08:06-09:54:54 asg220 pluto[16211]: "S_VPN_xxx_yyy" #97425: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x61462fd7 (perhaps this is a duplicated packet)

    2019:08:06-09:54:54 asg220 pluto[16211]: "S_VPN_xxx_yyy" #97425: sending encrypted notification INVALID_MESSAGE_ID to 217.x.y.65:500

     

    Many thanks in advance and best regards,

    Antonio

  • 0 in reply to Antonio

    Hola Antonio and welcome to the UTM Community!

    Your IKE Phase 1 timeout is different than the selection on the Checkpoint, 21600 vs. 360.

    You presently have both DPD and NAT-T disabled.  It's rare that you don't want NAT-T enabled.  Try with both enabled.  These selections in the UTM should match those in the Checkpoint.

    Just looking at two lines from the IPsec log is too few.  Since all 120 IPsec SAs are established, I'm confused about what problem you're seeing.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0 in reply to Antonio

    Hola Antonio and welcome to the UTM Community!

    Your IKE Phase 1 timeout is different than the selection on the Checkpoint, 21600 vs. 360.

    You presently have both DPD and NAT-T disabled.  It's rare that you don't want NAT-T enabled.  Try with both enabled.  These selections in the UTM should match those in the Checkpoint.

    Just looking at two lines from the IPsec log is too few.  Since all 120 IPsec SAs are established, I'm confused about what problem you're seeing.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson
    Hi Bob,
     
    First of all, thanks a lot for your quick response, really appreciated.
     
    Checkpoint uses minutes in the lifetime field of IKE (360) and seconds in the IPSEC (21600). So, it should be matching with our policy.
     
    I have just enabled both NAT-T and DPD, but unfortunately the problem persists.
     
    What I´m seeing too in our logs today (not sure if after enabling NAT-T and DPD or not) is this kind of messages:
     
    2019:08:22-08:42:24 asg220 pluto[29256]: "S_VPN_xxx_yyy" #514: cannot respond to IPsec SA request because no connection is known for 10.60.160.0/24===62.x.y.212[62.x.y.212]...217.x.y.65[217.x.y.65]===10.105.14.0/24
     
    Actually, the network defined in our encryption domain is 10.105.14.0/23, and the customer confirms it´s defined with /23 too at his side. So I don´t know why we are getting /24...
     
     
     
    I´m getting this kind of messages with different networks but all definitions matches with the customer ones, like the one above.
     
    Thanks again and Best regards,
    Antonio
  • 0 in reply to Antonio

    Hi again Bob,

     

    In addition, the customer is seeing the next message at his Checkpoint:

     

     

    I guess all happen for the same reason, differences in SAs of encryption domain. But the question is, why?

     

    Thanks a lot,

    Antonio

  • 0 in reply to Antonio

    There's no way for an IPsec SA to be active (checkmark in green dot), Antonio, unless the associated IKE was successful.  Other than these lines in the log, what problem are you having?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi Bob,
     
    The problem is that remote hosts, behind Checkpoint device, can´t reach hosts of our local network, behind Sophos UTM. So, it´s the same behaviour described at the beginning of this thread by Thomas:
     
    I established an IPSec Site2Site VPN between our UTM and a Checkpoint Firewall. 
    Both sides are using networks (not hosts) to be encrypted.
    local: 10.33.86.0/24  remote: 172.20.250.0/24
    The tunnel works, I can reach IPs in remote network 172.20.250.0/24
    but the remote network can't reach IP's in my local network 10.33.86.0/24
    This is the corresponding error message:
    2013:01:03-18:14:38 fw-1 pluto[24905]: "S2S_1" #12: cannot respond to IPsec SA request because no connection is known for 10.33.86.5/32===***.***.x.2[***.***.***.2]...***.***.***.4[***.***.***.4]===172.20.250.10/32
    2013:01:03-18:14:38 fw-1 pluto[24905]: "SS2S_1" #12: sending encrypted notification INVALID_ID_INFORMATION to ***.***.***.4:500
    To work around this issue I added the host 10.33.86.5/32 to our local networks and 172.20.250.10/32 to the remote networks. As result, all IPs in 10.33.86.0/24 were reachable from remote side.
    We compared everything 10 times. Tunnels between 2 Astaro UTMs are working as expected.
    Does anybody have an idea about this?
    Cheers
    Thomas
     
    Thanks,
    Antonio
Unfiltered HTML