Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 26 replies
  • Subscribers 3 subscribers
  • Views 26705 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM9 => Checkpoint IPSec S2S VPN

thentom
Hi,
I established an IPSec Site2Site VPN between our UTM and a Checkpoint Firewall. 
Both sides are using networks (not hosts) to be encrypted.
local: 10.33.86.0/24  remote: 172.20.250.0/24
The tunnel works, I can reach IPs in remote network 172.20.250.0/24
but the remote network can't reach IP's in my local network 10.33.86.0/24

This is the corresponding error message:

2013:01:03-18:14:38 fw-1 pluto[24905]: "S2S_1" #12: cannot respond to IPsec SA request because no connection is known for 10.33.86.5/32===***.***.x.2[***.***.***.2]...***.***.***.4[***.***.***.4]===172.20.250.10/32
2013:01:03-18:14:38 fw-1 pluto[24905]: "SS2S_1" #12: sending encrypted notification INVALID_ID_INFORMATION to ***.***.***.4:500

To work around this issue I added the host 10.33.86.5/32 to our local networks and 172.20.250.10/32 to the remote networks. As result, all IPs in 10.33.86.0/24 were reachable from remote side.
We compared everything 10 times. Tunnels between 2 Astaro UTMs are working as expected.
Does anybody have an idea about this?
Cheers
Thomas


This thread was automatically locked due to age.
  • 0 in reply to BAlfson
    Hi Bob,
     
    First of all, thanks a lot for your quick response, really appreciated.
     
    Checkpoint uses minutes in the lifetime field of IKE (360) and seconds in the IPSEC (21600). So, it should be matching with our policy.
     
    I have just enabled both NAT-T and DPD, but unfortunately the problem persists.
     
    What I´m seeing too in our logs today (not sure if after enabling NAT-T and DPD or not) is this kind of messages:
     
    2019:08:22-08:42:24 asg220 pluto[29256]: "S_VPN_xxx_yyy" #514: cannot respond to IPsec SA request because no connection is known for 10.60.160.0/24===62.x.y.212[62.x.y.212]...217.x.y.65[217.x.y.65]===10.105.14.0/24
     
    Actually, the network defined in our encryption domain is 10.105.14.0/23, and the customer confirms it´s defined with /23 too at his side. So I don´t know why we are getting /24...
     
     
     
    I´m getting this kind of messages with different networks but all definitions matches with the customer ones, like the one above.
     
    Thanks again and Best regards,
    Antonio
  • 0 in reply to Antonio

    Hi again Bob,

     

    In addition, the customer is seeing the next message at his Checkpoint:

     

     

    I guess all happen for the same reason, differences in SAs of encryption domain. But the question is, why?

     

    Thanks a lot,

    Antonio

  • 0 in reply to Antonio

    There's no way for an IPsec SA to be active (checkmark in green dot), Antonio, unless the associated IKE was successful.  Other than these lines in the log, what problem are you having?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson
    Hi Bob,
     
    The problem is that remote hosts, behind Checkpoint device, can´t reach hosts of our local network, behind Sophos UTM. So, it´s the same behaviour described at the beginning of this thread by Thomas:
     
    I established an IPSec Site2Site VPN between our UTM and a Checkpoint Firewall. 
    Both sides are using networks (not hosts) to be encrypted.
    local: 10.33.86.0/24  remote: 172.20.250.0/24
    The tunnel works, I can reach IPs in remote network 172.20.250.0/24
    but the remote network can't reach IP's in my local network 10.33.86.0/24
    This is the corresponding error message:
    2013:01:03-18:14:38 fw-1 pluto[24905]: "S2S_1" #12: cannot respond to IPsec SA request because no connection is known for 10.33.86.5/32===***.***.x.2[***.***.***.2]...***.***.***.4[***.***.***.4]===172.20.250.10/32
    2013:01:03-18:14:38 fw-1 pluto[24905]: "SS2S_1" #12: sending encrypted notification INVALID_ID_INFORMATION to ***.***.***.4:500
    To work around this issue I added the host 10.33.86.5/32 to our local networks and 172.20.250.10/32 to the remote networks. As result, all IPs in 10.33.86.0/24 were reachable from remote side.
    We compared everything 10 times. Tunnels between 2 Astaro UTMs are working as expected.
    Does anybody have an idea about this?
    Cheers
    Thomas
     
    Thanks,
    Antonio
  • 0

    I had in the past similar problems with customers using Checkpoint.

    There were 2 isse causes:

    Checkpoint per deafult tries superneting (10.0.0.0/8-effect). There is an option to switch this off

    One customer had selected transport- and not tunnel mode (/32-effect)

     

    Sorry, I have no ceckpoint to give more information, I only had some experience with cutomers.

  • 0 in reply to papa_

    Thanks so much for your feedback, papa_

     

    I´ll ask to the customer on working on that way.

     

    Thanks again and best regards,

    Antonio

Unfiltered HTML