Resolution 17399: "No Valid SA" when creating IPSEC tunnel with an interoperable device

Subject: "No Valid SA" when creating IPSEC tunnel with an interoperable device
Product Line: Firewalls
Category: VPN-1/Firewall-1
Version: NG FP3 And Later
Date Modified: 06/28/2004
|---------------------------------------------------------------------------------------------------------------------------------->
|Description:
|
|---------------------------------------------------------------------------------------------------------------------------------->
>--------------------------------+-----------------------------------------------|
| |Creating VPN tunnels in VPN-1/FireWall-1 NG
FP3|
| |or AI with other interoperable devices such
as |
| |Netscreen, Cisco IOS, Cisco PIX, or
SonicWall |
| |fails with the "No Valid SA" messages in
|
| |SmartView Tracker. VPN sessions work one
way |
| |when traffic is initiated from
interoperable |
| |device but fails when traffic is initiated
from|
| |NG side.
|
| |
|
| |When viewing the ike.elg debug file it
shows |
| |that Phase I completes successfully,
however |
| |phase II only sends the first packet. The
third|
| |party device responds with an invalid id
error |
| |message and resets the negotiation. You can
|
| |further observe that the sender id is using
a |
| |/31 subnet id even though it should be
|
| |negotiating with a /32 host id. It appears
that|
| |the Check Point NG box is supernetting the
|
| |subnet mask when it should not causes the
|
| |invalid SA (security association) to occur.
|
| |
|
| |Setting ike_use_largest_possible_subnets to
|
| |false in $FWDIR/conf/objects_5_0.C is
ignored. |
>--------------------------------+-----------------------------------------------|
|---------------------------------------------------------------------------------------------------------------------------------->
|
|
|---------------------------------------------------------------------------------------------------------------------------------->
>--------------------------------+-----------------------------------------------|
| |
|
>--------------------------------+-----------------------------------------------|
|---------------------------------------------------------------------------------------------------------------------------------->
|Solution:
|
|---------------------------------------------------------------------------------------------------------------------------------->
>--------------------------------+-----------------------------------------------|
| |The nature of this problem is due to the
|
| |ability of VPN-1/FireWall-1 NG to
dynamically |
| |supernet subnets to reduce the amount of SA
|
| |overhead normally generated by vpn traffic.
|
| |Most third party vendors are inherently
static |
| |and therefore do not have the ability to
|
| |understand this dynamic behaviour.
|
| |
|
| |There are currently three possible
solutions to|
| |this problem.
|
| |
|
| |Solution A-Check Point's official solution
|
| |
|
| |1. Upgrade to NG FP3 HF2 or higher.
|
| |
|
| |2. Edit objects_5_0.C and change the
variable |
| |ike_use_largest_possible_subnets to false.
|
| |
|
| |See Resolution 8418:
|
| |How do I edit or modify objects file on the
|
| |Management Server in FireWall-1 NG
(dbedit)? |
| |
|
| |3. Configure the "max_subnet_for_range"
table |
| |in $FWDIR/lib/user.def on the management
|
| |console (SmartCenter). This table is
designed |
| |to force VPN-1/FireWall-1 to negotiate
IPSEC |
| |SAs using a specific subnet mask for a
given IP|
| |address range.
|
| |
|
| |Table name and format:
|
| |
|
| |max_subnet_for_range = {
|
| |<first_IP_in_range, last_IP_in_the_range;
|
| |subnet_mask>, <first_IP_in_range,
|
| |last_IP_in_the_range; subnet_mask>,
|
| |<first_IP_in_range, last_IP_in_the_range;
|
| |subnet_mask>};
|
| |
|
| |
|
| |For example, if we insert the table in the
|
| |$FWDIR/lib/user.def in example 1:
|
| |
|
| |#ifndef __user_def__
|
| |#define __user_def__
|
| |//
|
| |// User defined INSPECT code
|
| |//
|
| |
|
| |max_subnet_for_range = {
|
| |<0.0.0.0, 10.29.39.255; 255.255.255.0>,
|
| |<10.29.40.0, 10.29.50.255;
255.255.255.255>, |
| |<10.29.51.0, 255.255.255.255; 255.255.0.0>
|
| |};
|
| |
|
| |#endif /* __user_def__ */
|
| |
|
| |
|
| |
|
| |The network and subnet for IKE negotiation
will|
| |be determined according to the table above.
|
| |When the remote VPN gateway requests an
IPSEC |
| |SA for a given IP address, VPN-1/FireWall-1
|
| |will compare that IP address against the
|
| |max_subnet_for_range table and use the
netmask |
| |specified in the table when negotiating the
SA.|
| |You will configure this table based on how
the |
| |remote VPN endpoint is configured to
negotiate |
| |SAs.
|
| |
|
| |For ranges not specified in the table, the
|
| |subnet mask will be determined as if
|
| |ike_use_largest_possible_subnets variable
were |
| |set to "true", wherever is relevant.
|
| |
|
| |In Example 1, the configuration would work
in |
| |the following way:
|
| |- For the host IP 10.29.23.1 the network IP
|
| |used in the IPSEC SA would be 10.29.23.0/24
|
| |- For the host IP 10.29.46.45 the network
IP |
| |used in the IPSEC SA would be 10.29.46.45
(just|
| |one IP, i.e. a HOST SA)
|
| |- For the host IP 10.29.102.1 the network
IP |
| |used in the IPSEC SA would be 10.29.0.0/16
|
| |
|
| |Example 2
|
| |
|
| |------------------------------
|
| |#ifndef __user_def__
|
| |#define __user_def__
|
| |
|
| |//
|
| |// User defined INSPECT code
|
| |//
|
| |
|
| |max_subnet_for_range = {
|
| |<172.16.0.0, 172.28.255.255; 255.255.0.0>
|
| |};
|
| |
|
| |#endif /* __user_def__ */
|
| |
|
| |
|
|
|-----------------------------------------------|
| |-------------
|
| |In Example 2, the configuration would work
in |
| |the following way:
|
| |- For the host IP 172.16.1.1 the network IP
|
| |would be 172.16.0.0/16
|
|
|-----------------------------------------------|
| |----
|
| |
|
| |4. Save the edited $FWDIR/lib/user.def
file. |
| |
|
| |5. Open the SmartDashboard and reinstall
the |
| |security policy on the firewall module
|
| |
|
| |Notes: Please avoid defining overlapping
ranges|
| |in the table.
|
| |
|
| |Solution B
|
| |
|
| |Turn off "support for key exchange for
subnets"|
| |on both gateways in question. This will
force |
| |negotiation with host id's and will
|
| |substantualy increase phase II SA's,
however |
| |this will also resolve the issue.
|
| |
|
| |Solution C
|
| |
|
| |Change the encryption domain of the
|
| |VPN-1/FireWall-1 NG enforcement module to
use a|
| |specific subnet instead of using hosts or
|
| |groups. This will stop VPN-1/FireWall-1 NG
from|
| |supernetting hosts since they now are part
of a|
| |subnet which has been manually defined.
|
| |
|
| |Optional Solution D: Use if VPN is
established |
| |but intermittent VPN drops are still
occuring |
| |between CheckPoint NG and an interoperable
|
| |device:
|
| |
|
| |Intermittent drops are occuring between
|
| |Checkpoint NG FP3 or later and an
interoperable|
| |device. SmartView Tracker shows the "No
Valid |
| |SA" messages and after some time, VPN
|
| |connectivity restores without user
|
| |intervention. Also, VPN can also be restore
by |
| |repushing policys to the NG box, rebooting
NG, |
| |or flushing IPSEC SAs on NG box by using
the |
| |vpn tunnelutil command.
|
| |
|
| |An IPSEC SA negogiation can sometimes
failed |
| |when lifetime of the old SA. expires.
|
| |Persistent IPSEC tunnels can be set up on
the |
| |NG side to prevent the from occuring. The
|
| |tunnel (if configures for persistence) will
|
| |place a timer that will go off some time
before|
| |the actual SA will expire, allowing the
|
| |gateways to renegotiate a new SA during the
|
| |lifetime of the old SA. This will keep an
SA |
| |and the VPN tunnel alive always.
|
| |
|
| |This solves the problem of expiring SAs. To
|
| |configure a Persistent IPSec Tunnel, the
user |
| |must define the IP range that is to be
|
| |persistent. If a user has two gateways that
|
| |needs persistent tunnel, for example,
between |
| |IP host address of 10.20.30.23 and
192.168.1.5,|
| |then the user must define a network range
that |
| |contains at least one of the above IP
|
| |addresses.
|
| |
|
| |For example, the range: <10.20.30.23,
|
| |10.20.30.23>. The range is actually one IP.
The|
| |range can be configured to be from one to
the |
| |maximum number of IPs.
|
| |
|
| |The IP ranges are configured in a table
called |
| |persistent_mspi_ranges, which is a static
table|
| |that is defined in the $FWDIR/lib/user.def
file|
| |on the management station.
|
| |
|
| |persistent_mspi_ranges = { , , ... };
|
| |
|
| |Example:
|
| |
|
| |persistent_mspi_ranges = { <10.20.30.0,
|
| |10.20.30.50>,<172.16.0.0, 172.16.0.255> };
|
| |
|
| |
|
| |Install the policy to the gateway modules.
|
>--------------------------------+-----------------------------------------------|
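As an added example (not part of the resolution or of Check Point's own code), the following Python reproduces the lookup the resolution describes for the max_subnet_for_range table: it maps a host address to the network that the NG side would propose in its Phase 2 ID, so the table can be compared with the peer's proxy-ID configuration before policy is pushed, and it reports overlapping ranges, which the Notes say to avoid. The table text is a constructed copy of Example 1 and the helper names are mine; an address outside every range returns None because the text only says the dynamic supernetting behaviour then applies.

```python
import ipaddress
import re

# Constructed copy of the resolution's Example 1 table (not a real site's user.def).
USER_DEF_EXAMPLE_1 = """
#ifndef __user_def__
#define __user_def__
max_subnet_for_range = {
<0.0.0.0, 10.29.39.255; 255.255.255.0>,
<10.29.40.0, 10.29.50.255; 255.255.255.255>,
<10.29.51.0, 255.255.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
"""

TABLE_RE = re.compile(r"max_subnet_for_range\s*=\s*\{(.*?)\}\s*;", re.S)
ENTRY_RE = re.compile(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>")

def parse_max_subnet_for_range(text):
    """Return [(first, last, mask)] as ints from the table in a user.def text."""
    m = TABLE_RE.search(text)
    if not m:
        raise ValueError("no max_subnet_for_range table found")
    entries = []
    for first, last, mask in ENTRY_RE.findall(m.group(1)):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        if lo > hi:
            raise ValueError(f"inverted range <{first}, {last}>")
        entries.append((lo, hi, int(ipaddress.IPv4Address(mask))))
    return entries

def overlapping_ranges(entries):
    """The resolution says to avoid overlapping ranges; return the offending pairs."""
    bad = []
    for i, (lo1, hi1, _) in enumerate(entries):
        for lo2, hi2, _ in entries[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                bad.append((str(ipaddress.IPv4Address(lo1)), str(ipaddress.IPv4Address(lo2))))
    return bad

def proxy_id_for_host(entries, host):
    """Network the NG side proposes in the Phase 2 ID for `host`, as 'a.b.c.d/len'.
    None means no range matched, so the dynamic supernetting behaviour applies."""
    h = int(ipaddress.IPv4Address(host))
    for lo, hi, mask in entries:
        if lo <= h <= hi:
            netmask = str(ipaddress.IPv4Address(mask))
            return str(ipaddress.IPv4Network((h & mask, netmask)))
    return None
```

Run proxy_id_for_host over the hosts the peer is expected to talk to and compare the results with the proxy IDs configured on the interoperable device; the three hosts from Example 1 yield 10.29.23.0/24, 10.29.46.45/32 and 10.29.0.0/16.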
From: [EMAIL PROTECTED]PORE.COM
Sent by: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
Date: 14/01/2005 14.53
Please respond to: Mailing list for discussion of Firewall-1 <FW-1-MAILINGLIST@AMADEUS.US.CHECKPOINT.COM>
To: [EMAIL PROTECTED]INT.COM
cc:
Subject: Re: [FW-1] NG FP3 / NS25 VPN issue
In NG, modify the Netscreen firewall object to disable "Support key
exchange for subnets". If you have an account on the Nokia web site, look
at resolution ID 17399.
Keith
From: Marius Banica <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
Date: 01/14/2005 06:14 AM
Please respond to: Mailing list for discussion of Firewall-1 <[email protected]>
To: [email protected]
cc:
Subject: Re: [FW-1] NG FP3 / NS25 VPN issue
Hi,
The message usually appears when there really is a mismatch in the SA.
You need to double-check the definitions on both sides (NS and Check Point
side): encryption scheme, network topology, NAT etc... etc...
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Robert
Geller
Sent: Friday, January 14, 2005 4:08 AM
To: [email protected]
Subject: [FW-1] NG FP3 / NS25 VPN issue
Group:
I'm setting up a VPN with a Check Point VRRP cluster running NG FP3 and
a NetScreen 25 running 5.0.0r8.0 in NAT / ROUTED mode.
In a nutshell, I am able to get to the Check Point internal side
through the VPN, however they are not able to get to the NetScreen
side.
I'm getting these messages in the event log (on the NS25):
Rejected an IKE packet on ethernet1 from AA.AA.AA.AA:500 to
BB.BB.BB.BB :500 with cookies XYZ and XYZ because the peer sent a
proxy ID that did not match the one in the SA config.
IKE<AA.AA.AA.AA> Phase 2 msg ID <XYZ>: Negotiations have failed.
I have experience with Check Point, and I know NG FP3 has a lot of
issues, however I'm not admin'ing these units. The admin is saying
they are not having any other issues.
Any ideas?
-Rob
--
This message has been scanned for viruses and
dangerous content, and is believed to be clean.
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
--
No virus found in this incoming message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.6.11 - Release Date: 12/01/2005
Pursuant to Legislative Decree no. 196/2003, please note that the
information contained in this message and in any attachments is
confidential and for the exclusive use of the addressee. Persons other
than the addressee may not copy or distribute the message to third
parties. Anyone who receives this message in error is asked to destroy
it and to inform [EMAIL PROTECTED] immediately.