I've attached a little text document I wrote up on the whole VPN Domain
Summarization mess. It was written for R55. I think it's all correct, but
I'd be happy to hear about any mistakes.
Jim
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Sagiv Filler
> Sent: Monday, August 01, 2005 3:07 AM
> To: [email protected]
> Subject: Re: [FW-1] Checkpoint R55 and Cisco PIX Site to Site VPN
>
> Sometimes just changing the ike_largest_possible_subnet parameter in the
> $FWDIR/conf/objects_5_0.C file will not be enough and you will need to
> edit a file named $FWDIR/lib/user.def
>
> Sagiv
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of
> cisco4ng
> Sent: Sunday, July 31, 2005 3:44 PM
> To: [email protected]
> Subject: Re: [FW-1] Checkpoint R55 and Cisco PIX Site to Site VPN
>
>
> Well, you need to read the document more closely...
>
> For that situation, you need to do the following:
>
> On the Check Point side:
>
> 1) modify the ike_largest_possible_subnet parameter via dbedit or
> gui-dbedit from true to "false",
> 2) put in the appropriate rule to allow VPN traffic.
>
> On the PIX side:
>
> 1) create two access-lists, one ACL will be applied to your NAT 0. The
> other ACL will be applied to the crypto map.
>
> 2) In the ACL that will be used for the crypto map, you just allow
> access from a specific host behind the PIX to access the entire CP
> encryption domain or whatever you choose.
>
> By making the ike_largest_possible_subnet change, you will have the
> workaround for Check Point supernetting. I run into this problem all the
> time with VPNs between CP and Cisco devices (Cisco IOS, VPN concentrator,
> Cisco PIX, etc...)
>
> HTH
>
>
> Sagiv Filler <[EMAIL PROTECTED]> wrote:
> Well......
>
> This document is OK in case you need to be able to encrypt to the
> entire encryption domain on both sides. However, sometimes this is not
> the case. Sometimes you need to be able to open an encrypted connection
> only to one or, let's say, 5 machines (on the Check Point side) from that
> specific PIX while allowing a different CP to get access to the entire
> encryption domain. In this case you will encounter problems because of
> Check Point's supernetting
>
> Sagiv
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf
> Of no-need
> to-list
> Sent: Thursday, July 28, 2005 8:25 PM
> To: [email protected]
> Subject: Re: [FW-1] Checkpoint R55 and Cisco PIX Site to Site VPN
>
>
> This document from the Cisco site will help you.......
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800ef796.shtml
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b4b40.shtml
>
>
> Sathya Prakash J wrote:
> Hi
>
> Can anyone share a document on configuring site to site VPN between
> CISCO PIX and Checkpoint R55 ?
>
> Regards
> Sathya Prakash
>
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
>
>
>
>
[README!!!]
These instructions were written for NGAI R55. In NGX R60 some of the settings
have changed. The concepts all remain the same, but you make the changes on
different screens. Basically this means that in NGX, for "The easy host based
fix" I describe later on in this doc, you need to change a different setting.
In the interoperable device and/or in the VPN community properties go to
"Tunnel Management" and select "One VPN tunnel per each pair of hosts". This
does the same thing as unchecking "Support key exchange for subnets" back in
the good ol' R55 days. The other, more complicated, solutions I describe below
have also probably changed, but I haven't had time to research this yet.
[What is the VPN domain summarization problem?]
When you create a VPN, by default Check Point will summarize any contiguous
subnets in the VPN domain and negotiate one tunnel for the resulting supernet.
This presents a problem when the peer is a non-Check Point VPN device, since it
will usually not be using the same netmask for the VPN domain (most non-Check
Point devices do not supernet the VPN domain; they use the networks exactly as
they were configured).
If you don't have any contiguous subnets, Check Point will create one tunnel
for each network as it is defined. This can also present a problem if the
remote device has your network defined with a different netmask. For example,
if the remote end only needs to connect to devices in our 172.16.1.x range they
may define our internal network as 172.16.1.0/24 (i.e. a 255.255.255.0 mask).
On our end, however, our internal network is defined as 172.16.0.0/16 (a
255.255.0.0 mask). This will cause problems, since each device (the remote
firewall and our firewall) has our internal network (i.e. VPN domain) defined
differently, so the Phase 2 (Quick Mode) IDs the two sides propose will not
match.
Note that this problem can occur with the local VPN domain and/or the remote
VPN domain definitions. Both VPN endpoints (firewalls) must define both the
local and the remote VPN domain the same way. If the VPN domain netmasks are
not set exactly the same, either the tunnel won't come up at all, or it will
only work in one direction.
[What is the "Support key exchange for subnets" setting?]
In your interoperable device under "VPN->VPN Advanced" there is a setting for
"Support key exchange for subnets". Per sk14378, with this setting enabled the
firewall will supernet any contiguous subnets in your VPN domain and create one
VPN tunnel for the entire supernet. If your VPN domain doesn't contain any
contiguous subnets no supernetting will be done; it will just create one tunnel
for each network as defined.
If this setting is unchecked the Check Point firewall will no longer create
network based VPN tunnels with this VPN peer. Instead it will create a new VPN
tunnel (a separate Phase 2 SA) for each pair of hosts that communicates over
this VPN. This isn't as efficient as using network based VPN tunnels, but
sometimes it's required for interoperability with non-Check Point VPN devices.
[What is the "ike_use_largest_possible_subnets" setting?]
"ike_use_largest_possible_subnets" only applies to a connection if "Support key
exchange for subnets" is enabled (in the interoperable device). By default
"ike_use_largest_possible_subnets" is enabled. When this is enabled contiguous
subnets in a VPN domain get supernetted as described in my first section, "What
is the VPN domain summarization problem?".
In the section at the end of this file titled 'The harder "manual domain
summary specification" fix' it describes how to disable
"ike_use_largest_possible_subnets" (i.e. set it to false).
I've pasted the text from sk17544 below. It describes how the network mask is
determined when "ike_use_largest_possible_subnets" is set to false.
*********************
Configure the "max_subnet_for_range" table in $FWDIR/lib/user.def on the
management (SmartCenter).
Table name and format:
max_subnet_for_range = {
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
...
<first_IP_in_range, last_IP_in_the_range; subnet_mask>
};
The network and subnet mask for IKE negotiation will be determined according
to the table above. The host's IP will be matched against the relevant entry
in this table, and that entry's subnet mask will be used for negotiation. For
ranges not specified in the table, the subnet mask will be determined as if
ike_use_largest_possible_subnets were set to "true", wherever relevant.
*********************
The host they refer to above is a host in the remote device's VPN domain.
[The easy host based fix]
The easiest solution, which usually works, is to change to a host based VPN
domain definition. This is done by editing the Interoperable Device used by
this VPN, going to "VPN->VPN Advanced", and then unchecking (disabling)
"Support key exchange for subnets".
Once you push policy this VPN should now use host based VPN tunnels. Just to
make sure the new settings take effect, delete the existing VPN tunnel(s) with
this peer. See the "Delete the VPN tunnel(s) for one peer" section in "Misc
HowTo.txt" for information on how to do this.
To verify that you're using host based VPN domains in SmartView Tracker (under
the "VPN-1" query) you can search in the information field for text like this:
"IKE: Quick Mode completion IKE IDs: host: 172.16.10.56 and host: 156.30.21.201"
Notice that the IKE IDs are for hosts. If you're not using host based VPN
domains you'll see text like this instead:
"IKE: Quick Mode completion IKE IDs: subnet: 172.16.0.0 (mask= 255.255.0.0) and
subnet: 192.168.171.0 (mask= 255.255.255.192)"
In the example above you can tell it's not using host based domains since it
has the word "subnet" and displays network masks (255.255.0.0 &
255.255.255.192).
Note that host based VPN tunnels will only work if the other side is also set
up for host based VPNs. Although it varies by vendor, this is usually
accomplished by having them define our VPN domain as individual hosts instead
of an entire network.
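As an added check (not part of the original write-up), the following Python parses SmartView Tracker Information-field text in exactly the two forms quoted above and reports whether the Phase 2 IDs are hosts or subnets, so you can confirm after a policy push that the peer really is negotiating host based tunnels. The sample lines are constructed from the write-up's own examples (plus one non-Quick-Mode line to show it is ignored), and the regex assumes the field keeps that "host: A.B.C.D" / "subnet: A.B.C.D (mask= M.M.M.M)" layout.

```python
import re

# Constructed SmartView Tracker "Information" field text, in the two forms
# quoted in the write-up; the third line is not a Quick Mode completion.
SAMPLE_LOG_LINES = [
    "IKE: Quick Mode completion IKE IDs: host: 172.16.10.56 and host: 156.30.21.201",
    "IKE: Quick Mode completion IKE IDs: subnet: 172.16.0.0 (mask= 255.255.0.0) "
    "and subnet: 192.168.171.0 (mask= 255.255.255.192)",
    "IKE: Main Mode completion.",
]

# One Phase 2 ID: "host: <ip>" or "subnet: <ip> (mask= <mask>)".
IKE_ID_RE = re.compile(
    r"(host|subnet):\s*(\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s*\(mask=\s*(\d{1,3}(?:\.\d{1,3}){3})\))?"
)


def parse_quick_mode_ids(line):
    """Return the Phase 2 IDs in a Quick Mode completion message as a list of
    (kind, address, mask) tuples; a host ID carries an implicit /32 mask.
    Lines that are not Quick Mode completions return an empty list."""
    if "Quick Mode completion IKE IDs:" not in line:
        return []
    return [
        (kind, addr, mask if kind == "subnet" else "255.255.255.255")
        for kind, addr, mask in IKE_ID_RE.findall(line)
    ]


def host_based(line):
    """True only if every ID in the message is a host ID, i.e. the peer is
    negotiating host based tunnels as the easy fix intends."""
    ids = parse_quick_mode_ids(line)
    return bool(ids) and all(kind == "host" for kind, _, _ in ids)


def tunnel_summary(lines):
    """Count Quick Mode completions by ID type so a policy push can be checked
    against a whole batch of log lines, not just one."""
    counts = {"host": 0, "subnet": 0, "mixed": 0}
    for line in lines:
        ids = parse_quick_mode_ids(line)
        if not ids:
            continue
        kinds = {kind for kind, _, _ in ids}
        counts["mixed" if len(kinds) > 1 else kinds.pop()] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG_LINES:
        print(host_based(line), parse_quick_mode_ids(line))
    print(tunnel_summary(SAMPLE_LOG_LINES))
```

Export the VPN-1 query from SmartView Tracker to text and feed the Information column to tunnel_summary(); any "subnet" or "mixed" count after the change means the old tunnel was not deleted or the peer is still proposing networks.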
[The harder "manual domain summary specification" fix]
-Note that we haven't had to implement this yet (as of 15JUN2004). Please try
to avoid using this solution.
Problem:
FireWall module sends out supernetted subnet information for networks in VPN
domain during Phase 2 of IKE negotiation (Example, firewall module sends out
172.16.0.0/15 rather than 172.16.0.0/16 as subnet when a host in the
172.16.0.0/16 subnet initiates VPN traffic).
Remote peer of site to site VPN is not configured to receive supernetted subnet
mask of network that is initiating VPN traffic.
Cause:
max_subnet_for_range has not been configured in the $FWDIR/lib/user.def file.
Solution:
In order to prevent FireWall-1 module from sending out supernetted subnet mask
of network in VPN domain manually define those networks.
Procedure:
On Management Server:
1) Close all GUI clients
2) Issue the following set of commands (the FireWall-1 Administrator name is
"fwadmin" and the FireWall-1 Administrator password is "abc123" in the example
that follows):
------------------------------
# dbedit
Enter Server name (ENTER for 'localhost'):
Enter User Name: fwadmin
Enter User Password: abc123
Please enter a command, -h for help or -q to quit:
dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
dbedit> update properties firewall_properties
firewall_properties updated successfully.
dbedit> quit
#
------------------------------
3) Backup $FWDIR/lib/user.def file
4) Verify that the $FWDIR/lib/user.def file contains the following lines:
------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
#endif /* __user_def__ */
------------------------------
5) Edit $FWDIR/lib/user.def file
Example 1
------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
<0.0.0.0, 194.29.39.255; 255.255.255.0>,
<194.29.40.0, 194.29.50.255; 255.255.255.255>,
<194.29.51.0, 255.255.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
------------------------------
In Example 1, the configuration would work in the following way:
- For the host IP 194.29.23.1 the network IP would be 194.29.23.0/24
- For the host IP 194.29.46.45 the network IP would be 194.29.46.45/32 (just
one IP)
- For the host IP 194.29.102.1 the network IP would be 194.29.0.0/16
Example 2
------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
<172.16.0.0, 172.28.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
------------------------------
In Example 2, the configuration would work in the following way:
- For the host IP 172.16.1.1 the network IP would be 172.16.0.0/16
The general syntax for the max_subnet_for_range table in $FWDIR/lib/user.def is as follows:
------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
...
<first_IP_in_range, last_IP_in_the_range; subnet_mask>
};
#endif /* __user_def__ */
------------------------------
6) Save $FWDIR/lib/user.def file
7) Install policy on firewall module
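As an added example (not code from the write-up or from Check Point), the following Python models both behaviours described above: the default summarization of contiguous subnets from the "VPN domain summarization problem" section, and the max_subnet_for_range lookup from sk17544 with its fallback for hosts outside every range. It parses the user.def table format exactly as quoted, reproduces Example 1 and Example 2, and then compares what our gateway would propose as a Phase 2 ID against what a peer (for instance a PIX crypto-map ACL) has defined for us, so a table can be sanity-checked before policy install. The VPN domain, the peer networks and the user.def fragments are constructed for the example, and it assumes Check Point's "largest possible subnet" summarization is equivalent to plain CIDR aggregation of the VPN domain networks.

```python
import ipaddress
import re

# Constructed local VPN domain (the Check Point side). 172.16/16 and 172.17/16
# are contiguous, as are 10.1.0/24 and 10.1.1/24, so with
# ike_use_largest_possible_subnets enabled the gateway summarizes them to
# 172.16.0.0/15 and 10.1.0.0/23.
LOCAL_VPN_DOMAIN = [
    ipaddress.ip_network("172.16.0.0/16"),
    ipaddress.ip_network("172.17.0.0/16"),
    ipaddress.ip_network("10.1.0.0/24"),
    ipaddress.ip_network("10.1.1.0/24"),
]

# Constructed user.def fragments in the max_subnet_for_range format from
# sk17544, reproducing Example 1 and Example 2 above.
EXAMPLE_1_USER_DEF = """
#ifndef __user_def__
#define __user_def__
max_subnet_for_range = {
<0.0.0.0, 194.29.39.255; 255.255.255.0>,
<194.29.40.0, 194.29.50.255; 255.255.255.255>,
<194.29.51.0, 255.255.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
"""
EXAMPLE_2_USER_DEF = "max_subnet_for_range = { <172.16.0.0, 172.28.255.255; 255.255.0.0> };"

# One table entry: <first_IP, last_IP; subnet_mask>
ENTRY_RE = re.compile(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>")


def parse_max_subnet_for_range(user_def_text):
    """Return the table as (first_ip, last_ip, mask) tuples in file order.
    A range whose end precedes its start, or a malformed mask, raises
    ValueError here instead of failing later at policy install."""
    table = []
    for first, last, mask in ENTRY_RE.findall(user_def_text):
        first_ip, last_ip = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if last_ip < first_ip:
            raise ValueError(f"range end precedes start: <{first}, {last}>")
        ipaddress.ip_network(f"0.0.0.0/{mask}")  # raises on a bad mask
        table.append((first_ip, last_ip, mask))
    return table


def largest_possible_subnet(host, vpn_domain):
    """Subnet the gateway proposes for HOST when ike_use_largest_possible_subnets
    is true: contiguous VPN domain networks are aggregated into the largest
    supernet and the aggregate containing HOST is used as the Phase 2 ID.
    Assumption: Check Point's summarization equals plain CIDR aggregation."""
    host_ip = ipaddress.ip_address(host)
    for net in ipaddress.collapse_addresses(vpn_domain):
        if host_ip in net:
            return net
    raise ValueError(f"{host_ip} is not in the VPN domain")


def negotiated_subnet(host, vpn_domain, table=None):
    """Phase 2 (Quick Mode) ID for HOST per sk17544: the first table entry
    whose range contains HOST supplies the mask; a host outside every range
    falls back to the largest-possible-subnet behaviour."""
    host_ip = ipaddress.ip_address(host)
    for first_ip, last_ip, mask in table or []:
        if first_ip <= host_ip <= last_ip:
            return ipaddress.ip_network(f"{host_ip}/{mask}", strict=False)
    return largest_possible_subnet(host_ip, vpn_domain)


def audit_against_peer(hosts, vpn_domain, peer_networks, table=None):
    """Compare what we will propose for each host with what the peer has
    defined for our side (e.g. the networks in a PIX crypto-map ACL).
    Returns {host: (our_subnet, peer_subnet, match)}; a False means the tunnel
    for that host will not come up, or only in one direction."""
    peers = [ipaddress.ip_network(n) for n in peer_networks]
    report = {}
    for host in hosts:
        ours = negotiated_subnet(host, vpn_domain, table)
        theirs = next((p for p in peers if ipaddress.ip_address(host) in p), None)
        report[host] = (str(ours), str(theirs) if theirs else None, ours == theirs)
    return report


if __name__ == "__main__":
    # The peer defines us as 172.16.1.0/24, but summarization makes us offer /15.
    print(audit_against_peer(["172.16.1.1"], LOCAL_VPN_DOMAIN, ["172.16.1.0/24"]))
    # Pinning that range to a /24 in user.def makes both sides' IDs agree.
    pinned = parse_max_subnet_for_range(
        "max_subnet_for_range = { <172.16.1.0, 172.16.1.255; 255.255.255.0> };")
    print(audit_against_peer(["172.16.1.1"], LOCAL_VPN_DOMAIN, ["172.16.1.0/24"], pinned))
```

Run audit_against_peer() with the hosts that actually need the tunnel and the networks from the peer's crypto ACL; every entry must come back True before you install policy, otherwise you are looking at exactly the one-way or no-tunnel symptom described at the top of this document. Note that the table is matched in file order, so put the narrowest ranges first.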