I've done this with NGX-splat to a Cisco router with no problems. -GS
-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Reinhard Stich
Sent: Thursday, December 29, 2005 4:49 PM
To: [email protected]
Subject: [FW-1] Re: [FW-1] IKE IDs subnet is wrong

hi,

the following resolution works with NG - I've never tested that with NG X:

Solution

To resolve the supernetting, configure the "max_subnet_for_range" table in $FWDIR/lib/user.def on the Management Server (SmartCenter).

Procedure:

On SmartCenter/Management Server:

1) Close all SmartDashboard clients, i.e. SmartView Tracker, SmartView Status, etc.

2) Set "ike_use_largest_possible_subnets" to "false" by issuing the following set of commands (the FireWall-1 Administrator name is "fwadmin" and the password is "abc123" in the example):

-------------------------------------
# dbedit
Enter Server name (ENTER for 'localhost'):
Enter User Name: fwadmin
Enter User Password: abc123
Please enter a command, -h for help or -q to quit:
dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
dbedit> update properties firewall_properties
firewall_properties updated successfully.
dbedit> quit
#
---------------------------------------

3) Open $FWDIR/lib/user.def with a text editor

4) Verify $FWDIR/lib/user.def contains the lines:

----------------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
#endif /* __user_def__ */
---------------------------------------

Troubleshooting the supernetting issue

Example:

1) Configure VPN domains for the local (10.10.0.0) and remote (192.168.x.x) gateways. In the VPN domain of the local gateway, define a group with consecutive networks such as 192.168.100.0/255.255.255.0, 192.168.101.0/255.255.255.0, 192.168.102.0/255.255.255.0
2) Enable ike.elg debug on the local firewall
3) Initiate the tunnel using a machine that is on 192.168.100.0 (remote side)
4) Review the ike.elg. Observe that the phase 2 keys have the subnet changed from 255.255.255.0 to 255.255.25x.0, so that the phase 2 subnet key is large enough to include the complete number of networks defined. This indicates the user.def edit is required to manually define the networks/hosts participating in encrypted traffic.
5) Modify the user.def file to manually define networks to encrypt traffic to/from.

3) Backup $FWDIR/lib/user.def file

4) Edit $FWDIR/lib/user.def file

Example 1
---------------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
  <0.0.0.0, 194.29.39.255; 255.255.255.0>,
  <194.29.40.0, 194.29.50.255; 255.255.255.255>,
  <194.29.51.0, 255.255.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
------------------------------

In Example 1, the configuration would work in the following way:
- For the host IP 194.29.23.1 the network IP would be 194.29.23.0/24
- For the host IP 194.29.46.45 the network IP would be 194.29.46.45 (just one IP)
- For the host IP 194.29.102.1 the network IP would be 194.29.0.0/16

Example 2
------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
  <172.16.0.0, 172.28.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
------------------------------

In Example 2, the configuration would work in the following way:
- For the host IP 172.16.1.1 the network IP would be 172.16.0.0/16

The general syntax for editing the $FWDIR/lib/conf files is as follows:

------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
  <first_IP_in_range, last_IP_in_the_range; subnet_mask>,
  <first_IP_in_range, last_IP_in_the_range; subnet_mask>,
  ...
  <first_IP_in_range, last_IP_in_the_range; subnet_mask>
};
#endif /* __user_def__ */
------------------------------

5) Save $FWDIR/lib/user.def file

6) Install policy on the firewall module to make the change effective

Results:

The network and subnet for IKE negotiation will be determined according to the table above. The host's IP will be matched on a relevant entry in this table; the entry's subnet will be used for negotiation.

For ranges not specified in the table, the subnet mask will be determined as if the option "IKE_use_largest_possible_subnets" is set to "true", wherever relevant.

FP3 Note: FP3 ignores setting "IKE_use_largest_possible_subnets" to false. For FP3 HF1, apply HF2 and change the IKE_use_largest_possible_subnet value to false.

FP2 Note: For FP2 HF 308, when the firewall tries to exchange keys with another vendor's gateway it uses the largest possible subnet when there are consecutive networks in the Check Point VPN domain, even when the "IKE_use_largest_possible_subnets" option is set to false. This requires modification of the user.def file to set segments manually for encrypted traffic.

In FP2, if "Support Subnets for Key Exchange" is enabled in Advanced IKE properties, and the VPN domain on either the local or remote gateway object consists of consecutive subnets, the FP2 gateway will combine these into a larger subnet (or supernet) when presenting its IKE phase 2 identification. This ID is not accepted by the peer gateway, which is expecting to see the original smaller subnets. This behavior can be seen in the IKE debug from the FP2 gateway.

Example: The NG FP2 VPN domain consists of networks 192.168.2.0/24 and 192.168.3.0/24. The remote peer, a Cisco, has a VPN domain consisting of network 10.0.0.0/8. Both gateways are configured with these VPN domains, and both sides support key exchange per subnet. If a connection is initiated from either network on the NG FP2 side, the FP2 gateway will attempt to negotiate phase 2 with the Cisco device, but will present the phase 2 ID as follows (the values will actually be sent in hex, but are shown here in decimal):

Local side subnet (NG FP2 side): 192.168.2.0/23
Remote side subnet (Cisco side): 10.0.0.0/8

Notice the new subnet mask of the 192.168.2.0 network. Since the Cisco gateway has been configured to negotiate for 192.168.2.0/24 or 192.168.3.0/24, it will not respond to this phase 2 attempt from the FP2 gateway, resulting in one of the above errors in the FP2 Log Viewer.
cheers
reinhard

-----Original Message-----
From: Miguel Angel Gutierrez [mailto:[EMAIL PROTECTED]
Sent: Thu 29.12.2005 22:42
To: [email protected]
Cc:
Subject: Re: [FW-1] IKE IDs subnet is wrong

this worked for me once with a similar case.

under the properties of the interoperable device you may have (linux firewall) defined as the remote peer; have you tried to disable the "support key exchange for subnets" option (VPN Advanced section)?

good luck.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Peter Haug
Sent: Thursday, December 29, 2005 1:26 PM
To: [email protected]
Subject: [FW-1] IKE IDs subnet is wrong

Hi,

our Firewall is an R60 on SCPLT. We created a site-to-site VPN with a Linux firewall.
During IKE negotiation, I see the wrong subnet. It should be 10.22.0.0/16 but it is 10.20.0.0/14.
Our internal networks are 23 subnets from 10.1.0.0/16 to 10.23.0.0/16.
I can't find any network with the mask /14 in the SmartDashboard. Also on the SCPLT I can't find it.
Where else should I look for this? Any hints?

Thanks
Peter

#####
This email has been checked by various security mechanisms and found to be clean. If you are interested in these security checks, please contact us.
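The following is an added example, not code from the thread or from Check Point. It models the two things the SK text quoted by Reinhard describes: how a VPN domain made of consecutive networks turns into a wider phase-2 ID on the wire (the /24 + /24 = /23 case from the FP2 example, and the kind of widening Peter saw on his /16s), and how a max_subnet_for_range table from user.def overrides that per address range. The "largest possible subnet" behaviour is modelled here as plain CIDR aggregation; that is an assumption, since the thread does not show the gateway's own aggregation logic, so the exact block a real gateway picks may differ (Peter reports 10.20.0.0/14 for 10.22.0.0/16) while the symptom, a mask wider than the one configured, is the same. The user.def fragments embedded below are constructed copies of the SK examples.

```python
"""Model of IKE phase-2 ID selection for a VPN domain of consecutive networks
and of the max_subnet_for_range override from $FWDIR/lib/user.def.

Assumption (not from the thread): ike_use_largest_possible_subnets=true is
modelled as plain CIDR aggregation of the VPN domain. The real gateway may
choose a different supernet; the point is that the mask gets wider.
"""
import ipaddress
import re

# One entry of the user.def table: <first_IP, last_IP; subnet_mask>
ENTRY_RE = re.compile(r"<\s*([\d.]+)\s*,\s*([\d.]+)\s*;\s*([\d.]+)\s*>")

# Constructed copy of "Example 1" from the SK text quoted in the thread.
USER_DEF_EXAMPLE_1 = """
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
  <0.0.0.0, 194.29.39.255; 255.255.255.0>,
  <194.29.40.0, 194.29.50.255; 255.255.255.255>,
  <194.29.51.0, 255.255.255.255; 255.255.0.0>
};
#endif /* __user_def__ */
"""


def largest_possible_subnets(vpn_domain):
    """Aggregate consecutive networks into the largest enclosing CIDR blocks
    (assumed model of the largest-possible-subnet option)."""
    nets = [ipaddress.ip_network(n) for n in vpn_domain]
    return list(ipaddress.collapse_addresses(nets))


def parse_max_subnet_for_range(user_def_text):
    """Pull the <first, last; mask> entries out of a user.def fragment.
    Returns (first_ip, last_ip, mask) tuples in file order."""
    return [(ipaddress.ip_address(first), ipaddress.ip_address(last), mask)
            for first, last, mask in ENTRY_RE.findall(user_def_text)]


def phase2_id_for_host(host, vpn_domain, table=(), largest_possible=True):
    """Network the gateway presents as its phase-2 ID for traffic from host.

    Order follows the SK "Results" paragraph: a matching table entry wins and
    its mask is applied to the host; otherwise the aggregated block (when the
    largest-possible option is on) or the plain network object is used.
    """
    ip = ipaddress.ip_address(host)
    for first, last, mask in table:
        if first <= ip <= last:
            return ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if largest_possible:
        candidates = largest_possible_subnets(vpn_domain)
    else:
        candidates = [ipaddress.ip_network(n) for n in vpn_domain]
    for net in candidates:
        if ip in net:
            return net
    raise ValueError(f"{host} is not in the VPN domain")


if __name__ == "__main__":
    # The SK's FP2 example: two /24s merge into a /23 the Cisco peer rejects,
    # and a one-line table pins the ID back to the /24.
    domain = ["192.168.2.0/24", "192.168.3.0/24"]
    pin = parse_max_subnet_for_range(
        "max_subnet_for_range = { <192.168.2.0, 192.168.3.255; 255.255.255.0> };")
    print("merged:", phase2_id_for_host("192.168.3.7", domain))
    print("pinned:", phase2_id_for_host("192.168.3.7", domain, table=pin))

    # Peter's domain: 23 consecutive /16s, 10.1.0.0/16 .. 10.23.0.0/16.
    peter = [f"10.{i}.0.0/16" for i in range(1, 24)]
    print("aggregated:", [str(n) for n in largest_possible_subnets(peter)])
    print("10.22.1.1 presented as:", phase2_id_for_host("10.22.1.1", peter))

    # The three lookups the SK lists for Example 1.
    table = parse_max_subnet_for_range(USER_DEF_EXAMPLE_1)
    for h in ("194.29.23.1", "194.29.46.45", "194.29.102.1"):
        print(h, "->", phase2_id_for_host(h, ["194.29.0.0/16"], table=table))
```

Run it after reading the SK text: the first two lines show why Miguel's suggestion (turn off key exchange for subnets) and Reinhard's (pin the ranges in user.def) both work, the aggregated list for Peter's domain shows how a set of /16s stops being /16s on the wire, and the Example 1 lookups reproduce the three results the SK article states. The table is consulted before any aggregation, which is exactly the "table entry wins" rule the Results paragraph gives.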
http://www.paninfo.com
#####

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
