Hi Shiroma,

Unfortunately, setting it in the GUI alone will not resolve the issue. This is spelled out by CP itself.

You have to do it manually via dbedit and by changing user.def. For your case, you define it only for a host. You can check out the syntax on how to define a host only. Check out sk39419 - it outlines Check Point's official solution (I just did a search on supernetting). The bottom line is it's how the CP firewall works, and it's up to you whether or not you want to follow CP's procedure to resolve your issue (assuming at the Cisco end the settings are correct).

Best of luck.

ta
czar

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Shiroma Dassanayake
Sent: Monday, 29 June 2009 8:48 PM
To: [email protected]
Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505

Hi Czar

It is to address the supernetting issue that I have selected "one VPN tunnel per each pair of hosts" under tunnel management. The encryption domain of each tunnel comprises a single host only.

Regards
Shiroma

--- On Mon, 6/29/09, [email protected] <[email protected]> wrote:

From: [email protected] <[email protected]>
Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505
To: [email protected]
Date: Monday, June 29, 2009, 2:07 AM

Hi Shiroma,

I just ran into this kind of problem very recently. I think you have a supernetting issue. You must have defined subnets that are consecutive. If this is the case, by default, FW-1 will supernet them automatically. You can confirm this if, at the Cisco end, the IP address appears at a higher subnet, i.e. you initiated traffic at a /24 address and it appears at the Cisco end as something like a /22 address.

First, you can google for user.def +checkpoint or search the CP knowledge base for the solution. From memory, you have to use dbedit to change the behaviour at the SmartCenter server. NB: close all FW-1 apps. (Run dbedit ? to verify syntax.)

    dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
    dbedit> update properties firewall_properties
    dbedit> quit --update_all

Then you have to manually edit the $FW1/lib/user.def file using a plain text editor, i.e. Notepad. But make a backup copy first. Then put in your subnets as in the following example:

------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
    <first_IP_in_range, last_IP_in_the_range; subnet_mask>,
    <first_IP_in_range, last_IP_in_the_range; subnet_mask>,
    ...
    <first_IP_in_range, last_IP_in_the_range; subnet_mask>
};
#endif /* __user_def__ */
------------------------------

Save it. Then install the policy. In the knowledge base, there are other examples. Check it out.

Good luck.

ta
czar

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Shiroma Dassanayake
Sent: Monday, 29 June 2009 1:41 PM
To: [email protected]
Subject: [FW-1] site to site VPN failing with Cisco Pix 515 and 505

Hi admins

I have 3 site-site VPNs with three different Cisco models. The site-site with the ASA 5510 works. However, the VPNs with the 515 and the 505 don't work. To exclude the subnets issue, I have selected "one VPN tunnel per each pair of hosts" under tunnel management. The keys are exchanged successfully and main mode completes. However, when traffic is initiated (in either direction) the packet is dropped as encryption fails as there is no valid SA. I have seen several references to this error on SK but none of the suggested workarounds seem to work. Any ideas?
Regards
Shiroma

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
Scanned by Check Point Total Security Gateway.
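Added example, not part of the thread and not Check Point's or Cisco's code: a small Python helper that models the supernetting mismatch czar describes (consecutive /24s in the encryption domain being proposed to the PIX as a /22, which the peer has no SA for) and renders the max_subnet_for_range block in the <first_IP, last_IP; subnet_mask> syntax quoted above. The addresses are constructed; the aggregation model (merge adjacent subnets that form an exact larger block, using ipaddress.collapse_addresses) is an assumed simplification of the gateway's "use largest possible subnets" behaviour rather than the real algorithm; and the function names are hypothetical.

```python
"""Added example: model the FW-1 supernetting mismatch described in the thread
and render a max_subnet_for_range block for $FW1/lib/user.def.

Everything here is illustrative: the addresses are constructed, and the
aggregation model (merge adjacent subnets that form an exact aggregate, via
ipaddress.collapse_addresses) is an assumed simplification of the gateway's
"use largest possible subnets" behaviour, not Check Point's real algorithm.
"""
import ipaddress

# Constructed sample encryption domain on the Check Point side: four
# consecutive /24s (which aggregate to a /22) plus one isolated /24.
CP_ENCRYPTION_DOMAIN = [
    "10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
    "192.168.50.0/24",
]

# Constructed sample of what the Cisco peer's crypto ACL lists: the same
# /24s, so a /22 proposal from the Check Point side has no matching SA.
PEER_NETWORKS = [
    "10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24",
    "192.168.50.0/24",
]


def _normalize(subnets):
    """Parse and canonicalize subnet strings such as '10.1.0.0/24'."""
    return [ipaddress.ip_network(s, strict=True) for s in subnets]


def proposed_supernets(subnets):
    """Subnets the gateway would propose under the assumed aggregation model.

    Adjacent subnets that together form an exact larger block are merged;
    anything that does not aggregate is left unchanged.
    """
    return [str(n) for n in ipaddress.collapse_addresses(_normalize(subnets))]


def mismatched_proposals(cp_subnets, peer_subnets):
    """Proposals the peer cannot match exactly. In the thread's scenario these
    are the tunnels that fail with 'no valid SA'."""
    peer = {str(n) for n in _normalize(peer_subnets)}
    return [n for n in proposed_supernets(cp_subnets) if n not in peer]


def user_def_entry(subnet):
    """Format one element in the <first_IP, last_IP; subnet_mask> syntax
    quoted in the thread."""
    net = ipaddress.ip_network(subnet, strict=True)
    return f"<{net.network_address}, {net.broadcast_address}; {net.netmask}>"


def subnets_to_pin(subnets):
    """The original subnets the aggregation model would merge away; only
    these need a max_subnet_for_range entry."""
    kept = set(proposed_supernets(subnets))
    return [str(n) for n in _normalize(subnets) if str(n) not in kept]


def render_user_def(subnets):
    """Render a user.def fragment following the template in the thread, with
    one entry per subnet that would otherwise be supernetted."""
    entries = ",\n    ".join(user_def_entry(s) for s in subnets_to_pin(subnets))
    return (
        "#ifndef __user_def__\n"
        "#define __user_def__\n"
        "//\n"
        "// User defined INSPECT code\n"
        "//\n"
        "max_subnet_for_range = {\n"
        f"    {entries}\n"
        "};\n"
        "#endif /* __user_def__ */\n"
    )


if __name__ == "__main__":
    print("Would be proposed :", proposed_supernets(CP_ENCRYPTION_DOMAIN))
    print("Peer cannot match :",
          mismatched_proposals(CP_ENCRYPTION_DOMAIN, PEER_NETWORKS))
    print(render_user_def(CP_ENCRYPTION_DOMAIN))
```

Running it with the constructed sample reports 10.1.0.0/22 as the proposal the peer cannot match and prints a block with four entries, one per /24, while the isolated 192.168.50.0/24 needs no entry. The generated text only covers the user.def step; the dbedit change to ike_use_largest_possible_subnets and the policy install from czar's message still apply.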
