The default option of "one tunnel per subnet pair" is the one that complies
with the IPSec standard and you should not change it when doing VPN against
"interoperable devices"; I read something about that quite a while ago. In
fact the same document said the other two options ("one tunnel per host
pair" and "one tunnel per gateway pair") are Check Point supported only.
So maybe changing that setting to "one VPN tunnel per each pair of hosts"
could be part of the problem. In any case I don't think there is an easy
way to go around the supernetting issue if you bump into it; if that is the
case, you must go with the changes suggested by Czar.

Regards

On Tue, Jun 30, 2009 at 5:36 AM, <[email protected]> wrote:
> Hi Shiroma,
>
> Unfortunately, setting it in the GUI alone will not resolve the issue. This
> is spelled out by CP itself.
>
> You have to do it manually via dbedit and changing user.def. For your case,
> you define it only for a host. You can check out the syntax on how to define
> a host only. Check out sk39419 - it outlines Check Point's official solution
> (I just did a search on supernetting).
>
> The bottom line is it's how CP FW works and it's up to you whether or not
> you want to follow CP's procedure to resolve your issue (assuming at the
> Cisco end the settings are correct).
>
> Best of luck.
>
> ta
> czar
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Shiroma Dassanayake
> Sent: Monday, 29 June 2009 8:48 PM
> To: [email protected]
> Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505
>
> Hi Czar
>
> It is to address the supernetting issue that I have selected "one VPN
> tunnel per each pair of hosts" under tunnel management. The encryption
> domain of each tunnel comprises a single host only.
>
> Regards
> Shiroma
>
> --- On Mon, 6/29/09, [email protected] <[email protected]> wrote:
>
> From: [email protected] <[email protected]>
> Subject: Re: [FW-1] site to site VPN failing with Cisco Pix 515 and 505
> To: [email protected]
> Date: Monday, June 29, 2009, 2:07 AM
>
> Hi Shiroma,
>
> I just ran into this kind of problem very recently.
>
> I think you have a supernetting issue. You must have defined subnets that
> are consecutive.
>
> If this is the case, by default, FW-1 will supernet it automatically. You
> can confirm this if at the Cisco end the IP address is appearing at a
> higher subnet, i.e. you initiated traffic at a /24 address and it appears
> at the Cisco end as something like a /22 address.
>
> First, you can google for user.def +checkpoint or search the CP knowledge
> base for the solution.
>
> From memory, you have to use dbedit to change the behaviour at the
> SmartCenter server. NB close all FW-1 apps.
>
> (run dbedit ? to verify syntax)
>
> dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
>
> dbedit> update properties firewall_properties
>
> dbedit> quit --update_all
>
> Then you have to manually edit the $FW1/lib/user.def file using a plain
> text editor, i.e. Notepad. But make a backup copy first.
>
> Then put in your subnets as in the following example:
>
> ------------------------------
> #ifndef __user_def__
> #define __user_def__
>
> //
> // User defined INSPECT code
> //
>
> max_subnet_for_range = {
>   <first_IP_in_range, last_IP_in_the_range; subnet_mask>,
>   <first_IP_in_range, last_IP_in_the_range; subnet_mask>,
>   ...
>   <first_IP_in_range, last_IP_in_the_range; subnet_mask>
> };
>
> #endif /* __user_def__ */
> ------------------------------
>
> Save it. Then install the policy.
>
> In the Knowledge base there are other examples. Check them out.
>
> Good luck.
>
> ta
> czar
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[email protected]] On Behalf Of Shiroma Dassanayake
> Sent: Monday, 29 June 2009 1:41 PM
> To: [email protected]
> Subject: [FW-1] site to site VPN failing with Cisco Pix 515 and 505
>
> Hi admins
>
> I have 3 site-site VPNs with three different Cisco models. The site-site
> with the ASA 5510 works. However the VPNs with the 515 and the 505 don't
> work. To exclude the subnets issue, I have selected "one VPN tunnel per
> each pair of hosts" under tunnel management.
>
> The keys are exchanged successfully and main mode completes. However when
> traffic is initiated (in either direction) the packet is dropped as
> encryption fails as there is no valid SA. I have seen several references
> to this error on SK but none of the suggested workarounds seem to work.
>
> Any ideas??
>
> Regards
> Shiroma
>
> =================================================
> To set vacation, Out-Of-Office, or away messages, send an email to
> [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your subscription options, email
> [email protected]
> =================================================
>
> Scanned by Check Point Total Security Gateway.

--
Sergio Alvarez
+(506)88301342
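A quick way to check an encryption domain for the supernetting effect Czar describes before touching dbedit or user.def, as an added example that is not part of the thread and not Check Point's own code. It assumes that "largest possible subnet" merging behaves like collapsing adjacent, aligned subnets into one prefix (Python's ipaddress.collapse_addresses does exactly that), and it renders max_subnet_for_range entries in the <first_IP, last_IP; mask> shape quoted in the user.def template above; that rendering follows the template as quoted here and has not been checked against sk39419. The sample encryption domain is constructed.

```python
import ipaddress

# Constructed sample encryption domain: 10.1.0.0/24 and 10.1.1.0/24 are
# consecutive and aligned, so they merge into 10.1.0.0/23; 10.1.5.0/24 has
# no aligned neighbour and stays as configured.
SAMPLE_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24", "10.1.5.0/24"]


def supernet_view(subnets):
    """Return the domain as the peer would see it if adjacent aligned
    subnets were merged into the largest possible subnet (assumed model)."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def merged_subnets(subnets):
    """Return (configured_subnet, supernet) pairs for every subnet that
    would be presented under a larger prefix than the one configured.
    An empty list means the merge model changes nothing."""
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    collapsed = list(ipaddress.collapse_addresses(nets))
    pairs = []
    for n in nets:
        for c in collapsed:
            if n != c and n.subnet_of(c):
                pairs.append((str(n), str(c)))
    return pairs


def user_def_entries(subnets):
    """Render a max_subnet_for_range block in the <first, last; mask> shape
    quoted in the thread, one entry per configured subnet so each range keeps
    its own mask. Shape follows the quoted template, not a verified SK."""
    parts = []
    for s in subnets:
        n = ipaddress.ip_network(s, strict=True)
        parts.append(f"<{n.network_address}, {n.broadcast_address}; {n.netmask}>")
    return "max_subnet_for_range = { " + ", ".join(parts) + " };"


if __name__ == "__main__":
    print("peer would see:", supernet_view(SAMPLE_DOMAIN))
    for configured, merged in merged_subnets(SAMPLE_DOMAIN):
        print(f"{configured} would be announced as {merged}")
    print(user_def_entries(SAMPLE_DOMAIN))
```

If merged_subnets returns anything, the Cisco side will be offered a larger prefix than it has configured for that tunnel, which is the mismatch behind the "/24 shows up as a /22" observation and the "no valid SA" drop in the thread; an empty list means consecutive subnets are not the cause and the tunnel-management setting or the Cisco configuration is the next place to look.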
