    Site - Site VPN using Carp versus CheckPoint Firewall

    IPsec
      hsiang last edited by

      I had done the below:

      pfsenseA
                                    |||||||||||||||| CARP a.b.c.d                              1.2.3.4
      ---------------------                      --------------  internet -------------------|||||||||||--------------- LAN 10.10.0.0/16
      LAN 192.168.0.0/16    ||||||||||||||||                                                            check point
                                      pfsenseB

      In PFSense A (master)
      1. IPSEC - Tunnel - check on enable IPSEC
      2. Create Tunnel
          Interface : WAN
          Local Subnet : network - 192.168.0.0/16
          Remote Subnet : 10.10.0.0/16
          Remote gateway : 1.2.3.4

      Phase 1
          Negotiation Mode : aggressive
          My Identifier : IP address : a.b.c.d (Carp IP)
          Encryption algorithm : 3DES
          Hash algorithm : MD5
          DH Key Group : 2
          Lifetime : 1440
          Authentication Method : pre-shared key
          Pre-shared Key : Secret

      Phase 2
          Protocol : AH
          Encryption algorithms : 3DES
          Hash algorithms : MD5
          PFS Key Group : Off
          Lifetime: 1440

      3. Under Preshared Key
          Identifier : 1.2.3.4
          Key : Secret

      4. Failover IPSEC
          IP Address : a.b.c.d

      The rules are synced automatically to pfSense B.

      The configuration at Check Point
      Remote gateway - CARP IP a.b.c.d
      Other settings are the same.

      Questions:
      1. I checked under Status IPSEC - SAD; there isn't anything there, just "No IPsec security associations". Does it mean the VPN establishment has failed?

      Any step I missed?

      Regards
      Hsiang

        hoba last edited by

        Tunnels come up on demand only. Make sure to send some Traffic to the destination of the other subnet. Also make sure the opposite end expects you coming from the CARP IP and not one of the real interface IPs. And of course make sure your a.b.c.d CARP IP works.

        If there is no SAD it means the tunnel is not currently up.

          hsiang last edited by

          1. I tried to send some traffic to destination network 10.10.x.x but failed. The log is below:
              Feb 28 14:22:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
              Feb 28 14:22:44 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 1.2.3.4[500]->a.b.c.d[500]
              Feb 28 14:22:44 racoon: INFO: delete phase 2 handler

          2. Opposite party had set the remote gateway as a.b.c.d (CARP IP). CARP IP is working, as when I check my IP address others see me as the CARP IP address.

          Any further advice?

            hoba last edited by
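The racoon lines above, read the way a defender would: an added example (not from the thread, not pfSense or racoon code) that parses racoon log lines, tags each with the IKE stage it concerns and derives a verdict, reproducing hoba's reading that an empty SAD means the tunnel is not up and that here phase 1 is never completing. The sample log is constructed from the lines quoted above; the success-message patterns ("ISAKMP-SA established", "IPsec-SA established") are racoon's usual wording and are an assumption here, as is the rule table itself.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the racoon lines quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Feb 28 14:22:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 28 14:22:44 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 1.2.3.4[500]->a.b.c.d[500]
Feb 28 14:22:44 racoon: INFO: delete phase 2 handler
Feb 28 14:23:21 racoon: ERROR: malformed cookie received.
"""

# syslog-style prefix as racoon writes it on pfSense: "<Mon dd HH:MM:SS> racoon: <LEVEL>: <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
# "ESP 1.2.3.4[500]->a.b.c.d[500]": protocol, then the two IKE endpoints with their UDP ports
PEERS_RE = re.compile(r"\b(ESP|AH) ([^\s\[]+)\[(\d+)\]->([^\s\[]+)\[(\d+)\]")

# (pattern over the message part, IKE stage it concerns, what it tells the operator)
RULES = [
    (re.compile(r"no phase1 found"), "phase1-missing",
     "no IKE (phase 1) SA exists yet; traffic triggered an on-demand negotiation and the request was queued"),
    (re.compile(r"time up waiting for phase1"), "phase1-timeout",
     "phase 1 never completed before the timeout: no usable IKE reply from the peer"),
    (re.compile(r"malformed cookie received"), "phase1-bad-cookie",
     "an IKE packet arrived whose cookies match no known exchange; suspect a peer address/identifier mismatch or differing proposals"),
    (re.compile(r"phase2 negotiation failed"), "phase2-failed",
     "phase 2 (IPsec SA) failed, so Status > IPsec > SAD stays empty"),
    # Success wording assumed from racoon's usual messages; neither line appears in the thread.
    (re.compile(r"ISAKMP-SA established"), "phase1-ok", "phase 1 completed"),
    (re.compile(r"IPsec-SA established"), "phase2-ok", "phase 2 completed; an SAD entry should now exist"),
]
PHASE1_FAILURES = {"phase1-missing", "phase1-timeout", "phase1-bad-cookie"}

VERDICTS = {
    "up": "tunnel up: phase 2 SAs exist",
    "phase2": "phase 1 is up but phase 2 fails: compare the phase 2 proposal and the subnets on both ends",
    "phase1": "phase 1 never established: the peer is not answering IKE, or not to/from the expected addresses",
    "idle": "no IKE negotiation logged; tunnels come up on demand, so send traffic toward the remote subnet first",
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one racoon log line into timestamp, level and message; None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(log_text: str) -> Dict[str, object]:
    """Classify every racoon line against RULES and derive one overall verdict."""
    findings: List[Dict[str, str]] = []
    unmatched: List[str] = []
    peers = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hit = False
        for pattern, stage, note in RULES:
            if pattern.search(rec["msg"]):
                findings.append({"ts": rec["ts"], "level": rec["level"], "stage": stage, "note": note})
                hit = True
        if not hit:
            unmatched.append(rec["msg"])
        for proto, src, sport, dst, dport in PEERS_RE.findall(rec["msg"]):
            peers.add((proto, f"{src}:{sport}", f"{dst}:{dport}"))

    stages = {f["stage"] for f in findings}
    if "phase2-ok" in stages:
        verdict = VERDICTS["up"]
    elif stages & PHASE1_FAILURES:          # a phase 1 failure explains any phase 2 failure after it
        verdict = VERDICTS["phase1"]
    elif "phase1-ok" in stages or "phase2-failed" in stages:
        verdict = VERDICTS["phase2"]
    else:
        verdict = VERDICTS["idle"]
    return {"verdict": verdict, "findings": findings, "unmatched": unmatched, "peers": sorted(peers)}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result["verdict"])
    for f in result["findings"]:
        print(f"{f['ts']} [{f['stage']}] {f['note']}")
    for proto, src, dst in result["peers"]:
        print(f"IKE endpoints seen: {proto} {src} -> {dst}")
```

Run it against the pfSense system log (or a saved copy such as the attached file) after generating traffic toward the remote subnet; an "idle" verdict with no findings means the on-demand negotiation was never even triggered, which is a different problem from a peer that does not answer.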

            This looks like it's not getting a response from the Check Point to me. Is this all that is in the logs?

              hsiang last edited by

              Attached the full log

              log-28022007.txt

                hoba last edited by

                Feb 28 14:23:21 racoon: ERROR: malformed cookie received.

                The Check Point seems to send something strange. Revisit all parameters and check if they are absolutely identical. Maybe try using main mode instead of aggressive.

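An added example (not from the thread, and not pfSense or Check Point code) that takes hoba's advice of checking that every parameter is identical on both ends and applies it to the configuration posted at the top of the thread: each side is modelled as a record, mirrored fields (gateways, subnets, identifiers) are checked crosswise and everything else for equality, and a few security caveats a reviewer would raise are flagged. The pfSense record uses the values posted; the Check Point record is constructed as its exact mirror ("remote gateway = CARP IP, other settings the same"), the variants below it are constructed test cases, and the field names are this example's own.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass
class IpsecSide:
    """One peer's view of the tunnel. Gateways are the IKE endpoint addresses (the CARP VIP on pfSense)."""
    name: str
    local_gateway: str
    remote_gateway: str
    local_subnet: str
    remote_subnet: str
    phase1: Dict[str, str]
    phase2: Dict[str, str]


# pfSense side, transcribed from the thread's first post.
PFSENSE = IpsecSide(
    name="pfSense (CARP master)",
    local_gateway="a.b.c.d", remote_gateway="1.2.3.4",
    local_subnet="192.168.0.0/16", remote_subnet="10.10.0.0/16",
    phase1={"mode": "aggressive", "my_identifier": "a.b.c.d", "peer_identifier": "1.2.3.4",
            "encryption": "3des", "hash": "md5", "dh_group": "2", "lifetime": "1440", "auth": "psk"},
    phase2={"protocol": "ah", "encryption": "3des", "hash": "md5", "pfs_group": "off", "lifetime": "1440"},
)

# Check Point side, constructed as the exact mirror of the pfSense side.
CHECKPOINT = IpsecSide(
    name="Check Point",
    local_gateway="1.2.3.4", remote_gateway="a.b.c.d",
    local_subnet="10.10.0.0/16", remote_subnet="192.168.0.0/16",
    phase1={**PFSENSE.phase1, "my_identifier": "1.2.3.4", "peer_identifier": "a.b.c.d"},
    phase2=dict(PFSENSE.phase2),
)

# Constructed failure case: the peer points at a real interface address instead of the CARP VIP.
REAL_IP_CHECKPOINT = replace(CHECKPOINT, remote_gateway="e.f.g.h")

# Field pairs that must be swapped between the two sides rather than equal.
MIRRORED = [("local_gateway", "remote_gateway"), ("local_subnet", "remote_subnet")]
MIRRORED_P1 = [("my_identifier", "peer_identifier")]
LEGACY = {"des", "3des", "md5"}


def _norm(v: Optional[str]) -> str:
    return str(v or "").strip().lower()


def variant(side: IpsecSide, phase1: Optional[Dict[str, str]] = None,
            phase2: Optional[Dict[str, str]] = None) -> IpsecSide:
    """Copy a side with some phase 1 / phase 2 values changed (for building test cases)."""
    return replace(side, phase1={**side.phase1, **(phase1 or {})}, phase2={**side.phase2, **(phase2 or {})})


def compare(a: IpsecSide, b: IpsecSide) -> Dict[str, List[str]]:
    """Return the parameter mismatches between two peers plus security warnings about either side."""
    mismatches: List[str] = []
    warnings: List[str] = []

    # Crosswise checks: a's local must equal b's remote and vice versa.
    for x, y in MIRRORED:
        for (s1, f1), (s2, f2) in (((a, x), (b, y)), ((a, y), (b, x))):
            v1, v2 = getattr(s1, f1), getattr(s2, f2)
            if _norm(v1) != _norm(v2):
                mismatches.append(f"{f1}: {s1.name}={v1} vs {s2.name} {f2}={v2}")
    for x, y in MIRRORED_P1:
        for (s1, k1), (s2, k2) in (((a, x), (b, y)), ((a, y), (b, x))):
            v1, v2 = s1.phase1.get(k1), s2.phase1.get(k2)
            if _norm(v1) != _norm(v2):
                mismatches.append(f"phase1.{k1}: {s1.name}={v1} vs {s2.name} {k2}={v2}")

    # Everything else must be identical. Lifetimes are compared as given; pfSense expresses
    # them in seconds, so confirm the peer's unit before trusting an equal-looking number.
    skip_p1 = {k for pair in MIRRORED_P1 for k in pair}
    for phase, skip in (("phase1", skip_p1), ("phase2", set())):
        pa, pb = getattr(a, phase), getattr(b, phase)
        for key in sorted((set(pa) | set(pb)) - skip):
            if _norm(pa.get(key)) != _norm(pb.get(key)):
                mismatches.append(f"{phase}.{key}: {a.name}={pa.get(key)} vs {b.name}={pb.get(key)}")

    for side in (a, b):
        if _norm(side.phase2.get("protocol")) == "ah":
            warnings.append(f"{side.name}: phase 2 uses AH, which authenticates but does not encrypt; "
                            "the encryption algorithm has no effect and confidentiality requires ESP")
        if _norm(side.phase1.get("mode")) == "aggressive" and _norm(side.phase1.get("auth")) == "psk":
            warnings.append(f"{side.name}: aggressive mode with a pre-shared key exposes the PSK hash "
                            "to offline guessing; main mode is preferred")
        for phase in ("phase1", "phase2"):
            for key in ("encryption", "hash"):
                alg = _norm(getattr(side, phase).get(key))
                if alg in LEGACY:
                    warnings.append(f"{side.name}: {phase}.{key}={alg} is a legacy algorithm")
    return {"mismatches": mismatches, "warnings": warnings}


if __name__ == "__main__":
    for label, peer in (("mirror", CHECKPOINT), ("real-IP peer", REAL_IP_CHECKPOINT)):
        result = compare(PFSENSE, peer)
        print(f"--- {label}: {len(result['mismatches'])} mismatch(es)")
        for line in result["mismatches"] + result["warnings"]:
            print(line)
```

With the posted values the two sides agree, which matches the thread's statement that only the remote gateway differs; what remains are the caveats (AH carries no encryption, aggressive mode with a PSK) and the unit question on the lifetimes, all of which are worth settling with the Check Point administrator before the tunnel goes into production.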