Site-to-Site VPN using CARP versus Check Point Firewall
-
I had done the below:

pfsenseA
   ||||||||||||||||  CARP a.b.c.d                                 1.2.3.4
LAN 192.168.0.0/16 --------------- internet --------------- ||||||||||| --------------- LAN 10.10.0.0/16
   ||||||||||||||||                                            check point
pfsenseB

In pfSense A (master):
1. IPsec - Tunnel - check "Enable IPsec"
2. Create Tunnel
Interface : WAN
Local Subnet : network - 192.168.0.0/16
Remote Subnet : 10.10.0.0/16
Remote gateway : 1.2.3.4

Phase 1
Negotiation Mode : aggressive
My Identifier : IP address : a.b.c.d (CARP IP)
Encryption algorithm : 3DES
Hash algorithm : MD5
DH Key Group : 2
Lifetime : 1440
Authentication Method : pre-shared key
Pre-shared Key : Secret

Phase 2
Protocol : AH
Encryption algorithms : 3DES
Hash algorithms : MD5
PFS Key Group : Off
Lifetime : 1440

2. Under Pre-shared Key
Identifier : 1.2.3.4
Key : Secret

3. Failover IPsec
IP Address : a.b.c.d

The rules are synced automatically to pfSense B.
The configuration at Check Point:
Remote gateway - CARP IP a.b.c.d
Other settings are the same.

Questions:
1. I checked under Status > IPsec > SAD; there isn't anything there, just "No IPsec security associations". Does it mean the VPN establishment failed? Any step I missed?
Regards
Hsiang
-
Tunnels come up on demand only. Make sure to send some traffic to the destination of the other subnet. Also make sure the opposite end expects you coming from the CARP IP and not one of the real interface IPs. And of course make sure your a.b.c.d CARP IP works.
If there is no SAD it means the tunnel is not currently up.
-
1. I tried to send some traffic to destination network 10.10.x.x, but it failed. The log is as below:
Feb 28 14:22:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 28 14:22:44 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 1.2.3.4[500]->a.b.c.d[500]
Feb 28 14:22:44 racoon: INFO: delete phase 2 handler
2. The opposite party had set the remote gateway as a.b.c.d (CARP IP). The CARP IP is working, as when I check my IP address others see me as the CARP IP address.
Any further advice?
-
This looks like it's not getting a response from the Check Point, to me. Is this all that is in the logs?
-
Attached the full log
-
Feb 28 14:23:21 racoon: ERROR: malformed cookie received.
The Check Point seems to send something strange. Revisit all parameters and check that they are absolutely identical. Maybe try using main mode instead of aggressive.
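Added example (not part of the thread, and not pfSense's, racoon's or Check Point's own code): a small Python triage script that applies the advice given in this thread to the racoon lines quoted above. It classifies each line as a phase 1 or phase 2 problem, reports which phase to fix first (a phase 1 failure masks everything in phase 2), extracts the IKE endpoints so you can confirm the negotiation really involves the CARP VIP rather than a real interface address, and runs a sanity check over the posted phase 2 settings. Two caveats a reviewer would raise on the original post: "Protocol: AH" combined with an encryption algorithm is contradictory (AH only authenticates; the log line negotiates ESP, which is what a confidential tunnel needs), and aggressive mode, 3DES, MD5, DH group 2 and PFS off are all weak choices that only make sense if the peer cannot do better. The sample log is the thread's own four lines with its placeholder addresses; `carp_ip` and the proposal dicts are assumed inputs for illustration.

```python
import re

# Constructed sample: the four racoon lines quoted in this thread, with the
# thread's placeholder addresses (a.b.c.d = CARP VIP, 1.2.3.4 = Check Point).
SAMPLE_LOG = """\
Feb 28 14:22:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 28 14:22:44 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 1.2.3.4[500]->a.b.c.d[500]
Feb 28 14:22:44 racoon: INFO: delete phase 2 handler
Feb 28 14:23:21 racoon: ERROR: malformed cookie received.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<level>\w+): (?P<msg>.*)$")
# "ESP 1.2.3.4[500]->a.b.c.d[500]": SA protocol plus the two IKE endpoints.
ENDPOINTS_RE = re.compile(
    r"(?P<proto>ESP|AH) (?P<a>[^\[\s]+)\[\d+\]->(?P<b>[^\[\s]+)\[\d+\]")

# message fragment -> (phase that failed, what it means). Only fragments that
# occur in the thread's log are listed; first match wins.
RULES = [
    ("no phase1 found", "phase1",
     "no ISAKMP SA exists yet: phase 1 never completed, phase 2 has not been tried"),
    ("time up waiting for phase1", "phase1",
     "phase 1 timed out: the peer did not answer, or answered from/to the wrong address"),
    ("malformed cookie received", "phase1",
     "peer sent an ISAKMP cookie this side does not know: check identifiers, mode and proposal match exactly"),
    ("delete phase 2 handler", "phase2",
     "racoon dropped the queued phase 2 request (consequence of the phase 1 failure, not a cause)"),
]


def parse_line(line):
    """Split one racoon syslog line into timestamp, level, message and endpoints."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    e = ENDPOINTS_RE.search(rec["msg"])
    rec["endpoints"] = (e.group("a"), e.group("b")) if e else None
    rec["sa_proto"] = e.group("proto") if e else None
    return rec


def diagnose(log_text, carp_ip):
    """One finding per recognised line. carp_ip (assumed input) is the VIP the
    peer must see; lines carrying endpoints are checked for it so a tunnel being
    negotiated from a real interface address (the classic CARP mistake) shows up."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for frag, phase, hint in RULES:
            if frag in rec["msg"]:
                f = {"ts": rec["ts"], "level": rec["level"], "phase": phase, "hint": hint}
                if rec["endpoints"]:
                    f["endpoints"] = rec["endpoints"]
                    f["sa_proto"] = rec["sa_proto"]
                    f["uses_carp_ip"] = carp_ip in rec["endpoints"]
                findings.append(f)
                break
    return findings


def first_thing_to_fix(findings):
    """Phase 1 errors mask phase 2, so fix phase 1 before touching phase 2 settings."""
    phases = {f["phase"] for f in findings if f["level"] == "ERROR"}
    if "phase1" in phases:
        return "phase1"
    if "phase2" in phases:
        return "phase2"
    return "none"


def check_phase2(proposal):
    """Sanity-check a phase 2 proposal dict (keys: protocol, encryption, hash, pfs)."""
    problems = []
    if proposal.get("protocol") == "AH" and proposal.get("encryption"):
        problems.append("AH carries no encryption; use ESP if the traffic must be confidential")
    if proposal.get("pfs") in (None, "off", "Off"):
        problems.append("PFS off: a compromised IKE key exposes every phase 2 key")
    for k in ("encryption", "hash"):
        if proposal.get(k) in {"DES", "3DES", "MD5"}:
            problems.append(f"{k} {proposal[k]} is weak; prefer AES and SHA-2 if the peer supports them")
    return problems


def compare_phase2(local, remote):
    """Keys whose values differ between the two ends: the usual reason phase 2
    fails once phase 1 is up ("check that they are absolutely identical")."""
    return sorted(k for k in set(local) | set(remote) if local.get(k) != remote.get(k))


if __name__ == "__main__":
    found = diagnose(SAMPLE_LOG, "a.b.c.d")
    for f in found:
        print(f)
    print("fix first:", first_thing_to_fix(found))
    posted = {"protocol": "AH", "encryption": "3DES", "hash": "MD5", "pfs": "Off"}
    for p in check_phase2(posted):
        print("phase 2:", p)
```

Run it as-is to see the thread's log classified; feed it your own `/var/log/ipsec.log` lines and your CARP VIP to check that every endpoint pair racoon reports contains the VIP. A `uses_carp_ip` of False on a live system is exactly the "coming from a real interface IP" mistake the second reply warns about.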