IPSEC problem with Checkpoint
-
Hello,
Thanks for any help. Trying to set up an IPSEC connection. The tunnel shows up and shows data from my end passing over to the other end (Checkpoint) but no data is coming back. The logs on the other side complain of no valid SA. Below are my logs. We verified our settings match on both sides. Does anyone have any suggestions? I'm on the latest version of pfsense 2.3.
thanks!
May 6 19:48:23 charon 16[NET] <con1000|1>received packet: from x.x.x.x[500] to x.x.x.x[500] (316 bytes)
May 6 19:48:23 charon 16[IKE] <con1000|1>received retransmit of request with ID 2430477241, but no response to retransmit
May 6 19:48:23 charon 16[MGR] <con1000|1>checkin IKE_SA con1000[1]
May 6 19:48:23 charon 16[MGR] <con1000|1>checkin of IKE_SA successful
May 6 19:48:25 charon 07[CFG] vici client 8 connected
May 6 19:48:25 charon 11[CFG] vici client 8 registered for: list-sa
May 6 19:48:25 charon 16[CFG] vici client 8 requests: list-sas
May 6 19:48:25 charon 16[CFG] vici client 8 disconnected
May 6 19:48:27 charon 02[NET] received packet: from x.x.x.x[500] to x.x.x.x[500]
May 6 19:48:27 charon 02[NET] waiting for data on sockets
May 6 19:48:27 charon 16[MGR] checkout IKEv1 SA by message with SPIs e2425ca47e809f82_i 00d22926f1544b1e_r
May 6 19:48:27 charon 16[MGR] IKE_SA con1000[1] successfully checked out
May 6 19:48:27 charon 16[NET] <con1000|1>received packet: from x.x.x.x[500] to x.x.x.x[500] (316 bytes)
May 6 19:48:27 charon 16[IKE] <con1000|1>received retransmit of request with ID 2430477241, but no response to retransmit
May 6 19:48:27 charon 16[MGR] <con1000|1>checkin IKE_SA con1000[1]
May 6 19:48:27 charon 16[MGR] <con1000|1>checkin of IKE_SA successful
May 6 19:48:30 charon 16[CFG] vici client 9 connected
May 6 19:48:30 charon 16[CFG] vici client 9 registered for: list-sa
May 6 19:48:30 charon 11[CFG] vici client 9 requests: list-sas
May 6 19:48:30 charon 11[CFG] vici client 9 disconnected
May 6 19:48:36 charon 09[CFG] vici client 10 connected
May 6 19:48:36 charon 11[CFG] vici client 10 registered for: list-sa
May 6 19:48:36 charon 09[CFG] vici client 10 requests: list-sas
May 6 19:48:36 charon 11[CFG] vici client 10 disconnected
May 6 19:48:41 charon 11[CFG] vici client 11 connected
May 6 19:48:41 charon 12[CFG] vici client 11 registered for: list-sa
May 6 19:48:41 charon 03[CFG] vici client 11 requests: list-sas
May 6 19:48:41 charon 12[CFG] vici client 11 disconnected
May 6 19:49:31 charon 03[CFG] vici client 12 connected
May 6 19:49:31 charon 11[CFG] vici client 12 registered for: list-sa
May 6 19:49:31 charon 12[CFG] vici client 12 requests: list-sas
May 6 19:49:31 charon 12[CFG] vici client 12 disconnected
May 6 19:49:36 charon 11[CFG] vici client 13 connected
May 6 19:49:36 charon 11[CFG] vici client 13 registered for: list-sa
May 6 19:49:36 charon 11[CFG] vici client 13 requests: list-sas
May 6 19:49:36 charon 11[CFG] vici client 13 disconnected
May 6 19:49:41 charon 11[CFG] vici client 14 connected
May 6 19:49:41 charon 11[CFG] vici client 14 registered for: list-sa
May 6 19:49:41 charon 05[CFG] vici client 14 requests: list-sas
May 6 19:49:41 charon 14[CFG] vici client 14 disconnected
Hi,
I am no IPsec expert but I know that there are often problems with the default CheckPoint IPsec configuration when connecting to 3rd party vendors. The colleague on the Checkpoint side should enable the vpn debug as described in checkpoint sk14326 - in short:
vpn debug ikeon # enable debugging
vpn debug trunc # rotates the ike.elg logfile
vpn tu # reset all related IPsec connections to pfsense and then try to re-establish the connection
vpn debug ikeoff # disable debugging
Now he should send you the "$FWDIR/log/ike.elg" file for better analysis. Further he can use checkpoint's "ikeview.exe" tool to make the log more readable.
Here I found a link to the ikeview.exe - so if you have access to the ike.elg but not to the official checkpoint download you can try it here:
http://check-point-firewall.blogspot.de/2012/03/roubleshooting-checkpoint-vpns-with.html
Further here is a guide and howto - official from checkpoint:
https://www.youtube.com/watch?v=RjylF4xqhEc&feature=youtu.be
Further there is a sk31803 which describes a problem with no valid SA and Cisco ASA - but perhaps something you could check/try:
Symptoms
"Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information" log in SmartView Tracker.
VPN between Check Point Security Gateway and Cisco Pix fails.
SmartView Tracker logs may display the following error messages:
No valid SA
Encryption failure: packet is dropped as there is no valid SA
Encryption failure: No response from peer
No proposal chosen
Unable to delete IPSec SA (to reset the tunnel) using the "vpn tu". Rebooting the gateway does not correct this issue.
Cause
During IKE Quick Mode Exchange, the VPN daemon negotiates IPSec Security Associations (SAs) with the VPN partner site. If negotiations fail and the exchange does not complete, the VPN daemon has no IPSec SAs to send to the VPN kernel. When the VPN kernel's wait for the IPsec SA expires (usually 60 seconds) this error message is sent.
VPN between Check Point Security Gateway and Cisco Pix may fail because Cisco Tunnel Sharing is configured for host based VPN, while Check Point Tunnel Sharing is usually configured for network based VPN.
VPN between Check Point Security Gateway and Cisco Pix may also fail due to a mismatch in the settings between the two devices. For instance, if the Check Point Security Gateway proposes a network of 192.168.1.X/24, but the Cisco Access list is setup for traffic from 192.168.X.X/16, the connection will fail.
Solution
To resolve the issue where Cisco Tunnel Sharing is configured for host based VPN, while Check Point Tunnel Sharing is configured for network based VPN, proceed as follows:
At the Cisco end, check the Crypto Map settings. Find out from the ACLs if there is a host based VPN setup or a network based VPN setup.
On SmartDashboard, edit the Cisco Interoperable Device object defined on SmartDashboard. Select 'Network Objects > Others > Interoperable Device > VPN > Advanced'. Uncheck 'Support key exchange for subnets'.
Note: For NGX R60 and higher, select 'Network Objects > Interoperable Devices > IPSec VPN > VPN Advanced'. Under "VPN Tunnel Sharing", select "Custom Settings" and specify "One VPN tunnel per each pair of hosts".
After completing this procedure, initiate traffic from the source PC. You should be able to see an encrypt in SmartView Tracker.
To resolve the issue due to a mismatch in the settings between the two devices, proceed as follows:
Use the 'Tunnel Management' option in the VPN community (under 'Manage > VPN Communities… > (Meshed/Star) Community Properties'). Make sure the VPN Tunnel Sharing options are set correctly for the specific scenario.
Additionally, modify the Cisco Access List to reflect what the Check Point Security Gateway is proposing.
To resolve the issue of being unable to delete IPSec SA using tunnelutil or vpn tu:
Change the encryption method to "IKEv1" only.
The interesting part in there is that checkpoint summarizes subnets and often the devices on the other side don't do that, and you have to change this on the checkpoint side to make the VPN tunnel work.
At least double check that both sides have the correct certificate or PSK and the exact same timeouts, ciphers, hashing and encryption.
Good luck!
-
Hello,
I may have the same problem but with the difference that the tunnel comes up normally at the beginning.
When the tunnel is down, the first connection works normally without any problem. When I try to reconnect after a random time it won't connect to the host anymore. Sometimes after a few attempts it works, sometimes only a tunnel reset helps.
In every start of a connection I see traffic going out but no incoming traffic when the connection doesn't work.
Here are the logs from a working connection when the tunnel is down and starts a new tunnel:
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> nothing to initiate
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> activating new tasks
Dec 21 17:20:21 charon: 09[NET] <con2000|2> sending packet: from x.x.x.x[500] to x.x.x.x[500] (60 bytes)
Dec 21 17:20:21 charon: 09[ENC] <con2000|2> generating QUICK_MODE request 2350538681 [ HASH ]
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> QUICK_MODE task
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> reinitiating already active tasks
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> CHILD_SA con2002{13} established with SPIs c20a1252_i c6ff300d_o and TS x.x.x.x/24|x.x.x.x/32 === x.x.x.x/32|/0
Dec 21 17:20:21 charon: 09[CHD] <con2000|2> SPI 0xc6ff300d, src x.x.x.x dst x.x.x.x
Dec 21 17:20:21 charon: 09[CHD] <con2000|2> adding outbound ESP SA
Dec 21 17:20:21 charon: 09[CHD] <con2000|2> SPI 0xc20a1252, src x.x.x.x dst x.x.x.x
Dec 21 17:20:21 charon: 09[CHD] <con2000|2> adding inbound ESP SA
Dec 21 17:20:21 charon: 09[CHD] <con2000|2> using HMAC_SHA1_96 for integrity
Dec 21 17:20:21 charon: 09[CHD] <con2000|2> using AES_CBC for encryption
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> proposal matches
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> selecting proposal:
Dec 21 17:20:21 charon: 09[ENC] <con2000|2> parsed QUICK_MODE response 2350538681 [ HASH SA No ID ID ]
Dec 21 17:20:21 charon: 09[NET] <con2000|2> received packet: from x.x.x.x[500] to x.x.x.x[500] (172 bytes)
Dec 21 17:20:21 charon: 09[NET] <con2000|2> sending packet: from x.x.x.x[500] to x.x.x.x[500] (172 bytes)
Dec 21 17:20:21 charon: 09[ENC] <con2000|2> generating QUICK_MODE request 2350538681 [ HASH SA No ID ID ]
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> x.x.x.x/32|/0
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> proposing traffic selectors for other:
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> x.x.x.x/24|x.x.x.x/32
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> proposing traffic selectors for us:
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 17:20:21 charon: 09[CFG] <con2000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> activating QUICK_MODE task
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> activating new tasks
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> DPD not supported by peer, disabled
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> maximum IKE_SA lifetime 86318s
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> scheduling reauthentication in 85778s
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> IKE_SA con2000[2] state change: CONNECTING => ESTABLISHED
Dec 21 17:20:21 charon: 09[IKE] <con2000|2> IKE_SA con2000[2] established between x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
Dec 21 17:20:21 charon: 09[ENC] <con2000|2> parsed ID_PROT response 0 [ ID HASH ]
Dec 21 17:20:21 charon: 09[NET] <con2000|2> received packet: from x.x.x.x[500] to x.x.x.x[500] (76 bytes)
Dec 21 17:20:21 charon: 13[NET] <con2000|2> sending packet: from x.x.x.x[500] to x.x.x.x[500] (76 bytes)
Dec 21 17:20:21 charon: 13[ENC] <con2000|2> generating ID_PROT request 0 [ ID HASH ]
Dec 21 17:20:21 charon: 13[IKE] <con2000|2> MAIN_MODE task
Dec 21 17:20:21 charon: 13[IKE] <con2000|2> ISAKMP_VENDOR task
Dec 21 17:20:21 charon: 13[IKE] <con2000|2> reinitiating already active tasks
Dec 21 17:20:21 charon: 13[ENC] <con2000|2> parsed ID_PROT response 0 [ KE No ]
Dec 21 17:20:21 charon: 13[NET] <con2000|2> received packet: from x.x.x.x[500] to x.x.x.x[500] (184 bytes)
Dec 21 17:20:21 charon: 13[NET] <con2000|2> sending packet: from x.x.x.x[500] to x.x.x.x[500] (196 bytes)
Dec 21 17:20:21 charon: 13[ENC] <con2000|2> generating ID_PROT request 0 [ KE No ]
Dec 21 17:20:21 charon: 13[IKE] <con2000|2> MAIN_MODE task
Dec 21 17:20:21 charon: 13[IKE] <con2000|2> ISAKMP_VENDOR task
Dec 21 17:20:21 charon: 13[IKE] <con2000|2> reinitiating already active tasks
Dec 21 17:20:21 charon: 13[CFG] <con2000|2> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 21 17:20:21 charon: 13[CFG] <con2000|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 21 17:20:21 charon: 13[CFG] <con2000|2> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 21 17:20:21 charon: 13[CFG] <con2000|2> proposal matches
Dec 21 17:20:21 charon: 13[CFG] <con2000|2> selecting proposal:
Dec 21 17:20:21 charon: 13[IKE] <con2000|2> received FRAGMENTATION vendor ID
Dec 21 17:20:21 charon: 13[ENC] <con2000|2> parsed ID_PROT response 0 [ SA V ]
Dec 21 17:20:21 charon: 13[NET] <con2000|2> received packet: from x.x.x.x[500] to x.x.x.x[500] (108 bytes)
Dec 21 17:20:21 charon: 12[NET] <con2000|2> sending packet: from x.x.x.x[500] to x.x.x.x[500] (204 bytes)
Dec 21 17:20:21 charon: 12[ENC] <con2000|2> generating ID_PROT request 0 [ SA V V V V V V ]
Dec 21 17:20:21 charon: 12[CFG] <con2000|2> configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> IKE_SA con2000[2] state change: CREATED => CONNECTING
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> initiating Main Mode IKE_SA con2000[2] to x.x.x.x
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> sending NAT-T (RFC 3947) vendor ID
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> sending FRAGMENTATION vendor ID
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> sending Cisco Unity vendor ID
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> sending DPD vendor ID
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> sending XAuth vendor ID
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> activating ISAKMP_NATD task
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> activating ISAKMP_CERT_POST task
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> activating MAIN_MODE task
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> activating ISAKMP_CERT_PRE task
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> activating ISAKMP_VENDOR task
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> activating new tasks
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> queueing QUICK_MODE task
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> queueing ISAKMP_NATD task
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> queueing ISAKMP_CERT_POST task
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> queueing MAIN_MODE task
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> queueing ISAKMP_CERT_PRE task
Dec 21 17:20:21 charon: 12[IKE] <con2000|2> queueing ISAKMP_VENDOR task
Connection not working after the first tunnel started, even though Phase 2 comes up (see above):
Dec 21 17:24:36 charon: 15[IKE] <con2000|2> nothing to initiate
Dec 21 17:24:36 charon: 15[IKE] <con2000|2> activating new tasks
Dec 21 17:24:36 charon: 15[NET] <con2000|2> sending packet: from x.x.x.x[500] to x.x.x.x[500] (60 bytes)
Dec 21 17:24:36 charon: 15[ENC] <con2000|2> generating QUICK_MODE request 2771841884 [ HASH ]
Dec 21 17:24:36 charon: 15[IKE] <con2000|2> QUICK_MODE task
Dec 21 17:24:36 charon: 15[IKE] <con2000|2> reinitiating already active tasks
Dec 21 17:24:36 charon: 15[IKE] <con2000|2> CHILD_SA con2001{15} established with SPIs c1146b38_i 12396eb1_o and TS x.x.x.x/24|x.x.x.x/32 === x.x.x.x/32|/0
Dec 21 17:24:36 charon: 15[CHD] <con2000|2> SPI 0x12396eb1, src x.x.x.x dst x.x.x.x
Dec 21 17:24:36 charon: 15[CHD] <con2000|2> adding outbound ESP SA
Dec 21 17:24:36 charon: 15[CHD] <con2000|2> SPI 0xc1146b38, src x.x.x.x dst x.x.x.x
Dec 21 17:24:36 charon: 15[CHD] <con2000|2> adding inbound ESP SA
Dec 21 17:24:36 charon: 15[CHD] <con2000|2> using HMAC_SHA1_96 for integrity
Dec 21 17:24:36 charon: 15[CHD] <con2000|2> using AES_CBC for encryption
Dec 21 17:24:36 charon: 15[CFG] <con2000|2> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 17:24:36 charon: 15[CFG] <con2000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 17:24:36 charon: 15[CFG] <con2000|2> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 17:24:36 charon: 15[CFG] <con2000|2> proposal matches
Dec 21 17:24:36 charon: 15[CFG] <con2000|2> selecting proposal:
Dec 21 17:24:36 charon: 15[ENC] <con2000|2> parsed QUICK_MODE response 2771841884 [ HASH SA No ID ID ]
Dec 21 17:24:36 charon: 15[NET] <con2000|2> received packet: from x.x.x.x[500] to x.x.x.x[500] (172 bytes)
Dec 21 17:24:36 charon: 11[NET] <con2000|2> sending packet: from x.x.x.x[500] to x.x.x.x[500] (172 bytes)
Dec 21 17:24:36 charon: 11[ENC] <con2000|2> generating QUICK_MODE request 2771841884 [ HASH SA No ID ID ]
Dec 21 17:24:36 charon: 11[CFG] <con2000|2> x.x.x.x/32|/0
Dec 21 17:24:36 charon: 11[CFG] <con2000|2> proposing traffic selectors for other:
Dec 21 17:24:36 charon: 11[CFG] <con2000|2> x.x.x.x/24|x.x.x.x/32
Dec 21 17:24:36 charon: 11[CFG] <con2000|2> proposing traffic selectors for us:
Dec 21 17:24:36 charon: 11[CFG] <con2000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 17:24:36 charon: 11[CFG] <con2000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Dec 21 17:24:36 charon: 11[IKE] <con2000|2> activating QUICK_MODE task
Dec 21 17:24:36 charon: 11[IKE] <con2000|2> activating new tasks
Dec 21 17:24:36 charon: 11[IKE] <con2000|2> queueing QUICK_MODE task
Logs from Checkpoint are in the attachment.
I'm trying to find out if the customer has a FW and if they see load traffic going out there.
Does someone have a suggestion?
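The charon logs in this thread and the earlier reply can be checked mechanically: the script below (an added example, not code from this thread or from pfSense) parses the charon line format shown above, counts the inbound and outbound ESP SAs that were actually installed and the peer retransmits pfSense could not answer, and compares a Phase 2 selector against the peer's subnet the way sk31803 describes (a summarised /16 on the Check Point side against a /24 proposed by pfSense). The sample log lines and the 192.0.2.0/24, 198.51.100.10/32 and 192.0.0.0/16 addresses are constructed placeholders, not values from the thread.

```python
import ipaddress
import re

# pfSense 2.3 logs "charon NN[GRP]", older builds "charon: NN[GRP]"; both forms appear in the thread.
LINE_RE = re.compile(r"charon:? \d+\[(?P<grp>[A-Z]+)\]\s*(?:<[^|>]+\|\d+>\s*)?(?P<msg>.*)$")
CHILD_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i "
    r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<local>\S+) === (?P<remote>\S+)")
RETRANS_RE = re.compile(r"received retransmit of request with ID (?P<rid>\d+), but no response")


def parse_charon(lines):
    """Summarise Phase 2 outcome: CHILD_SAs seen, ESP SAs installed, peer requests never answered."""
    s = {"child_sas": [], "inbound_esp": 0, "outbound_esp": 0, "unanswered": set()}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if c := CHILD_RE.search(msg):
            s["child_sas"].append(c.groupdict())
        elif "adding inbound ESP SA" in msg:
            s["inbound_esp"] += 1
        elif "adding outbound ESP SA" in msg:
            s["outbound_esp"] += 1
        elif r := RETRANS_RE.search(msg):
            # The peer keeps re-sending a request that this side has no cached reply for.
            s["unanswered"].add(int(r.group("rid")))
    return s


def selector_relation(ours, theirs):
    """Compare one Phase 2 subnet with the peer's; strongSwan prints a TS as 'subnet|proto/port'."""
    a = ipaddress.ip_network(ours.split("|")[0], strict=False)
    b = ipaddress.ip_network(theirs.split("|")[0], strict=False)
    if a == b:
        return "exact"
    if a.subnet_of(b):
        return "peer-superset"   # peer summarised our /24 into a larger block (the sk31803 case)
    if b.subnet_of(a):
        return "peer-subset"
    return "disjoint"


# Constructed sample lines in the thread's format (RFC 5737 documentation addresses).
SAMPLE = [
    "Dec 21 17:24:36 charon: 15[IKE] <con2000|2> CHILD_SA con2001{15} established with SPIs "
    "c1146b38_i 12396eb1_o and TS 192.0.2.0/24|/0 === 198.51.100.10/32|/0",
    "Dec 21 17:24:36 charon: 15[CHD] <con2000|2> adding inbound ESP SA",
    "Dec 21 17:24:36 charon: 15[CHD] <con2000|2> adding outbound ESP SA",
    "May 6 19:48:27 charon 16[IKE] <con1000|1>received retransmit of request with ID "
    "2430477241, but no response to retransmit",
]
```

Run `parse_charon` over the lines pasted from Status > System Logs > IPsec; a CHILD_SA with both ESP SAs installed but repeated unanswered retransmits or a "peer-superset" selector points at the Phase 2 selector mismatch rather than at Phase 1.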
-
Has anyone figured out the issue? I can't get any documentation on how to correctly set up an IPSec VPN between Pfsense and Checkpoint; it's like searching through the Bermuda triangle. Any help or pointers would be much appreciated...