Wednesday, December 8, 2010

Pfsense to Checkpoint IPSec tunnel issues

I had to set an IPSec tunnel between two sites, one running Pfsense (PF) as its perimeter Firewall and the other Checkpoint (CP). PF had one local subnet under it. CP had multiple subnets. The superset of all these subnets in CIDR on CP included more subnets that were actually configured. After setting the tunnel between the single PF network and the superset of networks on CP, the traffic could only pass in one direction – from clients under PF to the clients under CP.

Here are the errors I got on each end:


PF:

Jun 7 05:25:24 racoon: ERROR: failed to pre-process packet.
Jun 7 05:25:24 racoon: ERROR: failed to get sainfo.
Jun 7 05:25:24 racoon: ERROR: failed to get sainfo.
Jun 7 05:25:24 racoon: INFO: respond new phase 2 negotiation:

CP:

Error: "Packet is dropped because there is no valid SA -
please refer to solution sk19423 in SecureKnowledge Database for more information"

Many the sources I looked for to find a clue were pointing to incorrect subnet specifications on one of the ends of the tunnel. The superset of networks on CP was certainly the culprit and here is what finally worked for me:


Step1 (on CP firewall):

On CheckPoint R60 NG there is an option “ike use largest possible subnets”. By default it is set to “true”. This force the VPN on the CP to summarize subnet information sent in phase 2 of IKE key exchange. In the case of more than one subnet some superset of subnets is calculated and sent. That might be different from the destination network configured on PF side, which can be either a superset of subnets or even one of the subnets on CP.

To fix this behavior the option above need to be changed to “false”.

There are two ways to do it:

1. Through Check Point database tool. That is the option I used.

a. Close all Smart DashBoard sessions.
Run the database tool and connect with your regular credentials.
In my installation it was found in:
“C:\Program Files\CheckPoint\SmartConsole\R60\PROGRAM\GuiDBedit.exe”
b. Under Firewall->Properties find the option “ike use largest possible subnets” and
change the value to “false”.
c. Save and exit the Database tool.
d. Push the policy to the node(s) in the regular way.

2. Through CLI using DBEDIT:

a. Close all Smart DashBoard sessions
b. On a command line run “dbedit”
c. Run – “modify properties firewall_properties ike_use_largest_possible_subnets false”
d. Run – “update properties firewall_properties”
e. Quit
f. Install policy to the node(s) in the regular way.

Step 2 (on PF firewall):

For each of the subnets on CP, build separate IPSEC tunnel on PF.
These tunnels properly worked in both directions.

It looks like the issue is common when the tunnel is set between CheckPoint and other types of VPN gateways like Pfsense or CISCO PIX.

When similar tunnels were set between two CheckPoint gateways, I had no such issues and the two were able to properly calculate their set of subnets on both ends. In this case one VPN tunnel including all subnets was sufficient.

No comments:

Post a Comment