Issue #2783

Problem with tunnel to Checkpoint Firewall

Added by Stuart Willson almost 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
interoperability
Affected version:
5.2.1
Resolution:
No feedback

Description

Hello,

I'm struggling to get a tunnel between Strongswan (5.2.1) and a Checkpoint firewall (R80.10) working.

Symptoms are:

1. I'm able to bring the tunnel up from the Strongswan end but it won't establish if they try from the Checkpoint side.
2. I'm able to ping a server on the remote private subnet from a server on my private subnet, but if they try to send any traffic from the Checkpoint side the tunnel status goes from "Installed" to "Rekeying" and traffic doesn't pass. The tunnel continues passing traffic OK from my side.

Config:

        left=1.2.3.4
        leftsubnet=10.70.100.0/24
        leftid=1.2.3.4
        leftauth=psk
        rightauth=psk
        ikelifetime=86400s
        keylife=28800s
        right=5.6.7.8
        rightsubnet=10.51.249.0/24
        rightid=%any
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        dpdaction=hold
        type=tunnel
        auto=route
        keyingtries=%forever
        keyexchange=ikev1
        authby=secret
        compress=no
        dpddelay=30s
        dpdtimeout=150s

The log output seems to suggest that the Checkpoint end is expecting an ID that is different to the one I'm using?

Oct  2 09:25:33 04[NET] <vpn3|875> received packet: from 5.6.7.8[500] to 1.2.3.4[500] (92 bytes)
Oct  2 09:25:33 04[ENC] <vpn3|875> parsing body of message, first payload is HASH_V1
Oct  2 09:25:33 04[ENC] <vpn3|875> parsing ENCRYPTED_V1 payload, 64 bytes left
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 0 ENCRYPTED_DATA
Oct  2 09:25:33 04[ENC] <vpn3|875> parsing ENCRYPTED_V1 payload finished
Oct  2 09:25:33 04[ENC] <vpn3|875> process payload of type ENCRYPTED_V1
Oct  2 09:25:33 04[ENC] <vpn3|875> found an encrypted payload
Oct  2 09:25:33 04[ENC] <vpn3|875> parsing HASH_V1 payload, 64 bytes left
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 0 U_INT_8
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 1 RESERVED_BYTE
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 2 PAYLOAD_LENGTH
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 3 CHUNK_DATA
Oct  2 09:25:33 04[ENC] <vpn3|875> parsing HASH_V1 payload finished
Oct  2 09:25:33 04[ENC] <vpn3|875> parsing NOTIFY_V1 payload, 28 bytes left
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 0 U_INT_8
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 1 RESERVED_BIT
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 2 RESERVED_BIT
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 3 RESERVED_BIT
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 4 RESERVED_BIT
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 5 RESERVED_BIT
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 6 RESERVED_BIT
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 7 RESERVED_BIT
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 8 RESERVED_BIT
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 9 PAYLOAD_LENGTH
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 10 U_INT_32
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 11 U_INT_8
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 12 SPI_SIZE
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 13 U_INT_16
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 14 SPI
Oct  2 09:25:33 04[ENC] <vpn3|875>   parsing rule 15 CHUNK_DATA
Oct  2 09:25:33 04[ENC] <vpn3|875> parsing NOTIFY_V1 payload finished
Oct  2 09:25:33 04[ENC] <vpn3|875> parsed content of encrypted payload
Oct  2 09:25:33 04[ENC] <vpn3|875> insert decrypted payload of type HASH_V1 at end of list
Oct  2 09:25:33 04[ENC] <vpn3|875> insert decrypted payload of type NOTIFY_V1 at end of list
Oct  2 09:25:33 04[ENC] <vpn3|875> verifying message structure
Oct  2 09:25:33 04[ENC] <vpn3|875> found payload of type NOTIFY_V1
Oct  2 09:25:33 04[ENC] <vpn3|875> found payload of type NOTIFY_V1
Oct  2 09:25:33 04[ENC] <vpn3|875> parsed INFORMATIONAL_V1 request 3977328929 [ HASH N(INVAL_ID) ]
Oct  2 09:25:33 04[IKE] <vpn3|875> received INVALID_ID_INFORMATION error notify
Oct  2 09:25:33 04[IKE] <vpn3|875> received INVALID_ID_INFORMATION error notify
Oct  2 09:25:33 04[KNL] <vpn3|875> deleting SAD entry with SPI c22066f8  (mark 0/0x00000000)
Oct  2 09:25:33 04[KNL] <vpn3|875> deleted SAD entry with SPI c22066f8 (mark 0/0x00000000)
Oct  2 09:25:33 04[MGR] <vpn3|875> checkin IKE_SA vpn3[875]
Oct  2 09:25:33 04[MGR] <vpn3|875> check-in of IKE_SA successful.
Oct  2 09:25:37 06[MGR] IKE_SA vpn3[875] successfully checked out
Oct  2 09:25:37 06[MGR] <vpn3|875> checkin IKE_SA vpn3[875]
Oct  2 09:25:37 06[MGR] <vpn3|875> check-in of IKE_SA successful.
Oct  2 09:26:00 07[MGR] IKE_SA vpn3[875] successfully checked out
Oct  2 09:26:00 07[KNL] <vpn3|875> querying policy 10.51.249.0/24 === 10.70.100.0/24 in  (mark 0/0x00000000)
Oct  2 09:26:00 07[KNL] <vpn3|875> querying policy 10.51.249.0/24 === 10.70.100.0/24 fwd  (mark 0/0x00000000)
Oct  2 09:26:00 07[KNL] <vpn3|875> querying SAD entry with SPI c7b99c72  (mark 0/0x00000000)
Oct  2 09:26:00 07[MGR] <vpn3|875> checkin IKE_SA vpn3[875]
Oct  2 09:26:00 07[MGR] <vpn3|875> check-in of IKE_SA successful.
Oct  2 09:26:00 09[MGR] IKE_SA vpn3[875] successfully checked out
Oct  2 09:26:00 09[KNL] <vpn3|875> querying policy 10.51.249.0/24 === 10.70.100.0/24 in  (mark 0/0x00000000)
Oct  2 09:26:00 09[KNL] <vpn3|875> querying policy 10.51.249.0/24 === 10.70.100.0/24 fwd  (mark 0/0x00000000)
Oct  2 09:26:00 09[KNL] <vpn3|875> querying SAD entry with SPI c7b99c72  (mark 0/0x00000000)
Oct  2 09:26:00 09[MGR] <vpn3|875> checkin IKE_SA vpn3[875]
Oct  2 09:26:00 09[MGR] <vpn3|875> check-in of IKE_SA successful.
Oct  2 09:26:03 01[MGR] IKE_SA vpn3[875] successfully checked out
Oct  2 09:26:03 01[KNL] <vpn3|875> querying policy 10.51.249.0/24 === 10.70.100.0/24 in  (mark 0/0x00000000)
Oct  2 09:26:03 01[KNL] <vpn3|875> querying policy 10.51.249.0/24 === 10.70.100.0/24 fwd  (mark 0/0x00000000)
Oct  2 09:26:03 01[KNL] <vpn3|875> querying SAD entry with SPI c7b99c72  (mark 0/0x00000000)
Oct  2 09:26:03 01[IKE] <vpn3|875> sending DPD request
Oct  2 09:26:03 01[IKE] <vpn3|875> queueing ISAKMP_DPD task
Oct  2 09:26:03 01[IKE] <vpn3|875> activating new tasks
Oct  2 09:26:03 01[IKE] <vpn3|875>   activating ISAKMP_DPD task
Oct  2 09:26:03 01[ENC] <vpn3|875> added payload of type NOTIFY_V1 to message
Oct  2 09:26:03 01[ENC] <vpn3|875> order payloads in message
Oct  2 09:26:03 01[ENC] <vpn3|875> added payload of type NOTIFY_V1 to message
Oct  2 09:26:03 01[ENC] <vpn3|875> generating INFORMATIONAL_V1 request 1193356106 [ HASH N(DPD) ]
Oct  2 09:26:03 01[ENC] <vpn3|875> insert payload HASH_V1 into encrypted payload
Oct  2 09:26:03 01[ENC] <vpn3|875> insert payload NOTIFY_V1 into encrypted payload
Oct  2 09:26:03 01[ENC] <vpn3|875> generating payload of type HEADER
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 0 IKE_SPI
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 1 IKE_SPI
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 2 U_INT_8
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 3 U_INT_4
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 4 U_INT_4
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 5 U_INT_8
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 6 RESERVED_BIT
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 7 RESERVED_BIT
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 8 FLAG
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 9 FLAG
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 10 FLAG
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 11 FLAG
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 12 FLAG
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 13 FLAG
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 14 U_INT_32
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 15 HEADER_LENGTH
Oct  2 09:26:03 01[ENC] <vpn3|875> generating HEADER payload finished
Oct  2 09:26:03 01[ENC] <vpn3|875> generating payload of type HASH_V1
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 0 U_INT_8
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 1 RESERVED_BYTE
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 2 PAYLOAD_LENGTH
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 3 CHUNK_DATA
Oct  2 09:26:03 01[ENC] <vpn3|875> generating HASH_V1 payload finished
Oct  2 09:26:03 01[ENC] <vpn3|875> generating payload of type NOTIFY_V1
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 0 U_INT_8
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 1 RESERVED_BIT
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 2 RESERVED_BIT
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 3 RESERVED_BIT
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 4 RESERVED_BIT
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 5 RESERVED_BIT
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 6 RESERVED_BIT
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 7 RESERVED_BIT
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 8 RESERVED_BIT
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 9 PAYLOAD_LENGTH
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 10 U_INT_32
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 11 U_INT_8
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 12 SPI_SIZE
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 13 U_INT_16
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 14 SPI
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 15 CHUNK_DATA
Oct  2 09:26:03 01[ENC] <vpn3|875> generating NOTIFY_V1 payload finished
Oct  2 09:26:03 01[ENC] <vpn3|875> generated content in encrypted payload
Oct  2 09:26:03 01[ENC] <vpn3|875> generating payload of type ENCRYPTED_V1
Oct  2 09:26:03 01[ENC] <vpn3|875>   generating rule 0 ENCRYPTED_DATA
Oct  2 09:26:03 01[ENC] <vpn3|875> generating ENCRYPTED_V1 payload finished
Oct  2 09:26:03 01[NET] <vpn3|875> sending packet: from 1.2.3.4[500] to 5.6.7.8[500] (108 bytes)
Oct  2 09:26:03 01[IKE] <vpn3|875> activating new tasks
Oct  2 09:26:03 01[IKE] <vpn3|875> nothing to initiate

The chap at the Checkpoint end says their settings all match mine. Please could you confirm that I'm reading the logs right and that the mismatching ID does seem to be causing the problem?

Many thanks

Stuart

History

#1 Updated by Tobias Brunner almost 7 years ago

  • Description updated (diff)
  • Category set to interoperability
  • Status changed from New to Feedback

Please could you confirm that I'm reading the logs right and that the mismatching ID does seem to be causing the problem?

The log is a bit short, so we don't see what kind of exchange that is or in what context it occurs (and please use the log levels given on HelpRequests). But if it's a Quick Mode exchange it could be a problem with the traffic selectors (which are transported in ID payloads in IKEv1). Make sure left|rightsubnet matches the other end's configuration exactly. As responder, strongSwan narrows traffic selectors (just like it does for IKEv2), so it's fine if the peer proposes e.g. a subset of the configured traffic selectors, but other implementations might not support that (i.e. will have a problem if strongSwan proposes its non-matching traffic selectors).
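The exact-match check Tobias describes, as an added example that is not part of the issue or of strongSwan's code: it parses the left|rightsubnet keys from the conn above and compares them with the peer's encryption domains (the peer-side values are constructed here; the real ones come from the Checkpoint admin), flagging any selector that only matches after narrowing, since a peer that does not narrow will reject it with INVALID_ID_INFORMATION.

```python
"""Compare IKEv1 traffic selectors (ipsec.conf left|rightsubnet) with the
peer's encryption domains. Added example, not strongSwan code; the
peer-side values below are constructed for illustration."""
import ipaddress
import re

# Our side: the two selector keys from the conn in the issue.
OUR_CONN = """
        leftsubnet=10.70.100.0/24
        rightsubnet=10.51.249.0/24
"""

# Constructed peer-side view: "local" is the peer's own network,
# "remote" is the network it expects us to present.
PEER_DOMAINS = {"local": "10.51.249.0/24", "remote": "10.70.100.0/24"}


def parse_conn(text):
    """Return {key: value} for the key=value lines of a conn fragment."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", text, re.MULTILINE))


def compare_selector(ours, theirs):
    """Classify how our selector relates to the peer's for one direction."""
    a, b = ipaddress.ip_network(ours), ipaddress.ip_network(theirs)
    if a == b:
        return "match"
    if a.subnet_of(b):
        return "narrower"  # accepted only if the peer narrows as responder
    if b.subnet_of(a):
        return "wider"     # strongSwan would narrow this; many peers will not
    return "disjoint"


def check_traffic_selectors(conn_text, peer):
    """Return [(key, ours, theirs, verdict), ...]; only 'match' is safe
    against a peer that, unlike strongSwan, does not narrow selectors."""
    conn = parse_conn(conn_text)
    # leftsubnet is what the peer sees as remote, rightsubnet as its local.
    pairs = [("leftsubnet", "remote"), ("rightsubnet", "local")]
    return [(k, conn[k], peer[p], compare_selector(conn[k], peer[p]))
            for k, p in pairs]


if __name__ == "__main__":
    for row in check_traffic_selectors(OUR_CONN, PEER_DOMAINS):
        print("%-12s ours=%-17s theirs=%-17s -> %s" % row)
```

Anything other than "match" on either line is the first thing to reconcile with the peer before reading further into the Quick Mode log.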

#2 Updated by Stuart Willson almost 7 years ago

Thanks, Tobias. I'll double-check that the traffic selectors match.

#3 Updated by Noel Kuntze over 6 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback