
VPN Tunnel to Checkpoint Firewall

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Scallica, Sep 17, 2005.

  1. Scallica

    Scallica Network Guru Member

    Hello,

    I am trying to setup a VPN tunnel between a WRV54G and a Checkpoint firewall. The WRV54G has beta firmware 2.38.6.


    I am able to setup a Linksys-to-Checkpoint VPN tunnel using the regular Linksys VPN router (BEFVP41).

    In the WRV54G, when I click the connect button, it displays "Waiting for Connection".

    I looked at the Checkpoint logs, and it says, "IKE: Main Mode Completion". During a successful connection using the BEFVP41, after the Main Mode completion log entry, there is another entry that says, "IKE: Quick Mode Completion". This entry also lists the two subnets that are bound.

    My question is, why is the WRV54G not doing the IKE: Quick Mode Completion?

    Thanks,
    Scallica
     
  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    Try this on your WRV54G:

    local secure group: subnet

    remote secure group: any

    remote secure gateway: any

    This is the "hail mary" maneuver for this device...

    Doc
     
  3. Scallica

    Scallica Network Guru Member

    no luck

    Thanks for the reply. I tried your suggestion and it did not work.

    I did some more research, and it seems Quick Mode is done during Phase 2.

    It appears that the VPN tunnel negotiation is stopping after Phase 1 completes.

    This is very strange because I am able to build a tunnel to a Sonicwall firewall. I am also able to build a tunnel to a Checkpoint firewall using the older Linksys VPN router...same exact configuration.

    Do you think this issue could be caused by bugs in the firmware?
     
  4. DocLarge

    DocLarge Super Moderator Staff Member Member

    What are you using as a pre-shared key, if you don't mind my asking?

    Doc
     
  5. kspare

    kspare Computer Guy Staff Member Member

    Could you post a link or let us know where you got that version of firmware?
     
  6. Scallica

    Scallica Network Guru Member

    Linksys technical support emailed it to me.
     
  7. kspare

    kspare Computer Guy Staff Member Member

  8. JonAlthoff

    JonAlthoff Network Guru Member

    I would say that the WRV54G is a VPN Endpoint router, like it says somewhere. It was not on the box when I bought it. For the most part it accepts incoming connections better than it initiates connections. A lot of the time I will remote control my remote router to establish a connection. That seems to be the only way I can establish a connection. I would like firmware 2.38.6 as well. Can you PM the admins and get it uploaded to linksysinfo.org?
     
  9. Scallica

    Scallica Network Guru Member

    No. Linksys prohibits the distribution of their beta firmware.
     
  10. kspare

    kspare Computer Guy Staff Member Member

    Huh? I've never seen this; in fact they have beta firmware on their ftp site for all other models.
     
  11. Scallica

    Scallica Network Guru Member

    Here is what it said in the email I received. Maybe this firmware is top secret.

    Dear Valued Linksys Customer,
    Attached with this email is the beta firmware for the router. Before upgrading, please bear in mind that the firmware is a BETA version and is currently being tested. Linksys would not be liable should any damage occur in your system. The firmware is not for distribution and testing should be kept confidential. Any reproduction or distribution of this firmware or any portion of it may result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible under the law.
     
  12. kspare

    kspare Computer Guy Staff Member Member

    What problem did you report to obtain this software?
     
  13. Scallica

    Scallica Network Guru Member

    In the original firmware, 2.37.1, there are serious bugs in the VPN tunnel area.

    --When SHA1 is selected on the main page, MD5 is displayed in the Phase 2 area of the Advanced Page.
    --When 3DES is selected on the main page, Disabled is displayed in the Phase 2 area of the Advanced Page.

    The 2.38.6 firmware has solved these issues. Now I am having a new issue which is described in the first post of this thread.

    Send an email to Linksys support. I am sure they will send you the beta firmware if you ask for it.
     
  14. Jay5

    Jay5 Network Guru Member

    I would just like to add that I am in the same boat.

    After spending two hours on the phone with Linksys I realized they don't have a clue.

    Like an idiot, I listened to their support and upgraded the firmware, and lost the ability to do SHA1 on phase two. The one thing you can do to get around that one is use MD5 on the main screen and MD5 on the phase one, and that seems to work with Checkpoint if you also set it to MD5.

    I can get the tunnel working if I create traffic on the Linksys side, it will create the tunnel and allow me access to items on the other side. The problem is that my computers on the checkpoint side can not gain access via the tunnel to the computers behind the linksys side.

    I have open tickets with both Checkpoint and Linksys. If anyone has finished this config please share.

    Thanks

    j5
     
  15. DocLarge

    DocLarge Super Moderator Staff Member Member

    Jay,

    have you checked the mapping and permissions that allow access for computers on the Checkpoint side, in case one of the settings is off?

    Doc
     
  16. Jay5

    Jay5 Network Guru Member

    Thank you for responding. Yes, I have an ANY (Checkpoint side) to Linksys Network Side Allow over that VPN community.

    I know what it is: when Checkpoint tries to make the tunnel it's getting a bunch of SA errors.

    And from the Linksys Box via Syslog I get this:

    Sep 23 14:52:42 2005 linksys Sep 23 14:52:42 pluto[33]: "ips0" #72: cannot respond to IPsec SA request because no connection is known for <LinksysNetwork>/24===<LinksysPublicIP>...<CheckpointPublicIP>===<CheckpointInternalNetwork>

    These too from the linksys box:
    Sep 23 14:53:18 2005 linksys Sep 23 14:53:18 pluto[33]: "ips0" #79: peer requested 86400 seconds which exceeds our limit 28800 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
     
  17. DocLarge

    DocLarge Super Moderator Staff Member Member

    Try making all of your timeouts 3600 instead of 28800 (linksys default). Make both tunnels 3DES/SHA1.

    Is the Checkpoint router capable of establishing a gateway-to-gateway connection, or is it similar to the WAG54G (only allows IPSEC connections)?

    Jay
     
  18. Jay5

    Jay5 Network Guru Member

    All times are exact on both sides, and the tunnel does work from Linksys to Checkpoint in Site-to-Site VPN configuration.

    The error below:
    Sep 23 14:53:18 2005 linksys Sep 23 14:53:18 pluto[33]: "ips0" #79: peer requested 86400 seconds which exceeds our limit 28800 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)

    The only thing is I do not understand where in Checkpoint the 86400 seconds is coming from. There is no setting I have found so far on the Checkpoint side that uses an 86400 limit.
     
  19. Scallica

    Scallica Network Guru Member

    How did you enable VPN logging on the Linksys router? In the Log section, I enabled logging and selected all the boxes. I forwarded the logs to a Linux server. I did not see any VPN logs.
     
  20. Jay5

    Jay5 Network Guru Member

    I am guessing that Linksys broke this functionality in the latest version of the firmware, but these logs are from before I upgraded the firmware to 2.7 (I think) from 2.6 (I think).

    But if your box can do this logging, you enter the IP address of a syslog server. I also checked off all the boxes below, even though I think they were for email alerts.

    Oh and set the level of logging to information.
     
  21. Jay5

    Jay5 Network Guru Member

    Oh, and to clarify, my logging no longer works with whatever is the most public version of the firmware.
     
  22. Scallica

    Scallica Network Guru Member

    An Email From Linksys

    I received this email from the Department of the Obvious (Linksys Support):

    "Addressing your concern about the WRV54G failing to establish VPN connection with a Check Point Firewall in phase 2, IKE. I then agree that it could possibly be the firmware of the WRV54G, based on the fact that you were able to establish VPN tunnel between a BEFVP41 and the Check Point Firewall. Now, let me forward this concern to one of our team leads so that we will be able to take the necessary action on the problem. As soon as we have another beta firmware ready, rest assured that we will contact you as soon as possible."
     
  23. Jay5

    Jay5 Network Guru Member

    Hum, I wonder when that will be. I still have Checkpoint trying on their side to find a way to make nice with the Linksys box. I think it has to do with that odd 87600 time limit.
     
  24. Scallica

    Scallica Network Guru Member

    I received another email from Linksys this morning. How should I reply to this?

    I have discussed the problem that you are experiencing with the WRV54G and the Check Point Firewall with one of our Team Lead. They said though the Check Point Firewall is working with a BEFVP41 Router, the fact that you are already using the Beta Firmware for the WRV54G, it could also be a problem at the side of the Check Point Firewall. It may have worked with the BEFVP41 using the same exact VPN settings but they do have different firmware that the Check Point Firewall could be accepting. Also consider the fact that you can also do some updates on the Check Point Firewall. Hope this helps.
     
  25. DocLarge

    DocLarge Super Moderator Staff Member Member

    They danced around the issue. Notice all you see is "it may," "it could," "could be," and all that other shit. Bottom line is they don't know. Couple this with the "improper" usage of English grammar and you'll never figure out what the Hizzell they're saying, much less what it means!

    I think what the kid was trying to say is the problem is with checkpoint firewall because you're using the wrv54g beta software while the firmware for the befvp41 is "final release" therefore (supposedly) bug free.

    Doc
     
  26. Jay5

    Jay5 Network Guru Member

    Checkpoint called me today and I have a new sr. tech who is "really" interested in this working. So hopefully I will have something to post back in a day or two.
     
  27. Scallica

    Scallica Network Guru Member

    Jay....thanks for the update. I received another inane email from Linksys:

    We are considering the fact that a new firmware may help on making the WRV54G connect with a Check Point Firewall, but it will take time and we don't know when a new Firmware or Beta Firmware will be available for download. For the meantime try updating the Check Point Firewall.
     
  28. Jay5

    Jay5 Network Guru Member

    Back on the Case

    OK, over this New Year's weekend I upgraded my Checkpoint firewalls to HFA (Hotfix) 17.

    Checkpoint told me they would not work with me on the problem till I upgraded to HFA 17.

    They think it has something to do with the Key times.

    For example, Checkpoint does some in seconds where Linksys might do them in minutes.

    Since the people at Linksys didn't put a description of "seconds" or "minutes" on it, we will never know.

    Anyways HFA 17 makes no change in my case.

    I am about to call Checkpoint and Linksys again.

    Also if anyone got anywhere with this please post back or PM me.

    Also, if anyone has a good beta version of that firmware I would like to try it out, since the people at Linksys don't know which end is up. One tech rep tried to tell me that they don't have VPN devices.

    Cheers!
     
  29. Scallica

    Scallica Network Guru Member

    I tried to setup a VPN tunnel between my Check Point firewall and a Linksys RV082 VPN Router. I am having the same problem.

    I noticed an error message on the Linksys router:

    We require peer to have ID 'firewall_external_ip', but peer declares 'firewall_internal_ip'.

    I contacted Check Point. The firewall's object in the rule table has its internal IP address in the IP address field. They suggested putting the external IP address into the field. They are positive that this is the cause of the issue.

    I will try this tonight and see if this works.

    Update: This solution worked! I am able to build a VPN tunnel to a RV082 and a WRV54G!!
     
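The three pluto messages quoted in this thread (the "no connection is known" Phase 2 rejection and the OAKLEY_LIFE_DURATION warning from post 16, and the "We require peer to have ID" mismatch from post 29) each point at a different setting that has to agree on both peers. The script below is an added example, not code from the thread or from Linksys or Check Point: it parses syslog lines in the format the Linksys box emitted, classifies each known failure by IKE phase, and prints the value to compare on the two gateways. The sample log is constructed from the lines quoted above (bracketed names are the thread's own placeholders, not real addresses), plus one unrelated line that should be ignored; the rule names and "check" hints are the author's assumptions drawn from the thread's own fixes.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the three pluto messages quoted in the thread plus one
# unrelated line the triage should skip. Bracketed names are placeholders.
SAMPLE_LOG = """\
Sep 23 14:52:42 2005 linksys Sep 23 14:52:42 pluto[33]: "ips0" #72: cannot respond to IPsec SA request because no connection is known for <LinksysNetwork>/24===<LinksysPublicIP>...<CheckpointPublicIP>===<CheckpointInternalNetwork>
Sep 23 14:53:18 2005 linksys Sep 23 14:53:18 pluto[33]: "ips0" #79: peer requested 86400 seconds which exceeds our limit 28800 seconds. Attribute OAKLEY_LIFE_DURATION (variable length)
Sep 23 14:55:01 2005 linksys Sep 23 14:55:01 pluto[33]: "ips0" #80: We require peer to have ID 'firewall_external_ip', but peer declares 'firewall_internal_ip'.
Sep 23 14:55:02 2005 linksys Sep 23 14:55:02 pluto[33]: "ips0" #81: initiating Main Mode
"""

# Common prefix of a pluto state message: connection name and state number.
PLUTO_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')


@dataclass
class Finding:
    conn: str
    state: int
    phase: str   # which IKE phase the message belongs to
    cause: str   # short classification
    detail: str  # the specific values pulled out of the message
    check: str   # what to compare on the two peers (assumption, from the thread's fixes)


# Each rule: regex over the message body, phase, cause, detail builder, and the
# setting to compare. Only the three messages seen in the thread are covered.
RULES = [
    (
        re.compile(r"cannot respond to IPsec SA request because no connection is known for (?P<sel>.+)$"),
        "Phase 2 (Quick Mode)",
        "no local connection matches the peer's proposed traffic selectors",
        lambda m: m.group("sel"),
        "local/remote secure groups must mirror the peer's subnets exactly",
    ),
    (
        re.compile(r"peer requested (?P<peer>\d+) seconds which exceeds our limit (?P<ours>\d+) seconds\. Attribute (?P<attr>\w+)"),
        "Phase 1 (ISAKMP SA attributes)",
        "SA lifetime proposed by the peer exceeds the local limit",
        lambda m: f"{m.group('attr')}: peer {m.group('peer')}s, ours {m.group('ours')}s",
        "set the same key lifetime on both sides, in the same unit (seconds)",
    ),
    (
        re.compile(r"We require peer to have ID '(?P<expected>[^']+)', but peer declares '(?P<declared>[^']+)'"),
        "Phase 1 (identity payload)",
        "peer ID mismatch",
        lambda m: f"expected {m.group('expected')!r}, got {m.group('declared')!r}",
        "the gateway object's IP must be the address the peer actually sees (its external IP)",
    ),
]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per log line that matches a known IPsec failure pattern."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        head = PLUTO_LINE.search(line)
        if not head:
            continue  # not a pluto state message at all
        msg = head.group("msg")
        for rx, phase, cause, detail_fn, check in RULES:
            m = rx.search(msg)
            if m:
                findings.append(Finding(head.group("conn"), int(head.group("state")),
                                        phase, cause, detail_fn(m), check))
                break  # first matching rule wins
    return findings


def report(log_text: str) -> str:
    """Human-readable summary, one finding per line, in log order."""
    lines = [f'{f.conn} #{f.state} [{f.phase}] {f.cause}: {f.detail} -> check: {f.check}'
             for f in triage(log_text)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a syslog export from the router and the output tells you, per state number, whether the tunnel is dying in Phase 1 (identity or lifetime attributes) or Phase 2 (traffic selectors), which is the distinction the thread spent weeks narrowing down by hand.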
  30. lxiao168

    lxiao168 Guest

    I got the same problem when creating a site-to-site VPN between a Linksys rv420 and Checkpoint ngx60.

    Is there any solution now?
     