Not able to establish VTI Tunnel with CheckPoint

vti
checkpoint

#1

Hi Guys,

I am trying to setup VTI tunnel with CheckPoint and below is the diagram enclosed. I feel something is wrong on Vyos as I see tunnel is completely up from CP end even packets are getting encrypted and being forwarded through VTI interface but somehow I am not able to ping 192.168.60.128 or remote ID.

Here is my vyos configuration pertaining to VPN

set vpn ipsec esp-group cpesp lifetime ‘3600’
set vpn ipsec esp-group cpesp mode ‘tunnel’
set vpn ipsec esp-group cpesp pfs ‘disable’
set vpn ipsec esp-group cpesp proposal 1 encryption ‘aes256’
set vpn ipsec esp-group cpesp proposal 1 hash ‘sha1’
set vpn ipsec ike-group cpike key-exchange ‘ikev1’
set vpn ipsec ike-group cpike lifetime ‘86400’
set vpn ipsec ike-group cpike proposal 1 dh-group ‘2’
set vpn ipsec ike-group cpike proposal 1 encryption ‘aes256’
set vpn ipsec ike-group cpike proposal 1 hash ‘sha1’
set vpn ipsec ipsec-interfaces interface ‘eth0’
set vpn ipsec logging log-modes ‘all’
set vpn ipsec site-to-site peer 172.16.3.30 authentication id ‘172.16.4.30’
set vpn ipsec site-to-site peer 172.16.3.30 authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer 172.16.3.30 authentication pre-shared-secret ‘1234567890’
set vpn ipsec site-to-site peer 172.16.3.30 authentication remote-id ‘172.16.3.30’
set vpn ipsec site-to-site peer 172.16.3.30 default-esp-group ‘cpesp’
set vpn ipsec site-to-site peer 172.16.3.30 ike-group ‘cpike’
set vpn ipsec site-to-site peer 172.16.3.30 local-address ‘172.16.4.30’
set vpn ipsec site-to-site peer 172.16.3.30 vti bind ‘vti20’
set vpn ipsec site-to-site peer 172.16.3.30 vti esp-group ‘cpesp’

set interfaces vti vti20 address ‘169.255.255.1/32’
set protocols static route 10.100.70.0/24 next-hop ‘169.255.255.2’

Here is the show output from vyos

vyos@VPNGW:~$ show vpn ike sa
Peer ID / IP Local ID / IP


172.16.3.30 172.16.4.30

State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
-----  -------  ----    -------  -----  ------  ------
up     aes256   sha1    2        no     2452    86400

vyos@VPNGW:~$ show vpn ipsec sa
Peer ID / IP Local ID / IP


172.16.3.30 172.16.4.30

Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
------  -----  -------------  -------  ----    -----  ------  ------  -----
vti     up     0.0/75.2K      aes256   sha1    no     2220    3600    all

Here is the debug output
000 “peer-172.16.3.30-tunnel-vti”: 0.0.0.0/0===172.16.4.30[172.16.4.30]…172.16.3.30[172.16.3.30]===0.0.0.0/0; erouted; eroute owner: #2
000 “peer-172.16.3.30-tunnel-vti”: ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 “peer-172.16.3.30-tunnel-vti”: policy: PSK+ENCRYPT+TUNNEL+UP; prio: 0,0; interface: eth0;
000 “peer-172.16.3.30-tunnel-vti”: newest ISAKMP SA: #1; newest IPsec SA: #2;
000 “peer-172.16.3.30-tunnel-vti”: IKE proposal: AES_CBC_256/HMAC_SHA1/MODP_1024
000 “peer-172.16.3.30-tunnel-vti”: ESP proposal: AES_CBC_256/HMAC_SHA1/<N/A>
000 #2: “peer-172.16.3.30-tunnel-vti” STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1306s; newest IPSEC; eroute owner
000 #2: “peer-172.16.3.30-tunnel-vti” esp.62cd2ce8@172.16.3.30 (0 bytes) esp.cd551f05@172.16.4.30 (83244 bytes, 1s ago); tunnel
000 #1: “peer-172.16.3.30-tunnel-vti” STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83865s; newest ISAKMP

#####################################

Sun Jul 31 17:57:02 UTC 2016

  • _________________________ version
  • ipsec --version
    Linux strongSwan U4.5.2/K3.13.11-1-586-vyos
    Institute for Internet Technologies and Applications
    University of Applied Sciences Rapperswil, Switzerland
    See ‘ipsec --copyright’ for copyright information.
  • _________________________ /proc/net/pfkey
  • test -r /proc/net/pfkey
  • cat /proc/net/pfkey
    sk RefCnt Rmem Wmem User Inode
  • _________________________ ip-xfrm-state
  • ip -s xfrm state
    src 172.16.4.30 dst 172.16.3.30
    proto esp spi 0x62cd2ce8(1657613544) reqid 16384(0x00004000) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 9437185/0xffffffff
    auth-trunc hmac(sha1) 0xf9323bf7bdace3ef8145306718211df1aa199d86 (160 bits) 96
    enc cbc(aes) 0x05277315cfd27c17f3637d2743678d0ace3a435a0ae9ff3c2bfdf56c38461470 (256 bits)
    lifetime config:
    limit: soft (INF)(bytes), hard (INF)(bytes)
    limit: soft (INF)(packets), hard (INF)(packets)
    expire add: soft 0(sec), hard 0(sec)
    expire use: soft 0(sec), hard 0(sec)
    lifetime current:
    0(bytes), 0(packets)
    add 2016-07-31 17:30:53 use -
    stats:
    replay-window 0 replay 0 failed 0
    src 172.16.3.30 dst 172.16.4.30
    proto esp spi 0xcd551f05(3444907781) reqid 16384(0x00004000) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    auth-trunc hmac(sha1) 0xd06e3fceb202366fa7a83ee5f2af7410f560328d (160 bits) 96
    enc cbc(aes) 0x5ad58504a8a5173fbeef5b3e0cf07d1544490f1121209f23268a9eae9ab1d270 (256 bits)
    lifetime config:
    limit: soft (INF)(bytes), hard (INF)(bytes)
    limit: soft (INF)(packets), hard (INF)(packets)
    expire add: soft 0(sec), hard 0(sec)
    expire use: soft 0(sec), hard 0(sec)
    lifetime current:
    85512(bytes), 1018(packets)

#conn peer-172.16.3.30-tunnel-vti

#< /etc/dmvpn.conf 1

generated by /opt/vyatta/sbin/dmvpn-config.pl

#> /etc/ipsec.conf 56

  • _________________________ ipsec/secrets
  • /usr/lib/ipsec/_secretcensor
  • /usr/lib/ipsec/_include /etc/ipsec.secrets

#< /etc/ipsec.secrets 1

generated by /opt/vyatta/sbin/vpn-config.pl

172.16.4.30 172.16.3.30 172.16.4.30 172.16.3.30 : PSK “[sums to 7c12…]”

#< /etc/dmvpn.secrets 1

generated by /opt/vyatta/sbin/dmvpn-config.pl

#> /etc/ipsec.secrets 6

  • _________________________ ipsec/listall
  • ipsec listall
    000
    000 List of registered IKEv1 Algorithms:
    000
    000 encryption: BLOWFISH_CBC[openssl] 3DES_CBC[des] AES_CBC[aes] CAMELLIA_CBC[openssl]
    000 integrity: HMAC_MD5[md5] HMAC_SHA1[sha1] HMAC_SHA2_256[sha2] HMAC_SHA2_384[sha2] HMAC_SHA2_512[sha2]
    000 dh-group: MODP_1024[openssl] MODP_1536[openssl] MODP_2048[openssl] MODP_3072[openssl] MODP_4096[openssl]
    000 MODP_6144[openssl] MODP_8192[openssl] ECP_256[openssl] ECP_384[openssl] ECP_521[openssl]
    000 MODP_1024_160[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] ECP_192[openssl] ECP_224[openssl]
    000 random-gen: RNG_STRONG[random] RNG_TRUE[random]
    000
    000 List of registered ESP Algorithms:
    000
    000 encryption: DES_CBC 3DES_CBC CAST_CBC BLOWFISH_CBC NULL AES_CBC AES_CTR AES_CCM_8 AES_CCM_12 AES_CCM_16 AES_GCM_8
    000 AES_GCM_12 AES_GCM_16 CAMELLIA_CBC AES_GMAC SERPENT_CBC TWOFISH_CBC
    000 integrity: HMAC_MD5 HMAC_SHA1 HMAC_SHA2_256 HMAC_SHA2_384 HMAC_SHA2_512 HMAC_RIPEMD AES_XCBC_96 NULL HMAC_SHA2_256_96

List of registered IKEv2 Algorithms:

encryption: AES_CBC[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des] CAMELLIA_CBC[openssl] RC5_CBC[openssl]
IDEA_CBC[openssl] CAST_CBC[openssl] BLOWFISH_CBC[openssl] NULL[openssl] AES_CTR[ctr]
integrity: AES_XCBC_96[xcbc] HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac] HMAC_SHA2_256_128[hmac]
HMAC_SHA2_256_256[hmac] HMAC_MD5_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA2_384_192[hmac]
HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_256[hmac]
aead: AES_CCM_8[ccm] AES_CCM_12[ccm] AES_CCM_16[ccm] AES_GCM_8[gcm] AES_GCM_12[gcm] AES_GCM_16[gcm]
hasher: HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2] HASH_MD5[md5]
HASH_MD2[openssl] HASH_MD4[openssl]
prf: PRF_KEYED_SHA1[sha1] PRF_FIPS_SHA1_160[fips-prf] PRF_AES128_XCBC[xcbc] PRF_HMAC_SHA1[hmac]
PRF_HMAC_SHA2_256[hmac] PRF_HMAC_MD5[hmac] PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac]
dh-group: MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl] MODP_1536[openssl] ECP_256[openssl]
ECP_384[openssl] ECP_521[openssl] ECP_224[openssl] ECP_192[openssl] MODP_3072[openssl] MODP_4096[openssl]
MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl]
MODP_CUSTOM[openssl]
random-gen: RNG_STRONG[random] RNG_TRUE[random]

  • ‘[’ ‘]’
  • _________________________ /proc/net/ipsec_version
  • test -r /proc/net/ipsec_version
  • test -r /proc/net/pfkey
    ++ uname -r
  • echo 'NETKEY (3.13.11-1-586-vyos) support detected ’
    NETKEY (3.13.11-1-586-vyos) support detected
  • _________________________ /proc/net/ipsec-ls
  • test -f /proc/net/ipsec_version
  • _________________________ plutolog
  • case “$1” in
  • cat
  • egrep -i pluto
  • sed -n ‘1492,$p’ /var/log/messages
    Jul 31 17:30:53 VPNGW pluto[6794]: Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID CISCO_QUIRKS
    Jul 31 17:30:53 VPNGW pluto[6794]: including NAT-Traversal patch (Version 0.6c) [disabled]
    Jul 31 17:30:53 VPNGW pluto[6794]: failed to load pkcs11 module ‘/usr/lib/opensc-pkcs11.so’
    Jul 31 17:30:53 VPNGW ipsec_starter[6709]: pluto (6794) started after 20 ms
    Jul 31 17:30:53 VPNGW pluto[6794]: Changing to directory ‘/etc/ipsec.d/crls’
    Jul 31 17:30:53 VPNGW pluto[6794]: listening for IKE messages
    Jul 31 17:30:53 VPNGW pluto[6794]: adding interface eth1/eth1 192.168.60.60:500
    Jul 31 17:30:53 VPNGW pluto[6794]: adding interface eth0/eth0 172.16.4.30:500
    Jul 31 17:30:53 VPNGW pluto[6794]: adding interface lo/lo 127.0.0.1:500
    Jul 31 17:30:53 VPNGW pluto[6794]: adding interface lo/lo ::1:500
    Jul 31 17:30:53 VPNGW pluto[6794]: loading secrets from “/etc/ipsec.secrets”
    Jul 31 17:30:53 VPNGW pluto[6794]: loaded PSK secret for 172.16.4.30 172.16.3.30 172.16.4.30 172.16.3.30
    Jul 31 17:30:53 VPNGW pluto[6794]: loading secrets from “/etc/dmvpn.secrets”
    Jul 31 17:30:53 VPNGW pluto[6794]: added connection description “peer-172.16.3.30-tunnel-vti”
    Jul 31 17:30:53 VPNGW pluto[6794]: “peer-172.16.3.30-tunnel-vti” #1: initiating Main Mode
    Jul 31 17:30:53 VPNGW pluto[6794]: “peer-172.16.3.30-tunnel-vti” #1: ignoring Vendor ID payload [FRAGMENTATION]
    Jul 31 17:30:53 VPNGW pluto[6794]: “peer-172.16.3.30-tunnel-vti” #1: Peer ID is ID_IPV4_ADDR: ‘172.16.3.30’
    Jul 31 17:30:53 VPNGW pluto[6794]: “peer-172.16.3.30-tunnel-vti” #1: ISAKMP SA established
    Jul 31 17:30:53 VPNGW pluto[6794]: “peer-172.16.3.30-tunnel-vti” #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
    Jul 31 17:30:53 VPNGW pluto[6794]: “peer-172.16.3.30-tunnel-vti” #2: sent QI2, IPsec SA established {ESP=>0x62cd2ce8 <0xcd551f05}
  • _________________________ charonlog
  • case “$1” in
  • cat
  • egrep -i charon
  • sed -n ‘1,$p’ /dev/null
  • _________________________ date
  • date
    Sun Jul 31 17:57:02 UTC 2016
    vyos@VPNGW:~$

What possibly could have gone wrong?

I am not able to ping 192.168.60.128 from 10.100.70.100


#2

set interfaces vti vti20 address ‘169.255.255.1/32’
set protocols static route 10.100.70.0/24 next-hop ‘169.255.255.2’

I wonder if VyOS has a clue where to find 169.255.255.2. Since you used /32 mask on VTI.
I’m using /30 mask (running OSPF on it) , you might also get away using interface route instead of your next-hop route.


#3

Yep that was the issue :slight_smile:

I changed it to /30 and it worked fine. Thanks dude …


#4

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.