- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
You have set up an IPSEC Tunnel between Barracuda NG Firewall and Checkpoint NG/NGX. You are running multiple nets behind the firewalls. Data flow traversing the tunnels is always disrupted on session rekey between the firewalls.
The problem arises when supernetting is configured on the Checkpoint firewall.
If two or more similar networks are included in the VPN tunnel configuration, they are treated differently by Barracuda NG Firewall and by Checkpoint. netfence makes a clear differentiation between the specified subnets. If supernetting is configured, the Checkpoint firewall merges multiple subnets into one supernet. It thus proposes a subnet value that its Barracuda NG Firewall tunnel partner does not know.
Deactivate supernetting on the Checkpoint firewall. Proceed as follows to do so:
1. Log in to the shell on the Checkpoint firewall and enter Expert mode with the command expert.
2. Type the following commands at the command line interface:
dbedit
modify properties firewall_properties ike_use_largest_possible_subnets false
update properties firewall_properties
quit
3. Open the file $FWDIR/lib/user.def with any text editor (e.g. vi).
vi $FWDIR/lib/user.def
The user.def file should look like the following:
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
...
<first_IP_in_range, last_IP_in_the_range; subnet_mask>
};
#endif /* __user_def__ */
Insert specific values for every required first_IP_in_range, last_IP_in_the_range and subnet_mask value.
Enter ALL nets participating in the IPSEC communication. The adapted lines should look as follows:
max_subnet_for_range = {
<192.168.1.0, 192.168.1.255; 255.255.255.0>,
<192.168.2.0, 192.168.2.255; 255.255.255.0>,
<192.168.50.0, 192.168.255.255; 255.255.0.0>
};
4. Save the user.def file.
5. At the command line interface, type:
fw ctl install
6. Should the same error occur again, execute the following commands at the command line interface:
cpstop
cpstart
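To make the mismatch concrete, the following added example (not Barracuda or Check Point code) models the two behaviours described above with a simplified assumption: the supernetting side is modelled as proposing the single CIDR block covering all configured subnets, while the NG Firewall side only accepts a selector that exactly equals one of its configured subnets. It also renders CIDR subnets into the <first_IP, last_IP; subnet_mask> form that user.def expects; the network names are constructed samples.

```python
"""Added example: model the supernet selector mismatch and render user.def entries."""
import ipaddress
from typing import Iterable, List

# Constructed sample: two of the subnets used in the article's user.def example.
CONFIGURED_NETS = ["192.168.1.0/24", "192.168.2.0/24"]


def smallest_covering_supernet(nets: Iterable[str]) -> ipaddress.IPv4Network:
    """Simplified model of 'largest possible subnet' (an assumption, not
    Check Point's real algorithm): the smallest CIDR block that covers the
    first address of the lowest subnet and the last address of the highest."""
    networks = [ipaddress.ip_network(n) for n in nets]
    lo = min(n.network_address for n in networks)
    hi = max(n.broadcast_address for n in networks)
    candidate = ipaddress.ip_network(f"{lo}/32")
    # Widen the prefix one bit at a time until the block contains both ends.
    while not (candidate.network_address <= lo and hi <= candidate.broadcast_address):
        candidate = candidate.supernet()
    return candidate


def strict_selector_match(proposed: str, configured: Iterable[str]) -> bool:
    """NG Firewall side: a proposed Phase 2 selector is accepted only when it
    is exactly one of the configured subnets; a merged supernet is unknown."""
    return ipaddress.ip_network(proposed) in {ipaddress.ip_network(c) for c in configured}


def user_def_entries(nets: Iterable[str]) -> List[str]:
    """Render one <first_IP, last_IP; mask> entry per CIDR subnet."""
    entries = []
    for net in (ipaddress.ip_network(n) for n in nets):
        entries.append(f"<{net.network_address}, {net.broadcast_address}; {net.netmask}>")
    return entries


def render_max_subnet_block(nets: Iterable[str]) -> str:
    """Assemble the complete max_subnet_for_range block for user.def."""
    return "max_subnet_for_range = {\n" + ",\n".join(user_def_entries(nets)) + "\n};"


if __name__ == "__main__":
    merged = smallest_covering_supernet(CONFIGURED_NETS)
    print("supernet proposed:", merged, "accepted:", strict_selector_match(str(merged), CONFIGURED_NETS))
    print(render_max_subnet_block(CONFIGURED_NETS))
```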