Barracuda NextGen Firewall X

IPSEC Site to Site Tunnels with Checkpoint and multiple subnets

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00005122 
This solution applies to:
- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x


You have set up an IPSEC Tunnel between Barracuda NG Firewall and Checkpoint NG/NGX. You are running multiple nets behind the firewalls. Data flow traversing the tunnels is always disrupted on session rekey between the firewalls. 




The problem arises when supernetting is configured on the Checkpoint firewall.

If two or more adjacent networks are included in the VPN tunnel configuration, they are treated differently by Barracuda NG Firewall and by Checkpoint. netfence keeps each specified subnet distinct. If supernetting is configured, the Checkpoint firewall merges multiple subnets into one supernet and thus proposes a subnet value that its Barracuda NG Firewall tunnel partner does not know.



Deactivate supernetting on the Checkpoint firewall. Proceed as follows to do so:


1. Log in to the shell on the Checkpoint and enter Expert mode with the command expert.


2. Type the following commands at the command line interface:

  modify properties firewall_properties ike_use_largest_possible_subnets false
  update properties firewall_properties


3. Open the file $FWDIR/lib/user.def with any text editor (e.g. vi).

    vi $FWDIR/lib/user.def


    The user.def file should look like the following:
  #ifndef __user_def__
  #define __user_def__

  // User defined INSPECT code 

  max_subnet_for_range = {
  <first_IP_in_range, last_IP_in_the_range; subnet_mask>,
  <first_IP_in_range, last_IP_in_the_range; subnet_mask>,
  <first_IP_in_range, last_IP_in_the_range; subnet_mask>
  };

  #endif /* __user_def__ */


    Insert specific values for every required first_IP_in_range, last_IP_in_the_range and subnet_mask value.
    Enter ALL nets participating in the IPSEC communication. The adapted lines should look as follows:

  max_subnet_for_range = {

4. Save the user.def file.


5. At the command line interface type:

  fw ctl install


6. Should the same error occur again execute the following commands at the command line interface.
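The following added example (not from this article, and not Checkpoint or Barracuda code) illustrates the cause described above and the fix in step 3: it emulates how the "largest possible subnet" setting collapses adjacent encryption-domain subnets into a supernet the Barracuda side never configured, and renders the matching max_subnet_for_range entries for user.def. The subnets used are constructed sample values.

```python
import ipaddress

# Constructed sample encryption domain behind the Checkpoint gateway.
LOCAL_SUBNETS = ["10.10.0.0/24", "10.10.1.0/24",
                 "192.168.50.0/25", "192.168.50.128/25"]


def supernetted_proposals(subnets):
    """Emulate ike_use_largest_possible_subnets=true: adjacent networks are
    merged into the largest aggregate, which is what gets proposed in the
    Phase 2 (Quick Mode) traffic selector instead of the individual subnets."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def unexpected_for_peer(proposed, peer_configured):
    """Proposed networks the Barracuda NG side never configured. Any entry
    here is the selector mismatch that drops traffic at rekey."""
    configured = {ipaddress.ip_network(s) for s in peer_configured}
    return [p for p in proposed if ipaddress.ip_network(p) not in configured]


def max_subnet_for_range_entries(subnets):
    """One <first_IP, last_IP; mask> line per subnet, in the format of the
    user.def template above. last_IP is taken as the last address of the
    range (the network's broadcast address)."""
    lines = []
    for s in subnets:
        n = ipaddress.ip_network(s)
        lines.append(f"<{n.network_address}, {n.broadcast_address}; {n.netmask}>")
    return lines


def render_user_def_block(subnets):
    """Full max_subnet_for_range block, comma-separated and closed with '};'."""
    entries = max_subnet_for_range_entries(subnets)
    return "max_subnet_for_range = {\n" + ",\n".join(entries) + "\n};"


if __name__ == "__main__":
    proposed = supernetted_proposals(LOCAL_SUBNETS)
    print("supernetted proposals :", proposed)
    print("unknown to Barracuda  :", unexpected_for_peer(proposed, LOCAL_SUBNETS))
    print(render_user_def_block(LOCAL_SUBNETS))
```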



