GreatBeaver
just joined
Topic Author
Posts: 8
Joined: Mon May 16, 2022 3:28 pm

Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Mon May 16, 2022 4:36 pm

Hello there.

I encountered the following issue. Our office hosts a VPN server (L2TP\IPsec) on the Checkpoint firewall; I don't know the exact model. Windows, iOS, and Android devices connect to it perfectly well. But I can't make a hAP ac2 (RouterOS 7.2.3) establish a connection to it, though I have another L2TP\IPsec server that I had no issue with.

The log shows the following message:
"notification message 17:INVALID-KEY-INFORMATION, doi=1 proto_id=3 spi=08511a9b‡j.¾í{÷Xä¦8X"

The network administrator provided me with the Checkpoint error for my connection:
"IKE failure: Quick Mode New DH Key received during Quick Mode from a peer, but Perfect Forward Secrecy is not set in the community."

Google brought me to several pages, including the Checkpoint site, that claim the problem is in PFS (Perfect Forward Security) during phase 2 of IKE, with a recommendation to turn on PFS on the Checkpoint side. I think this is not an option as it is not recommended by the Checkpoint manual; all other clients work well with the current configuration and such a change could harm them.

Another option is to disable PFS on the hAP side, but this does not help. I changed the IPsec proposal PFS Group from the default modp1024 to none and got another error:
"notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0c6f7361D"

I also tried all other PFS Groups with no success.

Any ideas on how to make it work?

Thank you!

Links:
https://forums.clavister.com/viewtopic.php?t=3699
https://old.ispforum.cz/viewtopic.php?t=23821
https://sc1.checkpoint.com/documents/R8 ... nd-IKE.htm
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Mon May 16, 2022 5:07 pm

Hello,
CLI export config
export hide-sensitive file=name
CLI logging
/system logging
add prefix=L2TP----> topics=l2tp,!packet
add prefix=IPSEC----> topics=ipsec,!packet
GreatBeaver
just joined
Topic Author
Posts: 8
Joined: Mon May 16, 2022 3:28 pm

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Mon May 16, 2022 5:45 pm

Here we are!

I should also mention that my ISP works through L2TP\IPsec, but it is not an issue for other L2TP\IPsec VPN servers.
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Mon May 16, 2022 9:06 pm

So they did agree on the DH, but I couldn't find anything useful other than these.
Your export is missing the IPsec P1, P2 section.
2022-05-16_22-16-22.png
LOG
-compare proposal #4: Local:Peer
(lifetime = 86400:86400)
(lifebyte = 0:0)
enctype = 3DES-CBC:3DES-CBC
(encklen = 0:0)
hashtype = SHA:SHA
authmethod = pre-shared key:pre-shared key
dh_group = 1024-bit MODP group:1024-bit MODP group
-an acceptable proposal found-
dh(modp1024)
-agreed on pre-shared key auth

------------------------------------------------------------------------------------
OFFICE_IP Hashing
NAT-D payload #1 verified
hash(sha1)
NAT-D payload #2 doesn't match
OFFICE_IP Hashing
hash(sha1)
NAT-D payload #3 doesn't match
both sides none.png
client set II server none.png
client set server none.png
PFS set both sides.png
GreatBeaver
just joined
Topic Author
Posts: 8
Joined: Mon May 16, 2022 3:28 pm

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Tue May 17, 2022 10:45 am

You are right, the config lacks the IPsec section. Probably because it is the default. Just in case, I attached a screenshot of these settings.
Thank you for pointing out the payload mismatch in the log, I totally missed it.
I'm not sure what it means, but probably it has something to do with the fact that my hAP is located behind ISP NAT, or maybe even more than one.

In this part of the log 10.215.36.157 is a private address in my ISP network and 40.7.112.69 is the Checkpoint server's white IP.
Probably the root of the problem is that the payload contains a hash of a private IP address instead of an external one.
Is there a way to make it use the external IP?
As you can see on the screenshot, NAT Traversal is enabled.
Maybe I should add some route to force this L2TP tunnel to work through the provider's L2TP?

Thank you!

10.215.36.157 Hashing 10.215.36.157[500] with algo #2
hash(sha1)
NAT-D payload #0 doesn't match
40.7.112.69 Hashing 40.7.112.69[500] with algo #2
hash(sha1)
NAT-D payload #1 verified
40.7.112.69 Hashing 40.7.112.69[500] with algo #2
hash(sha1)
NAT-D payload #2 doesn't match
40.7.112.69 Hashing 40.7.112.69[500] with algo #2

own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Tue May 17, 2022 12:24 pm

You can capture the packets to be sure about it. I do have a client that is getting a private IP from the ISP PPPoE; a few days ago I set up IKEv2 at the MT router with no issue. Regardless of the IKEv2 vs L2TP difference, the peer never used a private IP to contact the server. Maybe your NAT rules? I could not piece all of your configs together, so it might be there.

GreatBeaver
just joined
Topic Author
Posts: 8
Joined: Mon May 16, 2022 3:28 pm

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Tue May 17, 2022 2:46 pm

I checked NAT rules but don't see what can be wrong. I made an export of the firewall config.

own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Tue May 17, 2022 2:53 pm

@GreatBeaver
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related connection-mark=no-mark
NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface=l2tp-out
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
GreatBeaver
just joined
Topic Author
Posts: 8
Joined: Mon May 16, 2022 3:28 pm

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Tue May 17, 2022 6:37 pm

Unfortunately, I don't understand what you mean by that.
First of all, I enabled fast-track, but it broke my internet connection, so I disabled it again.
Then I tried all options for the IPsec policy for both the WAN and L2TP-OUT interfaces; it doesn't work.

Could you please add some explanations for what to change?

Also, I exported another log that includes packets.

Thank you!
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Tue May 17, 2022 7:06 pm

@GreatBeaver
fast-track
But you have two fast-track rules in your firewall: one of them is disabled and the other one is enabled. When you mark your connection with mangle, you should exclude them with "no-mark" in the connection mark of the fast-track rule, or accept the marked connection before the fast-track firewall rule.
Could you please add some explanations for what to change?
Change the order to match the code so the VPN masquerade rule has a higher priority than WAN. The log is still the same as before.
GreatBeaver
just joined
Topic Author
Posts: 8
Joined: Mon May 16, 2022 3:28 pm

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Tue May 17, 2022 8:27 pm

There is some misunderstanding. I don't have 2 fast-track rules, just one.
I don't see it in my last firewall export or in the GUI. So I have one disabled fast-track rule.
I tried to change the order of the NAT rules, even deleted and recreated them in the suggested order, but it doesn't help either.

GreatBeaver
just joined
Topic Author
Posts: 8
Joined: Mon May 16, 2022 3:28 pm

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Wed May 18, 2022 12:04 pm

I connected the hAP to another L2TP server on AWS with success and compared the logs.
Both logs have the "NAT-D payload doesn't match" error, but the one that works has just two rounds of hashing instead of 4 on the connection that doesn't work.

Also, they detect NAT differently:
Working connection: ipsec IPSEC: NAT detected: ME PEER
Not working connection: ipsec IPSEC: NAT detected: ME

I was unable to find what the differences between these two NAT modes are.

Could you direct me where to look? And what is the difference between these modes?
own3r1138
Long time Member
Posts: 680
Joined: Sun Feb 14, 2021 12:33 am
Location: Pleiades
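The "NAT detected: ME" versus "ME PEER" lines come from the RFC 3947 NAT-D check, and the number of "Hashing" rounds is simply the number of NAT-D payloads the peer sent. The following is an added example (not from this thread or from RouterOS) that recomputes the NAT-D hashes and the detection result for both cases; the IKE cookies, the hAP's public NAT address, the extra Checkpoint interface addresses and the AWS addresses are constructed, only 10.215.36.157 and 40.7.112.69 are from the log above.

```python
import hashlib
import ipaddress
import struct

# Constructed IKE cookies; real CKY-I / CKY-R are the 8-byte values of the phase 1 SA.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")


def natd_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D value: HASH(CKY-I | CKY-R | IP | Port), IP and port in network order."""
    h = hashlib.new(algo)
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port))
    return h.digest()


def build_natd_payloads(cky_i, cky_r, dst, local_addrs):
    """Sender side: payload #0 hashes the peer's address as the sender sees it (the UDP
    destination); payloads #1.. hash every local address the sender might source from."""
    return [natd_hash(cky_i, cky_r, ip, port) for ip, port in [dst] + local_addrs]


def detect_nat(cky_i, cky_r, received, my_local, pkt_src):
    """Receiver side, the comparison RouterOS logs per payload. Payload #0 is checked
    against our own local address, the rest against the packet's observed source.
    Returns the set RouterOS prints after 'NAT detected:' (subset of {'ME', 'PEER'})."""
    found = set()
    if received[0] != natd_hash(cky_i, cky_r, *my_local):
        found.add("ME")    # our address was rewritten on the path: we are behind NAT
    if natd_hash(cky_i, cky_r, *pkt_src) not in received[1:]:
        found.add("PEER")  # the peer's source was rewritten on the path: peer is behind NAT
    return found


def office_case():
    # Checkpoint sends to the hAP's public NAT address (constructed 198.51.100.23) and lists
    # three local interface addresses; 40.7.112.69 is from the thread, the others are constructed.
    sent = build_natd_payloads(CKY_I, CKY_R, ("198.51.100.23", 500),
                               [("40.7.112.69", 500), ("192.0.2.1", 500), ("192.0.2.2", 500)])
    # The hAP only knows its ISP-side private address; the packet arrives from 40.7.112.69.
    return detect_nat(CKY_I, CKY_R, sent, ("10.215.36.157", 500), ("40.7.112.69", 500))


def aws_case():
    # A cloud host whose interface carries a private address behind a 1:1 NAT (constructed).
    sent = build_natd_payloads(CKY_I, CKY_R, ("198.51.100.23", 500), [("172.31.5.9", 500)])
    return detect_nat(CKY_I, CKY_R, sent, ("10.215.36.157", 500), ("203.0.113.44", 500))


if __name__ == "__main__":
    print("office:", office_case())  # {'ME'}: only the hAP is behind NAT
    print("aws:", aws_case())        # {'ME', 'PEER'}: both ends are behind NAT
```

The four hashing rounds in the failing log therefore mean the Checkpoint advertised three local addresses, one of which matched; the mismatches on the remaining payloads are expected and are not an error by themselves.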

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Wed May 18, 2022 12:49 pm

@GreatBeaver

Sorry, I can't think of anything. However, if you could test the VPN on a VM, or make a backup, do a reset config, and check the result as it is right now. I could not produce the same result, so I can't give you an answer; perhaps more experienced members can give you better advice. Also, my log does not have any mismatch, but yours does.
2022-05-18_14-04-31.png
GreatBeaver
just joined
Topic Author
Posts: 8
Joined: Mon May 16, 2022 3:28 pm

Re: Checkpoint L2TP\IPsec VPN server IKE phase 2 PFS issue

Wed May 18, 2022 1:23 pm

@own3r1138

It is a strange error. I'm almost sure that the problem is related to the Mikrotik to Checkpoint connection, as my colleague has a similar problem with his hAP ac3 and he has another ISP.
For now, I bypass this by using another office VPN hosted on a Windows server that connects right away and works well.
If I find a solution I will post it.

Thank you so much for your time and effort!