With CHKP and VPN, your Traffic Selectors will be narrowed down to longer CIDR if the peer sends a longer CIDR length
The following ;
If the peer sends a 10.88.204.0/27 or 10.88.204.73/32 the Checkpoint will negotiate and install an IPsec Security Association for the more specific destination
Fortigate does the same thing btw but it will display the following "Dynamic proxyid as a result of selector narrowing"
The checkpoint appliance just does not make it so obvious that narrowing has taken place.
This process typically does not issues unless traffic exiting is using the wrong SPI. You will see issues in a lot of firewall Forcepoint and checkpoint primarily where the traffic is exiting using the wrong SPI. You can easily find the SPI used by using a packet size of 666 as an example and capture the ESP datagram on exit and review the SPI #
tcpdump -nnvv -i wan proto 50 and less 790 and greater 666
And on a host generate a ping of 666 bytes { ping -s 666 x.x.x. }
The ESP datagram will stick out and you can verify the SPI value in hex to the IPsec SA.
No comments:
Post a Comment