https://community.checkpoint.com/t5/Firewall-and-Security-Management/R77-30-Ipsec-VPN-traffic-hitting-Clean-up-rule-instead-of-accept/m-p/69263#M11983 <P>Hello Mates,</P><P>&nbsp;</P><P>I am facing this issue with IPSec VPN configured with client end Fortigate firewall. The issue is the phase1 comes up only when I initiate (ping) some traffic to the peer end IP. Even when the user connected to Checkpoint initiating the flow the gateway is not negotiating for either phase1 and/or phase2.&nbsp;</P><P>&nbsp;</P><P>When client forcefully bring phase2 up (in fortigate under vpn monitor section) the phase2 also came up. But even after that the client traffic is getting dropped because of clean up rule even though an existing rule is there for this flow above clean up rule. It seems that rule is invisible for the gateway.</P><P>Also, after sometime the tunnel went down.&nbsp;</P><P>So to sum up:</P><P>1) Gateways not initiating Ipsec negotiation. Only after explicitly initiating the negotiation tunnel comes up.</P><P>2) Even when the tunnel is up, the traffic is getting drop by final clean up rule instead of allow rule which is above clean up rule.</P><P>Please help on this issue. Thanks.</P> Fri, 06 Dec 2019 12:13:17 GMT ashish_verma 2019-12-06T12:13:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R77-30-Ipsec-VPN-traffic-hitting-Clean-up-rule-instead-of-accept/m-p/69263#M11983 <P>Hello Mates,</P><P>&nbsp;</P><P>I am facing this issue with IPSec VPN configured with client end Fortigate firewall. The issue is the phase1 comes up only when I initiate (ping) some traffic to the peer end IP. Even when the user connected to Checkpoint initiating the flow the gateway is not negotiating for either phase1 and/or phase2.&nbsp;</P><P>&nbsp;</P><P>When client forcefully bring phase2 up (in fortigate under vpn monitor section) the phase2 also came up. But even after that the client traffic is getting dropped because of clean up rule even though an existing rule is there for this flow above clean up rule. It seems that rule is invisible for the gateway.</P><P>Also, after sometime the tunnel went down.&nbsp;</P><P>So to sum up:</P><P>1) Gateways not initiating Ipsec negotiation. Only after explicitly initiating the negotiation tunnel comes up.</P><P>2) Even when the tunnel is up, the traffic is getting drop by final clean up rule instead of allow rule which is above clean up rule.</P><P>Please help on this issue. Thanks.</P> Fri, 06 Dec 2019 12:13:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R77-30-Ipsec-VPN-traffic-hitting-Clean-up-rule-instead-of-accept/m-p/69263#M11983 ashish_verma 2019-12-06T12:13:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R77-30-Ipsec-VPN-traffic-hitting-Clean-up-rule-instead-of-accept/m-p/69280#M11984 <P>Basic troubleshooting guide for such issues is&nbsp;<A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108600&amp;partition=Advanced&amp;product=IPSec" target="_blank">sk108600: <STRONG>VPN</STRONG> Site-to-Site with <STRONG>3rd</STRONG> <STRONG>party</STRONG></A></P> <BLOCKQUOTE><HR /></BLOCKQUOTE> Wed, 04 Dec 2019 10:10:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R77-30-Ipsec-VPN-traffic-hitting-Clean-up-rule-instead-of-accept/m-p/69280#M11984 G_W_Albrecht 2019-12-04T10:10:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R77-30-Ipsec-VPN-traffic-hitting-Clean-up-rule-instead-of-accept/m-p/69288#M11985 <P>Hi Ashish,</P> <P>You can do basic troubleshooting for VPN and at last you can run debug and check ike.elg file.</P> <P>Are you generating ICMP traffic while testing tunnel? If so then please check setting "Accept ICMP Request" in general setting. It should be "before last".</P> <P>&nbsp;</P> Wed, 04 Dec 2019 11:25:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R77-30-Ipsec-VPN-traffic-hitting-Clean-up-rule-instead-of-accept/m-p/69288#M11985 Gaurav_Pandya 2019-12-04T11:25:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/R77-30-Ipsec-VPN-traffic-hitting-Clean-up-rule-instead-of-accept/m-p/69302#M11986 <P>Hello Gaurav and G_W_Albrecht</P><P>&nbsp;</P><P>Thanks for your reply. I will check the SK but what I found in ike.elg file is that after Phase2 message1, the cookies value are changed (Both init and responder) in message received by the responder as shown in "info" field in ike.elg file.</P> Wed, 04 Dec 2019 12:27:57 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/R77-30-Ipsec-VPN-traffic-hitting-Clean-up-rule-instead-of-accept/m-p/69302#M11986 ashish_verma 2019-12-04T12:27:57Z