<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Checkpoint VPN as responder only in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64348#M12320</link>
    <description>&lt;P&gt;Hello All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am in the midst of troubleshooting a VPN between Checkpoint (R80.10) and a Palo Alto firewall. This site-to-site tunnel is configured to use a certificate for authentication.&lt;/P&gt;&lt;P&gt;During the course of our troubleshooting there was an unknown bug identified in the Palo Alto firewall due to which it has to be the initiator of the tunnel till the time a fix is available. The issue pops up whenever Checkpoint becomes the initiator instead, and the Palo Alto firewall stops responding.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now coming to the requirement, is there a way I can force Checkpoint to always be just the responder in a VPN tunnel? I am not talking about DPD responder, but at the level of negotiation. Basically, at any point in time, I do not want Checkpoint to initiate a request to bring up the VPN either due to inactivity or idle timeout.&lt;/P&gt;</description>
    <pubDate>Fri, 04 Oct 2019 08:46:56 GMT</pubDate>
    <dc:creator>Udupi_krishna</dc:creator>
    <dc:date>2019-10-04T08:46:56Z</dc:date>
    <item>
      <title>Checkpoint VPN as responder only</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64348#M12320</link>
      <description>&lt;P&gt;Hello All,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I am in the midst of troubleshooting a VPN between Checkpoint (R80.10) and a Palo Alto firewall. This site-to-site tunnel is configured to use a certificate for authentication.&lt;/P&gt;&lt;P&gt;During the course of our troubleshooting there was an unknown bug identified in the Palo Alto firewall due to which it has to be the initiator of the tunnel till the time a fix is available. The issue pops up whenever Checkpoint becomes the initiator instead, and the Palo Alto firewall stops responding.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Now coming to the requirement, is there a way I can force Checkpoint to always be just the responder in a VPN tunnel? I am not talking about DPD responder, but at the level of negotiation. Basically, at any point in time, I do not want Checkpoint to initiate a request to bring up the VPN either due to inactivity or idle timeout.&lt;/P&gt;</description>
      <pubDate>Fri, 04 Oct 2019 08:46:56 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64348#M12320</guid>
      <dc:creator>Udupi_krishna</dc:creator>
      <dc:date>2019-10-04T08:46:56Z</dc:date>
    </item>
    <item>
      <title>Re: Checkpoint VPN as responder only</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64349#M12321</link>
      <description>&lt;P&gt;Apologies, I did not realize that I was under the Threat Prevention forum. I did not find a way to move it to the right section either.&lt;/P&gt;</description>
      <pubDate>Fri, 04 Oct 2019 08:48:44 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64349#M12321</guid>
      <dc:creator>Udupi_krishna</dc:creator>
      <dc:date>2019-10-04T08:48:44Z</dc:date>
    </item>
    <item>
      <title>Re: Checkpoint VPN as responder only</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64369#M12322</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;As long as you don't initiate traffic from your side and the permanent tunnel option is not set, the VPN tunnel shouldn't come up on its own. By default, if there is no activity the tunnel will shut down.&lt;/P&gt;</description>
      <pubDate>Fri, 04 Oct 2019 13:35:41 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64369#M12322</guid>
      <dc:creator>FedericoMeiners</dc:creator>
      <dc:date>2019-10-04T13:35:41Z</dc:date>
    </item>
    <item>
      <title>Re: Checkpoint VPN as responder only</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64414#M12323</link>
      <description>Don't worry, I can fix moving it to the right place. &lt;span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:"&gt;😁&lt;/span&gt;&lt;BR /&gt;&lt;BR /&gt;As for the question you asked, unless you've got a permanent tunnel configured, what determines whether or not the VPN connection is initiated is the initiation of traffic.&lt;BR /&gt;If you want to ensure the Palo side is initiating the VPN, something on that side of the connection should be generating regular traffic (e.g. ping) through the VPN.</description>
      <pubDate>Sat, 05 Oct 2019 04:45:42 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64414#M12323</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2019-10-05T04:45:42Z</dc:date>
    </item>
    <item>
      <title>Re: Checkpoint VPN as responder only</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64429#M12324</link>
      <description>&lt;P&gt;Thanks for the fix :).&lt;/P&gt;&lt;P&gt;Ping was definitely an option suggested to the client. The problem is there are chances that servers behind Checkpoint can attempt to initiate traffic as part of an application automation.&lt;/P&gt;&lt;P&gt;The only goal I was trying to look for is if Checkpoint would never attempt to become an initiator regardless of where the traffic comes from. For example, Palo Alto within its VPN configuration has an option called passive mode, which basically forces it not to become the initiator during a negotiation phase.&lt;/P&gt;</description>
      <pubDate>Sat, 05 Oct 2019 16:43:22 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Checkpoint-VPN-as-responder-only/m-p/64429#M12324</guid>
      <dc:creator>Udupi_krishna</dc:creator>
      <dc:date>2019-10-05T16:43:22Z</dc:date>
    </item>
  </channel>
</rss>

