topic Re: How to configure S2S VPN Responder Only? in Firewall and Security Management

How to configure S2S VPN Responder Only?

StackCap43382 — Fri, 08 Jan 2021 16:12:17 GMT

Hi All,

Have a bit of a strange issue I'm hoping someone has an answer for.

Basically we have a situation where there is a 3rd party NAT device breaking VPN connectivity to a peer.

If the peer initiates the tunnel then the VPN comes up

If our side attempts it then it all goes wrong.

There is 0% chance of any config changes to the remote peer side so we are stuck with this.

There are also other VPNS terminating on our Check Points.

A fudge-fix is to stop our side attempting to bring up the tunnel and respond only but I cant find any articles how to do this on a Check Point.

Can anyone point me to a relevant article?

Is Responder Mode supported on a Check Point?

Is if it is it global or can it be peer-limited?

Cheers

Re: How to configure S2S VPN Responder Only?

Jose_Manuel_Gar — Fri, 08 Jan 2021 17:43:23 GMT

Hello,

There is an sk that works with DAIP SMB devices. It's SK101911. Not sure if it works with 3rd party peers but you can try.

Best regards

Re: How to configure S2S VPN Responder Only?

PhoneBoy — Sat, 09 Jan 2021 01:30:19 GMT

IKE Initiation Prevention - By default, when a valid IKE SA is not available, a DPD request message triggers a new IKE negotiation. To prevent this behavior, set the property dpd_allowed_to_init_ike to false.
Edit the property in GuiDBedit Tool (see sk13009) > Network Objects > network_objects > <gateway Name> > VPN.

Re: How to configure S2S VPN Responder Only?

StackCap43382 — Tue, 12 Jan 2021 11:15:39 GMT

Hi All,

DAIP object is the answer:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk36968

By configuring the 3rd party as a DIAP we force the Check Point to responder mode only.

Re: How to configure S2S VPN Responder Only?

Juan_ — Wed, 03 Feb 2021 12:55:33 GMT

Hi Dameon,

Regarding S2S Responder Only. Would it be an option to increase P1 lifetime just on ckp side?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk116615&partition=Advanced&product=IPSec

According to this sk at least.

All my engineer life i've tried to match both values on both ends but it seems now to be a value only valid locally?

Or maybe is it just for IkeV2 implementations?

Azure also states:

https://docs.microsoft.com/en-us/azure/vpn-gateway/ipsec-ike-policy-howto

"The SA lifetimes are local specifications only, do not need to match."

Re: How to configure S2S VPN Responder Only?

PhoneBoy — Thu, 04 Feb 2021 05:39:32 GMT

I would say: try it and report back.
Yes, historically we've suggested that VPN parameters should match, and in some cases they need to.

Re: How to configure S2S VPN Responder Only?

raj_p — Tue, 14 May 2024 07:24:36 GMT

Hi,

We are also facing the same issue with our VPN.

Is the property change "dpd_allowed_to_init_ike to false." specific to a peer or is it global?

Re: How to configure S2S VPN Responder Only?

PhoneBoy — Tue, 14 May 2024 21:47:43 GMT

It is specific to the peer on which it is configured in GUIdbedit.