topic Re: IPSEC phase2 per subnet still creating per host in Firewall and Security Management

IPSEC phase2 per subnet still creating per host

jtorella-chsli — Sat, 23 Jan 2021 06:31:06 GMT

I have a GAIA R77.30 gateway. We recently upgraded our management station to R80.40. Since then we are noticing that tunnels that we have created for per subnet are having issues. When we examine the logs we noticed that the gateway is actually attempting to create a per host tunnel. We are noticing multiple SA's in phase 2 when we should only see one since all our clients are on the same /24 network. Does anyone have any suggestions.

Thank you for whatever help you can offer.

Re: IPSEC phase2 per subnet still creating per host

PhoneBoy — Sat, 23 Jan 2021 06:43:32 GMT

Could be this issue: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk39679&partition=Advanced&product=IPSec

Re: IPSEC phase2 per subnet still creating per host

jtorella-chsli — Sun, 24 Jan 2021 03:01:24 GMT

Hi Phoneboy,

Thank you but we are not using exclusions in our encryption domain for this community, We created a group with just the subnets that are needed in the encryption domain. We did try "One tunnel per gateway pair" with no luck. This problem seem to only start when we updated our management station to R80.40 and the gateways are still R77.30. Could there be an incompatibility between the management station and gateways? Also I know that the management station R80.40 supports "user defined" domain for each community but does the R77.30 gateways support it? When I pushed policy I didn't get any errors so i assumed it works.

Re: IPSEC phase2 per subnet still creating per host

PhoneBoy — Sun, 24 Jan 2021 03:12:57 GMT

R80.40 can manage R77.30 gateways.
However, R77.30 is End of Support.

As far as I know, the VPN Domain Per Community feature does not require gateways to also be on R80.40+.
However, at least for SMB appliances running R77.20.x, it doesn't appear to work: https://community.checkpoint.com/t5/General-Topics/R80-40-Question-about-encryption-domain-per-VPN-community/td-p/82738

You can open a TAC case here, but support will only be provided on best-effort basis.
Upgrading to a supported release is definitely recommended.

Re: IPSEC phase2 per subnet still creating per host

the_rock — Sun, 24 Jan 2021 04:08:23 GMT

Hi,

Could you share example of the log where this happens? Yes, there are some supernetting guidbedit things that changed in R80, compared to before in R77. There is also file on mgmt server called crypt.def for excluding certain IP ranges, but does not sound you even have that configured. Is it only one tunnel with this issue or multiple? If its one, you can simply reset it via vpn tu command on gateway, but if its multiple, sounds like it could be global issue. Happy to do remote session and see if I can help you fix it.

Andy

Re: IPSEC phase2 per subnet still creating per host

jtorella-chsli — Sun, 24 Jan 2021 18:09:40 GMT

Thanks. We did open a TAC case already and they cant explain it either. We have it set to per subnet but it is clearly doing per host. As a temporary fix we asked our partner to set their side (ASA) to per host and things are working. Our partner does want to leave the tunnel as per host permanently and would like us to resolve so they can set it back to per subnet. We will continue to push TAC to looking it further. Thanks for your help.

Re: IPSEC phase2 per subnet still creating per host

CheckPointerXL — Thu, 20 Jul 2023 13:55:31 GMT

i all, anyone did fix this issue?

this is causing random outage to traffic flow inside the vpn in a one-direction way:

r81.10 t79

the fix is not the one in sk39679