https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112626#M15656 <P>Simple ping from one GW to the other one will cause that VPN will try to be established with relevant VPN configuration in place on both ends.</P> Sun, 07 Mar 2021 08:29:27 GMT JozkoMrkvicka 2021-03-07T08:29:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112623#M15654 <P>hey,</P><P>i think a feature request for testing those configuration can have a good value for troubleshooting.</P><P>based on the security policy for example we might need to have someone on the other side to generate traffic, something we dont have 100%.</P><P>some test command can be useful to make the GW try to establish the vpn tunnel just for those parameter&nbsp;</P> Sun, 07 Mar 2021 07:48:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112623#M15654 Dor_Marcovitch 2021-03-07T07:48:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112626#M15656 <P>Simple ping from one GW to the other one will cause that VPN will try to be established with relevant VPN configuration in place on both ends.</P> Sun, 07 Mar 2021 08:29:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112626#M15656 JozkoMrkvicka 2021-03-07T08:29:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112627#M15657 <P>this should work only if the GW is in the encryption domain</P> Sun, 07 Mar 2021 08:32:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112627#M15657 Dor_Marcovitch 2021-03-07T08:32:09Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112630#M15658 <P>Not really, the peer IP of GW (cluster IP) to be used for VPN itself is considered as valid part of VPN.</P> <P>In case of VPN performance and best practises, see:</P> <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105119" target="_blank" rel="noopener"><SPAN>Best Practices - VPN Performance</SPAN></A></P> <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&amp;eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk73980" target="_blank" rel="noopener"><SPAN>Relative speeds of algorithms for IPsec and SSL</SPAN></A></P> <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk104760" target="_blank" rel="noopener"><SPAN>ATRG: VPN Core</SPAN></A></P> Sun, 07 Mar 2021 08:45:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112630#M15658 JozkoMrkvicka 2021-03-07T08:45:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112647#M15672 <P>There doesn't seem to be a way to simulate a VPN peer initiating a IKE negotiation to your Check Point firewall, at least that I can see.&nbsp; Once the tunnel is up (no matter who initiated it) it is a two-way street, but in an interoperable scenario sometimes there will be a IKEv1 Phase 2 subnet/Proxy-ID negotation failure if one side initiates the tunnel, but the other side can initiate it just fine.&nbsp; Not much you can really do about this except have the VPN peer try to initiate to you and see what happens.</P> Sun, 07 Mar 2021 15:27:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Testing-VPN-phase1-and-phase2/m-p/112647#M15672 Timothy_Hall 2021-03-07T15:27:58Z