topic Re: IPsec S2S VPN issue - IKEV2 in Firewall and Security Management

IPsec S2S VPN issue - IKEV2

Nandhakumar — Wed, 17 Nov 2021 07:28:26 GMT

Hi,

Our side gateway - Checkpoint R81

Remote side gateway - Cisco ASR

We built tunnel to remote side and it was working fine for some days and it stopped working since last 3 days. I have checked logs in smart console and observed peer is getting authenticated successfully. After that our gateway sending reject message with "Informational exchange: Exchange failed: timeout reached".

Can someone please advise here, what can we check in this case from our side to make sure nothing caused block from checkpoint end.

Re: IPsec S2S VPN issue - IKEV2

PhoneBoy — Fri, 19 Nov 2021 08:17:37 GMT

Might try: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157473&partition=Advanced&product=IPSec

Re: IPsec S2S VPN issue - IKEV2

Nandhakumar — Sat, 20 Nov 2021 08:30:00 GMT

No my issue was not related to that one.

In S2S VPN, Checkpoint negotiating internal IP address as IKE ID to remote side but actually it should negioate with external internet facing IP address.

Even after we have chosen Link selection to use external IP address, still it use internal one. This was observed at remote side network engineer and after he changed remote identity match from actual our gateway external IP to our gateway internal IP, it started working fine.

After 4 months, customer told that VPN connection was stopped working and this was happened just after we installed R81 hotfix take 36. Vendor side engineer checked and confirmed that he now could see IKE ID as our gateway external IP address. Even though this would be correct way, I am wondering how it switching between internal or external IP address?

Re: IPsec S2S VPN issue - IKEV2

the_rock — Sat, 20 Nov 2021 14:08:06 GMT

If you were to run this command on your gateway, what do you see:

tcpdump -nni any host x.x.x.x and proto 50

where x.x.x.x is external remote IP address