topic Re: IKEv2 VPN between OPNsense and Check Point in Firewall and Security Management

IKEv2 VPN between OPNsense and Check Point

Teddy_Brewski — Mon, 01 Nov 2021 10:36:46 GMT

Hello,

Anyone here with successful IKEv2 IPSec tunnel between OPNsense and Check Point? If I'm not wrong OPNsense runs some variant of *swan IPsec (strongSwan?).

I'm trying to connect OPNsense box running the latest 21.7.3 with Check Point R77.30 without any luck. The tunnel seems to establish fine -- no errors on both sides and they both agree on encryption parameters and encryption domains but I can't see any traffic arriving via the tunnel on the destination server at the Check Point site.

I have no issues whatsoever with IKEv1 -- the tunnel works without any problems with the same parameters.

There is nothing special in terms of configuration: both Phase 1 and 2 are AES-256/SHA1/Group2.VPN

Any hints would be greatly appreciated.

Re: IKEv2 VPN between OPNsense and Check Point

Chris_Atkinson — Mon, 01 Nov 2021 13:52:25 GMT

R77.30 (which JHF version?) is no longer supported, please consider upgrading to a later version such as R80.40 or above.

https://www.checkpoint.com/support-services/support-life-cycle-policy/

Re: IKEv2 VPN between OPNsense and Check Point

Thomas_Eichelbu — Wed, 23 Feb 2022 12:48:37 GMT

Hello,

i just had the same issue, due lack of time we couldn´t dive deeper into it. But no luck with IKEv2.
On CP side it always seems to work a tunnel was up.
SmartView Monitor said OK
"vpn tu tlist" said UP
Check Point seems to be able to send packets into the tunnel, but they were not received on OpenSense side.
Otherway around same issue.

but i received message like this in SmartLog

"Auth exchange: Sending notification to peer: Invalid syntax"

regarding
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk157473
it should have to do with "Change Tunnel Management in Community from "One Tunnel Per Subnet Pair" to "One Tunnel Per Gateway Pair""
but no time to test it ...

changing to IKEv1 made it work.

plattform was R81 + Take 23 plus "Encryption Domain Per community" feature.

perhaps someone go it running with IKEv2?

best regards

and also, R77.30 is end of everythig.

Re: IKEv2 VPN between OPNsense and Check Point

G_W_Albrecht — Wed, 23 Feb 2022 13:52:59 GMT

Starting R80.10, this is possible: sk118536: VPN Site to Site with StrongSwan fails

Re: IKEv2 VPN between OPNsense and Check Point

the_rock — Wed, 23 Feb 2022 14:01:30 GMT

Ok, lets forget the fact you are using R77.30, yes, we all know its unsupported and it has been for long time, but lets see if we can help you out. So, here is my thinking, logically...

So, if if tunnel is up, that tells us that both phase 1 and 2 are correct, for sure. Now, if you say this only happens with ikev2 and not ikev1, can you run quick vpn debug while generating traffic and gather ike files from $FWDIR/log directory on the firewall, as well as vpnd.elg

Just turn on debug by running vpn debug ikeon, generate some traffic, wait couple of minutes and run vpn debug ikeoff to turn debug off.

If you could email me the stuff directly with any relevant IP addresses, I can check it later to see what could be going on. I definitely remember having ikev2 tunnels work back in R77.30...not often, but it did work, for sure.

Re: IKEv2 VPN between OPNsense and Check Point

Thomas_Eichelbu — Wed, 23 Feb 2022 14:57:22 GMT

wow cool!

i love this kernel parameter right from the start

“fw ctl set int strongswan_bug_workaround 1”

i still need the IT guy from the remote site ... then i can try it again with IKEv2!

thank you!

Re: IKEv2 VPN between OPNsense and Check Point

AaronCP — Wed, 23 Feb 2022 21:10:00 GMT

As @the_rock mentioned, running VPN debugs will definitely give you deeper insights into what is happening with the VPN tunnel. SK33327 gives a very good explanation of how to run the debugs. You can use the IKEView tool to open the vpnd.elg & ikev2.xmll files for further analysis/troubleshooting.