topic Re: 2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community in Firewall and Security Management

2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Michalis89 — Mon, 21 Mar 2022 10:17:49 GMT

Hi Checkmates,

I am facing a problem with a Site-to-Site VPN with AWS and i want your help.

I have established a Site-to-Site VPN with AWS and i have 2 Satellite Gateways acting as Primary - Backup.

The problem is that the VPN connectivity is continuously dropping and from AWS they told us that my Checkpoint Gateway is sending a delete of the IPSEC Phase 2 SAs. This also happens just after a successful phase 1 renegotiation. When AWS receives a request to delete the SA, the request is honored. Tunnel is restored after CGW eventually sends a request to negotiate Phase2.

I have already see all the vpnd logs and ike.elg but i am not seeing something that could help me.

Do you know if Checkpoint can cause this problem because is trying to send the traffic at both tunnels in the same time;

Do you know how Checkpoint handles the traffic selection when you have two remote peers inside the same Site-to-Site VPN with the same encryption domain;

Thank you!

Re: 2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Chris_Atkinson — Mon, 21 Mar 2022 12:56:03 GMT

Start with sk108600 scenario 4.

Please also confirm your DPD settings and if the problem also presents after installing policy see also sk142355.

Re: 2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Michalis89 — Thu, 24 Mar 2022 14:11:58 GMT

Thank you very much Chris for your help!! Indeed i cheched the value ike_keep_child_sa_interop_devices and i found that it was set to false after the upgrade to R81.10.

We opened a ticket our Contractor in order to arrange a maintenance windows in order to change this value.

I will inform you after the action is completed and if the problem resolved

Re: 2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Duane_Toler — Wed, 30 Mar 2022 15:19:40 GMT

Hey @Michalis89

I had an issue that sounds like yours with AWS VPNs in R80.30 and R80.40. Working with a TAC escalation engineer (and suggestion @Chris_Atkinson for sk142355), I enabled "keep_IKE_SAs" in the Global Properties "scary place" in that SK.

I also ran a VPN debug at the same time, and see the message in the debug output:

[vpnd .... [29 Mar 18:48:41] CachedObject::istrue: Cache miss: keep_IKE_SAs: true (1)

Good luck!

PS: i call it the "scary place" when I tell customers so they won't go traipsing through it cavalierly 🙂

Re: 2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Michalis89 — Wed, 30 Mar 2022 15:41:16 GMT

Hi Duane and Thank you for your reply! I totally agree with you with the "scary place" 😄
We have already enable the option "keep_IKE_SAs" in the Global Properties in order to set the Checkpoint as a DPD responder.

We also make the action that @Chris_Atkinson mentioned and we set the value of ike_keep_child_sa_interop_devices to true but nothing changed. The tunnels towards AWS are not stable.

After a lot of investigation i think that the solution to the problem is to set VTU Tunnels towards AWS. This is the only way to support Active - Backup Site-to-Site VPN tunnels inside the same VPN community.

The only drawback at this solution is that VTI Tunnels supported only from R81 and above.

Re: 2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Duane_Toler — Wed, 30 Mar 2022 15:58:08 GMT

AH! Are you doing it as 'domain-based' VPN or 'route-based' VPN? My customer AWS VPN is route-based VPN (albeit with static routes). The interoperable object has a VPN domain with a group object that is empty (no group members).

AWS has the VPN template you can download and follow the config samples in their document. You have to do their template because when you download it, they supply the local/remote IPv4 addresses for your VPN tunnel CLISH commands. It'll be 169.254.xxx.yyy

Then do static-route for the remote LAN behind the AWS gateways. In your security policy, you'll use VPN directional matches for traffic to/from the AWS VPN domain. In the community, you'll have DPD with Permanent Tunnels.

With this setup, I see in my VPN debug the "DPD_R_U_THERE" and "DPD_ACK" IKE messages. This is on R80.30, too.

As weird as it seems, the AWS template had the perfect config for it. I was surprised. 🙂

Re: 2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Juan_ — Wed, 30 Mar 2022 15:58:23 GMT

Hi,

VTI is supported on R80.X.

And yes, AWS VPNs are normally confiugred with VTI + Routing

Re: 2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Michalis89 — Wed, 30 Mar 2022 18:36:56 GMT

Hi Juan,

Based on the below sk(sk79700) for VSX environments the VTI feature is supported from R81 version and later.

VSX supported features (checkpoint.com)

I believe the only solution is to upgrade my gateways to R81.10 and configure the specific Site-to-Site VPN VPN community with VTI and Routed Mode

Re: 2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Duane_Toler — Wed, 30 Mar 2022 19:21:36 GMT

Oh. VSX. Yeah that's different. 😞 "add vpn tunnel" is not a CLISH command in VSX (as of R80.40). You'll need R81+ indeed.

Re: 2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Michalis89 — Thu, 31 Mar 2022 10:03:00 GMT

Hi Duane, we have already done all of the above but with Domain-based VPN.

Unfortunately we have to upgrade to R81 version and higher in order to make this configuration stable for our VSX environment.