https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-behavior-question-Break-before-make-Make-before-break/m-p/178770#M32740 <P>This SK suggests we are using Break Before Make:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk171756" target="_blank">https://support.checkpoint.com/results/sk/sk171756</A>&nbsp;</P> Fri, 21 Apr 2023 20:07:31 GMT PhoneBoy 2023-04-21T20:07:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-behavior-question-Break-before-make-Make-before-break/m-p/178592#M32709 <P>Hi,</P><P>a customer asks how check point handles this behavior that you can configure with cisco or strongwan:</P><P>&nbsp;</P><P><STRONG>Break-before-make</STRONG></P><P>This is the <STRONG>default</STRONG> behavior of the IKE daemon when reauthenticating an IKEv2 SA. It means that all IKE_SAs and CHILD SAs are torn down before recreating them. This will cause some interruptions during which no IPsec SAs are installed. If trap policies are used it could also trigger unnecessary acquires and hence duplicate IPsec SAs during that downtime. To prevent plaintext traffic from leaving the host appropriate firewall rules or drop policies may be used.</P><P><STRONG>Make-before-break</STRONG></P><P>This method first creates duplicates of the IKE SAs and all CHILD SAs overlapping with the existing ones and then deletes the old ones. This avoids interruptions but requires that both peers can handle overlapping SAs (e.g. in regards to virtual IPs, duplicate policies or updown scripts). It is supported for IKEv2 since version 5.3.0 but is disabled by default and may be enabled by explicitly setting</P><P><BR />Any information available on that?<BR /><BR />thanks</P><P>reinhard</P> Thu, 20 Apr 2023 08:47:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-behavior-question-Break-before-make-Make-before-break/m-p/178592#M32709 ReinhardS 2023-04-20T08:47:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-behavior-question-Break-before-make-Make-before-break/m-p/178770#M32740 <P>This SK suggests we are using Break Before Make:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk171756" target="_blank">https://support.checkpoint.com/results/sk/sk171756</A>&nbsp;</P> Fri, 21 Apr 2023 20:07:31 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-behavior-question-Break-before-make-Make-before-break/m-p/178770#M32740 PhoneBoy 2023-04-21T20:07:31Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-behavior-question-Break-before-make-Make-before-break/m-p/178780#M32744 <P>Thats superb question...I had guy dealing with Cisco ask that once when we were with escalation guy from CP trying to fix CP-Cisco VPN and what&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;said was indeed the right assesment. Esc. guy gave that exact same sk.</P> <P>Have an awesome weekend!&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SkodagramKaroqGIF.gif" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20592iE5D485A62107EB91/image-size/medium?v=v2&amp;px=400" role="button" title="SkodagramKaroqGIF.gif" alt="SkodagramKaroqGIF.gif" /></span></P> <P> </P> Fri, 21 Apr 2023 20:28:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-behavior-question-Break-before-make-Make-before-break/m-p/178780#M32744 the_rock 2023-04-21T20:28:00Z