https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connectivity-with-a-remote-VPN-peer/m-p/183847#M33731 <P>Hello, everyone.</P> <P>A query, I currently have a S2S IPsec VPN deployed, but I wanted to know if to "test" the connectivity with the remote peer with a "ping" from the GW CLI, you need to have a security policy?</P> <P>The IP of the remote peer is available from the Internet.<BR />If you try to ping from any point of Internet 200.60.70.9 you can validate that the equipment responds to Internet, but from my GW (from the CLI), it does not answer me the PING.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VPN3.png" style="width: 952px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21402iF9790DFFA0866B2F/image-size/large?v=v2&amp;px=999" role="button" title="VPN3.png" alt="VPN3.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VPN2.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21401i43A4B8D3A0F6E04B/image-size/large?v=v2&amp;px=999" role="button" title="VPN2.png" alt="VPN2.png" /></span></P> <P>Additionally, I wanted to validate the "negotiation of the packets exchanged" for the establishment of the VPN, with the command "tcpdump -penni any host &lt;remote peer&gt;", but I do not get any "result" in the console of the equipment, and I find it super weird.<BR /><BR />The VPN is up, but I wanted to make sense of these things I'm talking about.<BR /><BR />Thanks for any comments</P> Mon, 12 Jun 2023 22:10:26 GMT Matlu 2023-06-12T22:10:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connectivity-with-a-remote-VPN-peer/m-p/183847#M33731 <P>Hello, everyone.</P> <P>A query, I currently have a S2S IPsec VPN deployed, but I wanted to know if to "test" the connectivity with the remote peer with a "ping" from the GW CLI, you need to have a security policy?</P> <P>The IP of the remote peer is available from the Internet.<BR />If you try to ping from any point of Internet 200.60.70.9 you can validate that the equipment responds to Internet, but from my GW (from the CLI), it does not answer me the PING.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VPN3.png" style="width: 952px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21402iF9790DFFA0866B2F/image-size/large?v=v2&amp;px=999" role="button" title="VPN3.png" alt="VPN3.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VPN2.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21401i43A4B8D3A0F6E04B/image-size/large?v=v2&amp;px=999" role="button" title="VPN2.png" alt="VPN2.png" /></span></P> <P>Additionally, I wanted to validate the "negotiation of the packets exchanged" for the establishment of the VPN, with the command "tcpdump -penni any host &lt;remote peer&gt;", but I do not get any "result" in the console of the equipment, and I find it super weird.<BR /><BR />The VPN is up, but I wanted to make sense of these things I'm talking about.<BR /><BR />Thanks for any comments</P> Mon, 12 Jun 2023 22:10:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connectivity-with-a-remote-VPN-peer/m-p/183847#M33731 Matlu 2023-06-12T22:10:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connectivity-with-a-remote-VPN-peer/m-p/183899#M33740 <P>What version/JHF is the gateway?<BR />Depending on your version, tcpdump doesn't always show what's going on when SecureXL accelerates the traffic.<BR />cppcap can be used in this case.</P> <P>What is the remote peer in this case?<BR />If it is not a Check Point device and you try to ping the external IP, it may not work.<BR />See:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk108600" target="_blank">https://support.checkpoint.com/results/sk/sk108600</A><BR />&nbsp;</P> Tue, 13 Jun 2023 17:20:10 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connectivity-with-a-remote-VPN-peer/m-p/183899#M33740 PhoneBoy 2023-06-13T17:20:10Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connectivity-with-a-remote-VPN-peer/m-p/183903#M33741 <P>Hello,</P> <P>The JHF is Take 83, version R81.10</P> <P>The remote pair is a Fortigate. Your Public IP of the remote peer is available to test connectivity from anywhere on the Internet.</P> <P>If you test a PING from our Checkapoints Cluster, well, it just doesn't work, and according to the logs, it seems that it is because the traffic is being sent over the VPN, and it matches an IMPLIED RULE 0.<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IM1.png" style="width: 686px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21409iF067B8461094AB0D/image-size/large?v=v2&amp;px=999" role="button" title="IM1.png" alt="IM1.png" /></span></P> <P>Is there any way to correct this behavior?</P> <P>Is there a way to ping from the GW to a remote peer, as a validation process of the device, before starting to "deploy" a VPN?<BR /><BR />cppcap, is there a tool to help me "test" the negotiation process for a VPN?<BR />Any reference guide for cppcap?</P> <P>Regards.</P> Tue, 13 Jun 2023 17:30:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connectivity-with-a-remote-VPN-peer/m-p/183903#M33741 Matlu 2023-06-13T17:30:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connectivity-with-a-remote-VPN-peer/m-p/183917#M33746 <P>Expected behavior that is possible to address in the SK I linked previously (scenario 3).</P> Tue, 13 Jun 2023 18:39:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Connectivity-with-a-remote-VPN-peer/m-p/183917#M33746 PhoneBoy 2023-06-13T18:39:27Z