https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209539#M39717 <P>Hi The_Rock.</P><P>1) is it CP to CP tunnel of 3rd party? -&gt;&nbsp;3rd party Cisco</P><P>2) permanent tunnel or regular? -&gt;&nbsp;regular</P><P>3) what is configured for vpn domains? -&gt;&nbsp;All IP Address behind Cluster Member based on Topology</P><P>4) any NAT going? No Nat</P><P>5) ikev1 or v2? ikev1</P><P>Also, did you do any tcpdumps or debugs -&gt;&nbsp;I have debug VPN traffic but it doesn't exist</P><P>Example (say peer is 1.2.3.4 IP)</P><P>[Expert@gw01:0]# vpn iked calc 192.168.45.2<BR />vpn: valid 'iked' commands are: 'status', 'enable', 'disable'</P><P>I checked the VPN configuration on the gateway but it seems it has not been installed from SMC</P><P>Thanks.</P> Sun, 24 Mar 2024 15:01:38 GMT NamND 2024-03-24T15:01:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209531#M39714 <P>Hi Everyone.</P><P>I am configuring Vpn Site to Site I have enabled IPSEC VPN but on the gateway device it is not receiving the VPN configuration. I checked with cli commands: vpn tu but the result is "No data to display<BR />"<BR />Steps I took:<BR />1. enable IPSEC VPN<BR />2. interoperable devices<BR />3. VPN Communities<BR />4. IPSEC VPN<BR />5. Install Policy.</P><P>Thanks</P> Sun, 24 Mar 2024 08:54:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209531#M39714 NamND 2024-03-24T08:54:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209529#M39715 <P>Hi Everyone!</P><P>I am configuring site to site vpn on checkpoint gateway cluster. But when I install the policy, the vpn configuration is not received on the gateway<BR />Steps I took<BR />1. enable IPSEC VPN in cluster<BR />2. configuration Interoperable devices<BR />3. configuration VPN Communities<BR />4. configure VPN Domain<BR />5. install policy</P><P>I executed the vpn tu command on the cli but the result was No data to display.</P><P>Thanks.</P><P>&nbsp;</P> Sat, 23 Mar 2024 18:07:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209529#M39715 NamND 2024-03-23T18:07:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209537#M39716 <P>Thats only the first step, since vpn blade has to be enabled. But, lets take a step back, of few lol</P> <P>Can you please let us know the following:</P> <P>1) is it CP to CP tunnel of 3rd party?</P> <P>2) permanent tunnel or regular?</P> <P>3) what is configured for vpn domains?</P> <P>4) any NAT going?</P> <P>5) ikev1 or v2?</P> <P>Also, did you do any tcpdumps or debugs</P> <P>Example (say peer is 1.2.3.4 IP)</P> <P>from CP -&gt; tcpdump -enni any host 1.2.3.4 and proto 50</P> <P>debug:</P> <P>vpn debug trunc</P> <P>vpn debug ikeon</P> <P>-try generate some traffic</P> <P>vpn debug ikeoff</P> <P>Look for ike and vpnd files</P> <P>IMPORTANT NOTE -&gt; to save yourself time, please run below to check what iked process is handling the vpn, otherwise you might be looking at totally wrong files</P> <P>example in my lab:</P> <P>[Expert@azurefw:0]# vpn iked calc 1.2.3.4</P> <P>vpn: Address 1.2.3.4 is handled by IKED 0</P> <P>[Expert@azurefw:0]#</P> <P>&nbsp;</P> <P>If you need any help, let me know.</P> <P>&nbsp;</P> <P>Best.</P> <P>Andy</P> Sun, 24 Mar 2024 13:25:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209537#M39716 the_rock 2024-03-24T13:25:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209539#M39717 <P>Hi The_Rock.</P><P>1) is it CP to CP tunnel of 3rd party? -&gt;&nbsp;3rd party Cisco</P><P>2) permanent tunnel or regular? -&gt;&nbsp;regular</P><P>3) what is configured for vpn domains? -&gt;&nbsp;All IP Address behind Cluster Member based on Topology</P><P>4) any NAT going? No Nat</P><P>5) ikev1 or v2? ikev1</P><P>Also, did you do any tcpdumps or debugs -&gt;&nbsp;I have debug VPN traffic but it doesn't exist</P><P>Example (say peer is 1.2.3.4 IP)</P><P>[Expert@gw01:0]# vpn iked calc 192.168.45.2<BR />vpn: valid 'iked' commands are: 'status', 'enable', 'disable'</P><P>I checked the VPN configuration on the gateway but it seems it has not been installed from SMC</P><P>Thanks.</P> Sun, 24 Mar 2024 15:01:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209539#M39717 NamND 2024-03-24T15:01:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209540#M39718 <P>Now that I came back from my exercise (I feel like Im the only "genius" running on -5 C degree haha), I feel energized, so lets see if we can get this fixed. Just working on some labs, so if you allow remote, message me offline, lets connect and we can do remote.</P> <P>Best,</P> <P>Andy</P> <P>Btw, first thing I would say thats wrong is your enc domain, you should always set specific subnet/group, not topology option.</P> Sun, 24 Mar 2024 15:15:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209540#M39718 the_rock 2024-03-24T15:15:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209541#M39719 <P>Nguyen and I just had remote session and I could not even see phase 1 come up, so asked him to verify enc methods for phase 1, as well as PSK and update the thread. Alternatively, please run the debug I mentioned in one of previous responses.</P> <P>Best,</P> <P>Andy</P> Sun, 24 Mar 2024 23:37:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209541#M39719 the_rock 2024-03-24T23:37:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209543#M39720 <P>Hi The_Rock.</P><P>I have solved the problem exactly as you said and I have completed the Site to Site VPN configuration.</P><P>Right now VPN tunnel is up.</P><P>Thank you very much.</P> Sun, 24 Mar 2024 16:15:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209543#M39720 NamND 2024-03-24T16:15:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209544#M39721 <P>Great job!</P> Sun, 24 Mar 2024 16:42:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209544#M39721 the_rock 2024-03-24T16:42:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209547#M39723 <P>Btw, just to help you even further next time if you have issue with Cisco, below are some good commands on that end you can try:</P> <P><BR />***************************************************************</P> <P><BR />more system:running-config | beg tunnel-group x.x.x.x (to find pre shared key for specific tunnel, where x.x.x.x is the 3rd party external IP)</P> <P>ASA# sh run crypto map | beg x.x.x.x (peer IP)</P> <P>debug vpn:</P> <P>debug crypto condition peer x.x.x.x</P> <P>debug crypto ikev1 200</P> <P>debug crypto ipsec 200</P> <P>to cancel all debugs-&gt; undebug all</P> <P><BR />Here are the commands that you need to apply in order to change an IP address of the IPSec site to site tunnel:</P> <P>&nbsp;</P> <P>no crypto map &lt;map-name&gt; &lt;sequece&gt; set peer x.x.x.x</P> <P>crypto map &lt;map-name&gt; &lt;sequence&gt; set peer &lt;new peer IP&gt;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 24 Mar 2024 19:59:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-Site-to-Site-gateway/m-p/209547#M39723 the_rock 2024-03-24T19:59:43Z