topic Re: Issue with VPN between Checkpoint and AWS in Firewall and Security Management

Issue with VPN between Checkpoint and AWS

ThomasPP — Thu, 03 Oct 2024 13:19:02 GMT

Hello

We are building a route based site-to-site VPN between our Checkpoint cluster (Check Point Gaia R81.10 - 15600) and AWS (tenant belonging to our partner).

Both phases are up but there is no traffic between VTI addresses (ping is not working but encrypted on Checkpoint side)

We've got errors like in the console : :

Child SA exchange: Peer's message is unacceptable

and fw ctl zdebug drop shows :

@;294556582;[cpu_6];[fw4_19];fw_log_drop_ex: Packet proto=6 169.254.131.30:35776 -> 169.254.131.29:179 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;
@;294556582;[cpu_12];[fw4_7];fw_log_drop_ex: Packet proto=6 169.254.151.30:41589 -> 169.254.151.29:179 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;

We also noticed these logs :

[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv4: Traffic selector has been narrowed. Here's what's left (4 addresses)
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] --- 185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: calculate all ranges
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv6: proto: 0, port range: All Ports
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: calculate ranges for ts 0
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv6: proto: 0, port range: All Ports
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: trying to match peer range 0: 185.XXX.YYY.0 - 185.XXX.YYY.3 against 0 policy ranges
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: Could not match traffic selector 1 (<185.XXX.YYY.0 - 185.XXX.YYY.3>)
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: Could not match any selectors
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify: returns true
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: looking for a ts that contains <169.254.131.30 ; TCP ; 179>
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: checking range: 185.XXX.YYY.0 - 185.XXX.YYY.6
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: added range: 185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: checking range:185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: added range: 185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: Try specific protocol/port (6/179) num_range: 1. addresses in ranges: 4 (4)
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: Returning empty TS. Proto: 6
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] ikeChildSAExchange_i::validateTSiPayload: empty traffic selector.
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::processPayloads: problem processing payload no. 4 of type TS-i payload
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::processPayloads: processPayloads returning initial status
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::setStatus: Changing status from: initial to: failure (final)..
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::setLog: Setting log message:
Peer's message is unacceptable..

Do you have any idea?

Could it be a mismatch between route based and policy based ?

Thank you

Thomas

Re: Issue with VPN between Checkpoint and AWS

PhoneBoy — Thu, 03 Oct 2024 13:36:17 GMT

What steps did you follow to configure this?
It’s not necessarily an issue with route versus domain VPN, but it does indicate a configuration mismatch.

Re: Issue with VPN between Checkpoint and AWS

ThomasPP — Thu, 03 Oct 2024 13:38:18 GMT

Hello,

We followed the following links :

And our partners sent us the configuration files from AWS.

Re: Issue with VPN between Checkpoint and AWS

the_rock — Thu, 03 Oct 2024 14:32:00 GMT

See if below post I made helps. Key here is to MAKE SURE routes are configured in a way I described. If not, traffic will never work. If you need more help, let me know. I know this is for Azure, but exact same method applies to AWS.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTTjlYV1FXMUlGQVNMfDIwNjE3OXxTVUJTQ1JJUFRJT05TfGhL#M38950

Re: Issue with VPN between Checkpoint and AWS

PhoneBoy — Thu, 03 Oct 2024 14:32:47 GMT

In your VPN Community, what do you have configured for Tunnel Sharing?
I believe it should be "one per gateway" as shown below.

Re: Issue with VPN between Checkpoint and AWS

ThomasPP — Thu, 03 Oct 2024 14:40:35 GMT

Hello,

We have configured "one vpn tunnel per Gateway" :

We are trying to use BGP routing for the first time but it seems that BGP traffic is not flowing through the VPN (it is dropped, see first post) :

@;294556582;[cpu_6];[fw4_19];fw_log_drop_ex: Packet proto=6 169.254.131.30:35776 -> 169.254.131.29:179 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;

Re: Issue with VPN between Checkpoint and AWS

the_rock — Thu, 03 Oct 2024 14:45:31 GMT

Here is what I had learned doing extensive testing with a colleague for BGP through route based tunnels...key is to use UNNUMBERED vtis for that to work. Why, dont ask me, as I have no clue in the world, but I even mentioned this to TAC once after being on the phone 5 hours troubleshooting the issue.

We actually fixed it in Azure lab the next day.

Andy

Re: Issue with VPN between Checkpoint and AWS

ThomasPP — Fri, 04 Oct 2024 05:38:36 GMT

Hello,

Thank you for your reply.

When using unnumbered VTIs, you don't need to set any ip address? In that case, how do you set up BGP peers?

Thomas

Re: Issue with VPN between Checkpoint and AWS

Alex- — Fri, 04 Oct 2024 09:43:11 GMT

sk176249 is very well written and while it pertains to Azure VWAN, the concept of route-based VPN with BGP is common to cloud implementations. You can adapt the Azure parts to AWS and it should work.

Re: Issue with VPN between Checkpoint and AWS

the_rock — Fri, 04 Oct 2024 09:44:19 GMT

Thats right, thats why its called unnumbered. BGP, you configure it like you normally would.

Andy