topic Re: S2S VPN in Firewall and Security Management

S2S VPN

checkpopipu — Wed, 21 Feb 2024 17:27:37 GMT

Hey there!

TL;DR: IPSEC VPN problem - My Checkpoint device cant communicate with the Interoperable device (that is actually the AWS side of the tunnel) at all! the error is "IKE failure: Initial exchange: Exchange failed: timeout reached"

The problem:

I'm trying to connect my On-Premise and my AWS environment with a S2S VPN.

I have configured everything on AWS and then got a configuration tutorial document for my checkpoint.

I did everything, and got to the part when I have to test my connection, but it is not working.

What I have already tried:

In the logs I can see once in a minute a record with action "REJECT" and description "IKE failure: Initial exchange: Exchange failed: timeout reached". After that, there is another record with action "Encrypt", but then it stops. (Images of this are included at the end)

I tried to sniff all interfaces and understood that there is not even one packet that is sent to the Public IP that is defined in the interoperable device.

Also tried to ping this address and saw that I cannot talk to it.

I tried to change the IP address of the interoperable device and it was preventing me to send anything to the new IP.

I have a rule that allows my firewall to communicate with that address in any type of communication so that's not the problem.

Thanks a Lot!!!!

Re: S2S VPN

CheckPointerXL — Thu, 22 Feb 2024 22:47:59 GMT

I think you need to perform a vpn debug to get more info

Re: S2S VPN

the_rock — Fri, 23 Feb 2024 01:37:56 GMT

I would do simple vpn debug as well.

vpn debug trunc

vpn debug ikeon

-generate some traffic, wait 2-3 mins

vpn debug ikeoff

Get ike and vpnd files from $FWDIR/log dir

Best,

Andy

Re: S2S VPN

SdanteMate — Mon, 21 Oct 2024 14:17:12 GMT

@checkpopipu Did you find the solution on this?

Re: S2S VPN

796570686578 — Tue, 26 Nov 2024 08:01:45 GMT

@SdanteMate Have you been able to resolve the issue? Currently running into the same error. We have other tunnels to AWS that work just fine but can't get this one to work

Re: S2S VPN

796570686578 — Tue, 26 Nov 2024 09:39:40 GMT

In case anyone runs into the same issue and finds this post. The solution for us was to change the "Startup Action" Setting in AWS from Add to Start.

Startup action

The action to take when establishing the tunnel for a VPN connection. You can specify the following:

Start: AWS initiates the IKE negotiation to bring the tunnel up. Only supported if your customer gateway is configured with an IP address.
Add: Your customer gateway device must initiate the IKE negotiation to bring the tunnel up.

Re: S2S VPN

the_rock — Tue, 26 Nov 2024 11:47:25 GMT

Thats really good to know, tx for sharing!

Andy