topic Re: Methods to Reset Site-to-Site IPSec VPN tunnel in Firewall and Security Management

Methods to Reset Site-to-Site IPSec VPN tunnel

Mk_83 — Sat, 28 Dec 2024 18:36:35 GMT

Hello everyone,

Appliance: 9100 - Standalone - R81.20

I am having VPN tunnel DOWN and have to reboot the device to resolve the VPN tunnel to UP. So, I just want to ask if there is a way to reset VPN tunnel instead of using SmartView Monitor, vpn tu?
Cause my GW don't have SmartEvent/Monitoring Licenses so I can't reset VPN tunnel in SmartView Monitor; and when using vpn tu to delete IPSec SAs/IKE, it didn't recover.

Thanks & Best Regards.

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

Tal_Paz-Fridman — Sat, 28 Dec 2024 19:05:12 GMT

Consider using Permanent Tunnels to improve the reliability of the tunnels:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Tunnel-Management.htm

"As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. Therefore it is essential to make sure that the VPN tunnels are kept up and running. Permanent Tunnels are constantly kept active and as a result, make it easier to recognize malfunctions and connectivity problems. Administrators can monitor the two sides of a VPN tunnel and identify problems without delay."

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

the_rock — Sat, 28 Dec 2024 20:49:08 GMT

Best way I know of to truly reset vpn tunnel is remove cp gw from vpn community, push policy, add it back, push policy again.

Andy

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

AlekzNet — Sat, 28 Dec 2024 23:53:49 GMT

.. just make sure you still know the correct PSK, because you will have to enter it again ..

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

the_rock — Sun, 29 Dec 2024 00:00:09 GMT

I dont believe thats needed if you remove cp object, ONLY interoperable one.

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

AlekzNet — Sun, 29 Dec 2024 01:26:52 GMT

> when using vpn tu to delete IPSec SAs/IKE, it didn't recover.

Then there is a problem with the VPN configuration. To troubleshoot further , additional information is needed.

E.g. which Phase is failing?

what does "vpn tu list peer_ipsec <peer_IP>" show?

What do you see in tcpdump on the external interface of the firewall? tcpdump -nnni <ext_iface> host <peer_IP>

What do you see in the FW logs for the <peer_IP>?

What does "the other side" see in their logs?

Next step is to allow IKE debugging. Keep in mind, in R81.20 iked is multithreaded, so the IKE debug info can go into any of the /etc/fw/log/iked?.* file, and there is no corresponding ikeview utility anymore to conveniently "decipher" these files.

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

AlekzNet — Sun, 29 Dec 2024 02:36:36 GMT

> https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T...

> Standalone - R81.20

😉

> Consider using Permanent Tunnels to improve the reliability of the tunnels:

Allowing DPD will not help if the tunnel does not establish correctly to begin with (provided there is some traffic between the enc domains).

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

AlekzNet — Sun, 29 Dec 2024 00:22:49 GMT

Try this in the lab 😉 And how do you know, that "the other side" is a CheckPoint?

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

the_rock — Sun, 29 Dec 2024 00:24:27 GMT

I tried it at least 50 times lol

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

AlekzNet — Sun, 29 Dec 2024 00:26:31 GMT

#metoo and every time the PSK disappeared. In any case, I would first make sure the correct PSK is known.

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

the_rock — Sun, 29 Dec 2024 00:30:11 GMT

Im positive you would have deleted interoperable object, as there is nowhere you can put PSK on CP object in the community.

But, I agree, always good idea to know PSK.

Andy

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

AlekzNet — Sun, 29 Dec 2024 00:53:55 GMT

You mean if both CP FWs are managed by the same Mgmt station, right? And if it's a 3d party company?

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

the_rock — Sun, 29 Dec 2024 00:57:55 GMT

I mean one CP and other one 3rd party. In such case, other object has to be presented as interoperable object.

Andy

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

AlekzNet — Sun, 29 Dec 2024 01:04:04 GMT

Exactly! That's why you need to know the PSK 😊

From the the original post it's not clear what "the other side" is and who controls it. So, in this case, the PSK *must* be mentioned.

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

the_rock — Sun, 29 Dec 2024 01:10:23 GMT

But what Im saying is if you delete cp object and add it back, you dont need to know psk 🙂

You only need to know it if you delete interoperable object and put it back in the community.

Hope thats clear now?

Andy

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

AlekzNet — Sun, 29 Dec 2024 01:13:07 GMT

In this case yes, indeed. I interpreted it a bit wider and "looser" - the object is a CP device managed by a 3d party. So, a misunderstanding on my part 😊

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

the_rock — Sun, 29 Dec 2024 01:15:07 GMT

Glad we are in agreement 🙂

Re: Methods to Reset Site-to-Site IPSec VPN tunnel

Lesley — Mon, 30 Dec 2024 18:45:07 GMT

There are no more ways then this, so indeed reboot or vpn tu.

Policy push can force rekey, it is not a reset but sometimes it can trigger stuff.