topic Re: IPsec between two Windows Server, Checkpoint Maestro in between in Firewall and Security Management

IPsec between two Windows Server, Checkpoint Maestro in between

fourcly — Thu, 03 Apr 2025 20:55:21 GMT

Hi everyone,

We currently have the problem that an IPsec connection between two Windows servers is not working due to our Checkpoint Maestro Cluster. If we hang the server in front of the Checkpoint, the IPsec works without a problem, has anyone here had any experience with this?

In Wireshark I see many Identity Protection (Main Mode) packets in a row. There are also a lot of "Unknown packets" (243,244,246)

No NAT is active on our firewall and we have no other VPN tunnels running

Could this be a MTU/MSS problem?

Thank you for your help!

Paul

Re: IPsec between two Windows Server, Checkpoint Maestro in between

the_rock — Fri, 04 Apr 2025 17:15:47 GMT

Hey Paul,

If you do vpn tu and check option to list the tunnel by phase 1 or 2, option 3 and 4, what do you see?

[Expert@CP-GW:0]# vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) * List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.

(Q) Quit

*******************************************

Also, what if you try below?

vpn tu list peer_ike peer-ip and same command with peer_ipsec

Alternatively, do basic debug:

vpn debug trunc

vpn debug ikeon

-generate traffic

vpn debug ikeoff

Check vpnd and iked files in $FWDIR/log dir

Andy

Re: IPsec between two Windows Server, Checkpoint Maestro in between

fourcly — Mon, 14 Apr 2025 12:12:29 GMT

Hi @the_rock

sorry for the late reply, I was on vacation.

unfortunately, this is not a VPN tunnel on the checkpoint itself, but IPsec encrypted traffic between two servers with the checkpoint in between. There are no VPN tunnels running on the Checkpoint itself.

Paul

Re: IPsec between two Windows Server, Checkpoint Maestro in between

the_rock — Mon, 14 Apr 2025 12:17:15 GMT

K, no worries. Hope you had nice vacation : - )

Anyway, in that case, all you need to make sure is that CP is allowing the traffic to pass through, thats it.

Andy

Re: IPsec between two Windows Server, Checkpoint Maestro in between

fourcly — Mon, 14 Apr 2025 12:21:21 GMT

Thank you, everything was fine!

We have a firewall rule that allows all traffic, everything is also allowed in the log. However, no connection is established when testing. If we put the server in front of the checkpoint so that it no longer takes over the routing, everything works.

Paul

Re: IPsec between two Windows Server, Checkpoint Maestro in between

the_rock — Mon, 14 Apr 2025 12:24:01 GMT

Do you even see phase 1 form or nothing at all?

Andy

Re: IPsec between two Windows Server, Checkpoint Maestro in between

PhoneBoy — Mon, 14 Apr 2025 13:15:35 GMT

Is the IPsec VPN blade enabled here?
I know this VPN is not terminating in the device, but I know IPsec code is handled as part of Implied Rules and something may be causing an issue.
I suspect TAC may be necessary to troubleshoot.

Re: IPsec between two Windows Server, Checkpoint Maestro in between

Lesley — Mon, 14 Apr 2025 19:10:29 GMT

You see any drops on the Maestro firewalls?

fw ctl zdebug + drop | grep <IP>

What version? cpinfo -y all

What ports have you allowed? Think of: ESP, ike 500 upd-4500