topic Re: Setting Up Site-to-Site VPN to 3rd Party Gateway in General Topics

Setting Up Site-to-Site VPN to 3rd Party Gateway

Wyman — Wed, 07 Aug 2019 16:03:49 GMT

Hi all.

I'm trying to setup a VPN tunnel to a 3rd party and am running into some issues. These are the instructions I have received from the third party regarding the setup:

Encrypt Mode:

IKEv2 only

IKE (Phase 1) Proposal

Main Mode
Encryption Type/Algorithm: AES-256
Data Integrity: SHA256
Key
DH-Group: 2
Lifetime: 3600 seconds

IKE (Phase 2) Proposal

Protocol: ESP
Encryption Type: AES-256
Data Integrity: SHA256
Lifetime: 3600 seconds
Disabled PerfectForward Secrecy (PFS)

With the exception of setting the protocol to ESP (not been able to find how to do this) I have done everything else according to these instructions:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62803

When looking in SmartView Tracker I see an 'traffic selectors unacceptable' log entry. Not quite sure how to proceed with this.

We're running R77.30 take 204

Thanks in advance for any assistance.

Re: Setting Up Site-to-Site VPN to 3rd Party Gateway

Wolfgang — Wed, 07 Aug 2019 19:56:01 GMT

Tbgaz,

As far as I can remember there are some known problems with IKEv2 and third party gateways. I think there was a problem with SecureXL. Did you tried to disable the acceleration ?

Please have a look at the IKEv2 VPN limitations in VPN limitations in R77.30

Espacially sk102437, sk114834 and sk112139.

Wolfgang

Re: Setting Up Site-to-Site VPN to 3rd Party Gateway

Wyman — Thu, 08 Aug 2019 14:06:13 GMT

Hi Wolfgang,

Thanks for the reply. I've made some progress, the tunnel is now showing as up. I checked SecureXL but it isn't configured on the gateway. From the 3rd party endpoint to our gateway a 'child SA is successfully created' log entry is created, but going in the opposite direction I see a log message 'Child SA exchange: Peer's message is unacceptable'.

Is it a case that we have to use IKEv1 or is that less than ideal?

Re: Setting Up Site-to-Site VPN to 3rd Party Gateway

G_W_Albrecht — Thu, 08 Aug 2019 14:12:22 GMT

Did you consult sk108600: VPN Site-to-Site with 3rd party already ? This is a valuable document for that kind of issues...

Re: Setting Up Site-to-Site VPN to 3rd Party Gateway

Wyman — Tue, 13 Aug 2019 11:07:57 GMT

Hi. The issue has been resolved. The 3rd party gateway needed to be tweaked to allow connectivity.

Re: Setting Up Site-to-Site VPN to 3rd Party Gateway

G_W_Albrecht — Tue, 13 Aug 2019 12:03:29 GMT

Best is pinching with a sharp needle from behind 😁

Re: Setting Up Site-to-Site VPN to 3rd Party Gateway

An_Nguyen — Tue, 11 Feb 2020 19:09:56 GMT

Is it possible that you share what was being "tweaked"?

Thanks

Re: Setting Up Site-to-Site VPN to 3rd Party Gateway

cdooer — Fri, 08 Oct 2021 17:41:20 GMT

Would it be possible to share what the tweak was?