topic Re: S2S VPN downtime in General Topics

S2S VPN downtime

Matlu — Tue, 01 Aug 2023 20:01:37 GMT

Hello,

A query,
I am aware that, in a Checkpoint S2S VPN against third parties, when there is no interesting traffic "crossing" the VPN for a certain period of time, these VPNs "go down".

My question is, how much time does Checkpoint "count" to "down the VPN"?

Assuming that the VPN will be up again, when interesting traffic is generated again.

Hopefully, someone can clarify this doubt for me, please.

Thanks

Re: S2S VPN downtime

CaseyB — Tue, 01 Aug 2023 20:12:17 GMT

I would think the VPN would go down once the IPSec SA expires.

From the CLI you can type "vpn tu tlist -p x.x.x.x" and see a tunnel expiration time.

Re: S2S VPN downtime

Matlu — Tue, 01 Aug 2023 20:25:17 GMT

Hello,

Thank you for your comment.

The output of the command shows me the following.

Trying to interpret the information correctly, I can assume that if there is no more interesting traffic through the tunnel, the VPN will be down today?

In other words, the tunnel will only "hold" for 1 hour, if it does not see any traffic passing through it?

Is there any way to "extend" this time?

Re: S2S VPN downtime

CaseyB — Tue, 01 Aug 2023 21:25:14 GMT

Looking at this closer with some of my VPNs, the tunnel status is based off two items:

State = "UP" - Means Phase 1 and Phase 2 are proper. Everything should be working.
State = "UP - Phase1" - Means you only have Phase 1 and Phase 2 is not working because of configuration or the IPSec SA has expired, if it has expired, you can bring it to "UP" by generating the interesting traffic to make a new IPSec SA.

The CLI I provided is only giving insight for Phase 2, so once that tunnel has "expired" the tunnel will show "UP - Phase1" until that ages out. I cannot find how to view the expiration for Phase 1 (by default Phase1 is 24hours).

How to extend the time. If you want to keep the tunnel online you can configure permanent tunnels between 2 Check Point firewalls, or with a third-party you can use DPD. You can always add a monitor system to the VPN and just send constant pings across too.

If you mean how to adjust the hour window, you can change those settings within the advanced options of the VPN community you are working with. By default Phase 1 is setup for 1440 minutes (24hours) and Phase 2 is setup for 3600 seconds (1hour), if you change these timers, they need to match on both sides of the VPN tunnel.

Re: S2S VPN downtime

Matlu — Tue, 01 Aug 2023 22:27:54 GMT

Thank you for your response.

So, to keep the VPN "up" (My environment is a VPN against a third party, not Checkpoint), it is advisable for us to enable DPD (As I remember, DPD is disabled by default, right?).

Does DPD affect a particular community, or is it something that affects all the VPNs I have in my GW?

Re: S2S VPN downtime

the_rock — Tue, 01 Aug 2023 23:01:56 GMT

Bro, there is old school way to keep any VPN tunnel up. Just keep constant ping going to something on the other end and that will have tunnel UP all the time...same goes for say vpn client inactivity set. I know its not the best way, but it works. Otherwise, just set DPD method, or permanent tunnel.

Andy

Re: S2S VPN downtime

the_rock — Tue, 01 Aug 2023 23:48:44 GMT

You can also use this script as per below link.

Andy

https://community.checkpoint.com/t5/Scripts/One-liner-to-show-VPN-S2S-tunnels-on-gateway/m-p/150205#M962

Re: S2S VPN downtime

Matlu — Wed, 02 Aug 2023 00:55:07 GMT

Bro,

So, activating DPD for a single community will guarantee me that the tunnel will stay up all the time?

Cheers 🙂

Re: S2S VPN downtime

the_rock — Wed, 02 Aug 2023 01:06:13 GMT

Bro, no offense, I dont even guarantee I will be alive tomorrow LOL

Anyway, yes, DPD means peer is configured for permanent tunnel. Make sure community is set that way too and config is indeed set for such a tunnel.

Andy

Re: S2S VPN downtime

Matlu — Wed, 02 Aug 2023 01:52:22 GMT

Does activating DPD "alter" all the VPNs I have in my GW?

Or can DPD be activated for each community independently?

Re: S2S VPN downtime

the_rock — Wed, 02 Aug 2023 01:54:34 GMT

It can be done independently, but it goes by interoperable object. In R81+, if you set community as permanent tunnel type, it sets object as DPD automatically.

Re: S2S VPN downtime

Matlu — Wed, 02 Aug 2023 14:42:12 GMT

Hello, my friend.

Just so that the concept can be clear to me, Phase 2 of the default VPNs, it is clear that it comes set to 3600 seconds.

This means that if in 1 hour there is no traffic between a Site1 HOST and a Site2 HOST, "visually" the VPN in phase 2 will appear as "down", right?

And I would understand that the VPN in general, if in 1 day, there is no traffic at all, visually, it will also be "down", until traffic is generated again, is my interpretation correct?

Greetings.

Re: S2S VPN downtime

_Val_ — Wed, 02 Aug 2023 14:44:19 GMT

Shortly, no. Phase 2 timer only defines how long the symmetric key is valid. Once it is timed out, it will be renegotiated.

Re: S2S VPN downtime

Matlu — Wed, 02 Aug 2023 15:06:14 GMT

I understand.

What we are looking for, is to have an "idea" of how long is the maximum time that the tunnel can be without traffic crossing through it, so that the VPN visually looks "down".

Is this something that is defined in the configuration of a VPN community?

Re: S2S VPN downtime

the_rock — Wed, 02 Aug 2023 15:57:28 GMT

One of our customers had the same question few years back and we thought it was possible to define it in Guidbedit, but TAC was not successful either, so we never really got an official answer if there was any sort of time that needs to pass by before tunnel is officially considered as down.

You can open a case and ask about it I guess, but I hardly doubt its different.

Andy