topic Site-to-site vpn Tunnel to a non Checkpoint Gateway in General Topics

Site-to-site vpn Tunnel to a non Checkpoint Gateway

Uwe_Konrad — Thu, 20 Dec 2018 17:31:22 GMT

We have a site-to-site VPN tunnel between our Checkpoint R80.1 Cluster Gateway and an external Site with a Cisco gateway. Since a few hours the tunnel is still there but seems to run in one direction only or somehow not healthy. I see the packes leaving but no real communications is done.

We also have other pure Checkpoint site-to-site tunnels and I can control those using the "user and tunnel management" oder the "vpn tu" util. But those options are not there for a tunnel to a non-checkpoint gateway. How can I reset the tunnel without doing a cpstop of the cluster?

Any advice?

Thanks. Uwe

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Jenni_Guerrica — Thu, 20 Dec 2018 18:25:25 GMT

vpn tu from expert and select your option:

[Expert@FW02:0]# vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

(Q) Quit

*******************************************

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Kim_Moberg — Thu, 20 Dec 2018 18:50:02 GMT

Hi Uwe

I have in my settings to multiple site2site tunnels put ike rekey to 3600 sec (60 minuts) and ipsec rekey to 3600 sec.

I would check ike Phase 1 and ipsec phase 2 are the same.

Also found out to disable dead peer detection (dpd) keepalive on Cisco router/firewall

I often use from expert mode ssh to gwcluster active node or cluster ip addr

vpn tu

To reset vpn tunnel I use option 7

Check if IKE phase 1 have been establish option 3

Check if Ipsec phase 2 have been establish option 4

To check tunnel list

vpn tu tlist -p <remote peer address>

I hope that could help your search for help

Best regards

Kim

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Kim_Moberg — Thu, 20 Dec 2018 18:56:28 GMT

Heiko Ankenbrand did provide a great hint to to use vpn tu via commandline.

https://community.checkpoint.com/docs/DOC-3021-show-vpn-routing-on-cli

Commands are:

vpn tu del ipsec all

vpn tu del ipsec ip-addr

vpn tu del ipsec ip-addr username

vpn tu del all

vpn tu del ip-addr

vpn tu del ip-addr username

I use this Command quite often on daily basis

vpn shell show tunnels ipsec all | grep “<ip address or any info I would like to search for >”

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Uwe_Konrad — Fri, 21 Dec 2018 07:15:04 GMT

Thanks, the syntax with those 3 characters had to be considered, that was my fault!

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Uwe_Konrad — Fri, 21 Dec 2018 07:33:23 GMT

Thanks, great help! There are different tunnels for the different subnetwork pairs shown. Some show i1 .. i5 and other only i1 .. i2? But this changes frequently. Tunnels seem to be OK now. Merry Xmas.

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Uwe_Konrad — Fri, 21 Dec 2018 07:39:00 GMT

I checked the settings: IKE Phase 1 is set to 1.440 min and IPsec to 28.800 seconds, so are not equal and quite large. Could that cause problems?

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Kim_Moberg — Fri, 21 Dec 2018 10:08:19 GMT

Remember timing is your friend.

Make you date and time is correct in both ends.

Secondly check ike rekey is the same as remote peer

Third check ipsec rekey also is the same as remote peer

If for example the check point firewall rekey is every 86400 sec and remote wants to rekey every 28800 the rekey is not in time and sync. Yes I belive this is the reason why it might stop working and you need to reset vpn tunnel.

Merry Christmas

Kim

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Uwe_Konrad — Fri, 21 Dec 2018 10:22:06 GMT

Thanks a lot, what a great help!

I will change this to have it in sync! But do I have to change those settings at both sites? The remote (Cisco) device is operated by a partner institution and I personally have no access to it at the moment.

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Timothy_Hall — Fri, 21 Dec 2018 13:55:51 GMT

How large they are does not matter, what does matter is that they match between the Check Point settings and the Cisco settings or you will get intermittent tunnel failures. Note that the Phase 1 timer is expressed by Check Point in minutes, while the Phase 2 timer is expressed in seconds. Most other vendors express both values in seconds so watch out for that.

Other things that can cause intermittent interoperable tunnel failures are data lifesizes and VPN idle timers, make sure these are disabled or set to unreachably high values on the Cisco. Basically anything that causes the tunnel to be brought down early prior to expiration of the SA lifetimes will cause a tunnel hang because the "Delete SA" mechanism does not work reliably in an interoperable VPN scenario.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Timothy_Hall — Fri, 21 Dec 2018 15:25:15 GMT

The SA lifetimes (timers) are required on both sides and must be set. Data Lifesizes are off by default on Check Point (but can be enabled via file editing) so it is generally easier to turn them off on the Cisco. Check Point does not support a VPN idle timer for site-to-site VPNs.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Re: Site-to-site vpn Tunnel to a non Checkpoint Gateway

Uwe_Konrad — Sun, 23 Dec 2018 13:36:01 GMT

Yes, I have put the settings of both sides to equal values. Eveything runs smooth and fine now. Thanks to all of you , I will come back for help if needed! Merry Christmas.May be some tome I will have hints for other newbees... Uwe