topic Re: IPSEC VPN in General Topics

IPSEC VPN

JonWilliams — Wed, 21 Feb 2024 14:24:20 GMT

Hi,

Setup a site to site vpn to third party (amazonaws) from our CP R81.20 but the tunnel is not coming up.

initiating traffic on our back end, i can see on the tcpdump ext int that we are sending a isakmp and receive 1 back but thats where it stops. Tunnel does not come up

Any ideas please ?

IP xxxxxxx.co.uk.isakmp > xxxxxxxxxxxx.amazonaws.com.isakmp: isakmp: parent_sa ikev2_init[I]

IPxxxxxxxxxxxamazonaws.com.isakmp > xxxxxxxxx.co.uk.isakmp: isakmp: parent_sa ikev2_init[R]

Re: IPSEC VPN

the_rock — Wed, 21 Feb 2024 14:43:18 GMT

Hey,

Are you using numbered or unnumbered vti's? Set as permanent tunnel? Mesage me offline, happy to do remote if you allow it. Im fairly experienced with Azure VPN tunnels, though have done couple with AWS as well.

Best,

Andy

Re: IPSEC VPN

JonWilliams — Wed, 21 Feb 2024 15:08:05 GMT

Hi,

It is just setup as a site to site vpn, we do not use vti's on our CP

Thanks

Re: IPSEC VPN

the_rock — Wed, 21 Feb 2024 15:11:07 GMT

Okay..is it set as permanent tunnel via community object tunnel management or no? How do you have below configured?

Andy

Re: IPSEC VPN

G_W_Albrecht — Wed, 21 Feb 2024 15:11:34 GMT

And which documentation did you follow when configuring the S2S VPN ?

Re: IPSEC VPN

JonWilliams — Wed, 21 Feb 2024 15:16:34 GMT

Hi,

Set Permanent is not ticked and vpn tunnel sharing is "one vpn tunnel per subnet pair"

Re: IPSEC VPN

JonWilliams — Wed, 21 Feb 2024 15:18:09 GMT

Hi,

I just followed the phase 1 and 2 proposals set by the third party. Sorry im not great on CP.

If the third party use vti im guessing that would not be an issue if we dont ?

Rgds,

Re: IPSEC VPN

the_rock — Wed, 21 Feb 2024 15:23:32 GMT

Thats fine, dont worry, we are here to help! Put it this way, for route based VPN, you need VTI. Have a look at my post below, I know its about Azure, but I explained it the best I could. Happy to do remote if you allow that, not an issue. I really feel I could help you with it.

Best,

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufExTTjlYV1FXMUlGQVNMfDIwNjE3OXxTVUJTQ1JJUFRJT05TfGhL#M38950

Re: IPSEC VPN

the_rock — Wed, 21 Feb 2024 15:25:15 GMT

Ok, no problem. All debug shows is that you guys are I as initiator, and AWS is R, as in responder, but clearly config is not matching somewhere, as even phase 1 does not seem to be working.

Andy

Re: IPSEC VPN

the_rock — Wed, 21 Feb 2024 17:09:52 GMT

Did you also do simple vpn debug?

vpn debug trunc

vpn debug ikeon

-try generate some traffic

vpn debug ikeoff (after 2-3 mins)

Look for ike and vpnd files in $FWDIR.log dir

Get them off the fw and examine for any relevant IPs, or you can simply grep -i from ssh as well

ie from expert mode -> grep -i 2.3.4.5 vpnd.elg (just replace 2.3.4.5 with actual peer external IP)

Best,

Andy