topic Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada in General Topics

Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

SinisaZG — Thu, 05 Dec 2024 13:06:41 GMT

Site-to-Site IPSec between Check Point and 3rd Party Gateway: Sophos

Issue is present on VSX deployment on one Virtual System

We've checked the policy several times, and there is no issues like lifetime mismatch, etc...

VPN Tunnel is up but we keep receiving errors:

Informational Exchange Received: Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

Tunnel with IKEv1 is up, with IKEv2 is down with error:

Quick Mode Failed to match proposal: Transform: AES-256, SHA1, Group 2 (1024 bit), Tunnel; Reason: Wrong value for: Key Length

DPD Responder Mode:is enabled

"Note: The DPD mechanism is based on IKE SA keys. In some situations, the Check Point Security Gateway deletes IKE SAs, and a VPN peer, usually a 3rd Party gateway, sends DPD requests and does not receive a response. As a result, the VPN peer concludes that the Check Point Security Gateway is down. The VPN peer can then delete the IKE and IPsec keys, which causes encrypted traffic from the Check Point Security Gateway to be dropped by the remote peer."

In SmartConsole
click Menu > Global properties > Advanced > Configure
Click VPN Advanced Properties > VPN IKE properties.
Select keep_IKE_SAs.
Click OK.
Install the Access Control Policy. - this is already enable

Should I try to change the settings with GuiDBEdit Tool?

DPD responder mode
Permanent tunnel mode based on DPD

___________________________________________________________________

I have no experience in working with DPD and I need someone who can help me with that.

Am I even looking in the right direction?

Many thanks!

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

the_rock — Thu, 05 Dec 2024 13:26:42 GMT

Hey @SinisaZG

What version is this? I ask, because I believe back in R80.40, when permanent tunnel option is enabled in vpn community, there is no need to change anything in guidbedit for dpd and Im referring to below.

Andy

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

SinisaZG — Thu, 05 Dec 2024 13:36:53 GMT

Sorry I I forgot to put the version. R81.20, Take 76.

The settings are the same as yours.

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

the_rock — Thu, 05 Dec 2024 13:43:05 GMT

On your CP object participating in the vpn tunnel, IF its set to permant tunnel as below, then guidbedit should say dpd, NOT tunnel test.

Andy

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

SinisaZG — Thu, 05 Dec 2024 14:10:40 GMT

I tried that already... same error.

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

Timothy_Hall — Thu, 05 Dec 2024 14:12:01 GMT

Are you sure the Sophos is not set for AES-256-GCM in Phase 2? Not the same as AES-256. As a test try setting P2 to AES-128 and see what happens.

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

the_rock — Thu, 05 Dec 2024 14:13:51 GMT

I would make sure both cp object AND interoperable are set to dpd and same in the community and then install policy and test. If same issue, then run basic vpn debug and see what shows up on the other end.

I would also confirm 100% phase 2 settings do indeed match on both sides.

vpn debug trunc

vpn debug ikeon

-replicate the issue

vpn debug ikeoff

disable debug -> fw ctl debug 0

get ike* and vpnd* files from $FWDIR/log dir

Andy

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

SinisaZG — Thu, 05 Dec 2024 14:14:23 GMT

Yep, I am sure that settings are the same. Already tried with AES-128.

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

the_rock — Thu, 05 Dec 2024 14:17:39 GMT

See if either of below helps.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Informational-Exchange-Received-Delete-IKE-SA-from-Peer-xx-xx-xx/td-p/61000

https://support.checkpoint.com/results/sk/sk13836

https://community.checkpoint.com/t5/Security-Gateways/VPN-Check-Point-Palo-Alto-issue/m-p/220276#M42146

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

SinisaZG — Thu, 05 Dec 2024 17:01:10 GMT

100% phase 2 settings do indeed match on both sides - checked several times.

VPN: 'iked' is disabled. or vpn: Address 'X.X.X.X' is not handled by any IKED daemon

I will create a TAC case for this, thanks for help.

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

SinisaZG — Thu, 05 Dec 2024 17:03:24 GMT

I will create a TAC case for this, thanks for help.

Re: Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

the_rock — Thu, 05 Dec 2024 17:39:52 GMT

Happy to do remote if you are allowed to, let me know.

Andy