topic Re: 2 Checkpoint gateways, 1 SMS, site to site VPN ike failure in SASE and Remote Access

2 Checkpoint gateways, 1 SMS, site to site VPN ike failure

KWD — Thu, 15 Aug 2019 22:36:23 GMT

Hello,

I am trying to connect a new (remote location) 3200 to an existing Checkpoint infrastructure consisting of 1 SMS and 2-12400 gateways in a cluster. All devices are 80.20. We have setup an site to site vpn. SIC connects, and when we push policies to the new 3200, it is successful. But we only get Up Phase 1 IKE from the 12400 to the 3200. I have looked through assorted documentation, but have not found a solution. Where do I start or what could the problem be.

VPN tu on the remote 3200 for List all IKE SAs says, "No data to display".

VPN tu on the 12400 for List all IKE SAs has 4 different SAs for the 3200 peer.

Thanks

Re: 2 Checkpoint gateways, 1 SMS, site to site VPN ike failure

peter_schumache — Fri, 16 Aug 2019 06:13:18 GMT

First look for rejects in your log file saying "no valid SA found"

Then on your active 12400 member do at bash level:

cd $FWDIR/log

vpn debug on

vpn debug ikeon

try to connect through the vpn from a device in your encryption domain

vpn debug ikeoff

vpn debug off

Now get the file $FWDIR/log/ike.elg to your PC

Open it using the IKEVIEW utility

Look for the entries for your VPN Gateway

I'm pretty sure you'll see the cause for your problems

Common causes for missing SAs are:

wrong (internal) IP used in general tab of gateway object

Rulebase not allowing IPsec communication between gateways

hth