AWS to Checkpoint VPN with BGP

ScottG67 — Thu, 12 Aug 2021 13:57:19 GMT

Hello All,

I am running a Checkpoint cluster on R80.40 and I am trying to connect a VPN to AWS with BGP. The AWS side was built by a third party and I am working on getting it verified. I have downloaded the config file from AWS for my version of checkpoint. I have configured it to the letter except for Dead Peer Detection DPD. I do not think I need this to get the tunnel going? I have been using

tcpdump -nni any port 500 or esp and host <enter_peer_ip_here>

to watch the tunnel. I can see phase 1 gets setup and then it fails at phase 2. I say fails loosely as the logs just keep referencing phase 2. It feels a lot like I'm just shooting in the dark as I didn't setup the AWS side and I am not clear on any log locations that might help with this on my firewalls. Are there any techniques that I should be using to troubleshoot this or logs I can look at that might give me some more information? Here are some of the log data that I am seeing now from the command above. I'm not 100% sure what I should be looking for here as I do not have a reference for the log syntax. Really looking for a life line here anything would probably help at this pont.

10:36:32.850496 IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 1 I ident
10:36:32.850499 ethertype IPv4, IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 1 I ident
10:36:32.903517 ethertype IPv4, IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 1 R ident
10:36:32.903517 IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 1 R ident
10:36:32.904001 IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 1 I ident
10:36:32.904003 ethertype IPv4, IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 1 I ident
10:36:32.957669 ethertype IPv4, IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 1 R ident
10:36:32.957669 IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 1 R ident
10:36:32.958607 IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 1 I ident[E]
10:36:32.958609 ethertype IPv4, IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 1 I ident[E]
10:36:33.011620 ethertype IPv4, IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 1 R ident[E]
10:36:33.011620 IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 1 R ident[E]
10:36:33.012570 IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 2/others I oakley-quick[E]
10:36:33.012573 ethertype IPv4, IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 2/others I oakley-quick[E]
10:36:33.016337 ethertype IPv4, IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 2/others R inf[E]
10:36:33.016337 IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 2/others R inf[E]
10:36:33.066342 ethertype IPv4, IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 2/others R oakley-quick[E]
10:36:33.066342 IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 2/others R oakley-quick[E]
10:36:33.067669 IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 2/others I oakley-quick[E]
10:36:33.067671 ethertype IPv4, IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 2/others I oakley-quick[E]
10:36:33.167589 IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 2/others I oakley-quick[E]
10:36:33.167592 ethertype IPv4, IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 2/others I oakley-quick[E]
10:36:33.267595 IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 2/others I oakley-quick[E]
10:36:33.267598 ethertype IPv4, IP <CheckpointIP>.500 > <AWSIP>.500: isakmp: phase 2/others I oakley-quick[E]
10:36:33.367784 IP <CheckpointIP> > <AWSIP>: ESP(spi=0xc71c9dc5,seq=0x1), length 84
10:36:33.367787 ethertype IPv4, IP <CheckpointIP> > <AWSIP>: ESP(spi=0xc71c9dc5,seq=0x1), length 84
10:36:42.654894 ethertype IPv4, IP <AWSIP> > <CheckpointIP>: ESP(spi=0x3e28f919,seq=0x1), length 100
10:36:42.654894 IP <AWSIP> > <CheckpointIP>: ESP(spi=0x3e28f919,seq=0x1), length 100
10:36:42.850114 IP <CheckpointIP> > <AWSIP>: ESP(spi=0xc71c9dc5,seq=0x2), length 84
10:36:42.850117 ethertype IPv4, IP <CheckpointIP> > <AWSIP>: ESP(spi=0xc71c9dc5,seq=0x2), length 84
10:36:43.012425 ethertype IPv4, IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 2/others R inf[E]
10:36:43.012425 IP <AWSIP>.500 > <CheckpointIP>.500: isakmp: phase 2/others R inf[E]

Thanks,

Scott

Re: AWS to Checkpoint VPN with BGP

Blason_R — Mon, 16 Aug 2021 03:20:48 GMT

Two things -

Is this Policy based VPN or Route based VPN?

Have you tried debugging with vpn debug ikeon? have you analyzed the output? Plus if this is a route based enable match directional traffic.

topic Re: AWS to Checkpoint VPN with BGP in SASE and Remote Access

AWS to Checkpoint VPN with BGP

Re: AWS to Checkpoint VPN with BGP

Re: AWS to Checkpoint VPN with BGP