Hi everyone,
We currently have the problem that an IPsec connection between two Windows servers is not working due to our Check Point Maestro Cluster. If we hang the server in front of the Check Point, the IPsec works without a problem. Has anyone here had any experience with this?
In Wireshark I see many Identity Protection (Main Mode) packets in a row. There are also a lot of "Unknown packets" (243,244,246).
No NAT is active on our firewall and we have no other VPN tunnels running.
Could this be an MTU/MSS problem?
Thank you for your help!
Paul
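An added example (not part of the original thread): a small parser for the ISAKMP header of payloads captured on UDP 500/4500 that names the exchange types Wireshark reports and counts how many packets are first messages still carrying a zero responder cookie. The labels for 243 to 246 follow Microsoft's AuthIP specification ([MS-AIPS]) and are an assumption here, not something the thread states; `make_header` and `SAMPLE` are constructed test data.

```python
import struct
from collections import Counter

ZERO8 = b"\x00" * 8
# Exchange-type byte of the ISAKMP/IKE header (RFC 2408, RFC 2409, RFC 7296).
EXCHANGE_TYPES = {
    2: "IKEv1 Identity Protection (Main Mode)", 4: "IKEv1 Aggressive",
    5: "IKEv1 Informational", 32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
    # Assumption, taken from [MS-AIPS] and not from the thread: Windows AuthIP.
    243: "AuthIP Main Mode", 244: "AuthIP Quick Mode",
    245: "AuthIP Extended Mode", 246: "AuthIP Notify",
}

def classify(payload: bytes, port: int = 500):
    """Return (label, is_initial) for one UDP payload on port 500 or 4500."""
    if port == 4500:
        if payload[:4] != b"\x00" * 4:      # no zero marker: not an IKE message
            return "ESP-in-UDP/keepalive", False
        payload = payload[4:]               # strip the 4-byte non-ESP marker
    if len(payload) < 28:
        return "truncated", False
    _ic, rcookie, _np, _ver, xchg, _fl, _mid, _len = struct.unpack(
        "!8s8sBBBBII", payload[:28])
    label = EXCHANGE_TYPES.get(xchg, f"unknown exchange type {xchg}")
    # A zero responder cookie marks the initiator's first message.
    return label, rcookie == ZERO8

def summarize(packets):
    """Count (label, 'initial' | 'later') over (payload, port) pairs."""
    counts = Counter()
    for payload, port in packets:
        label, initial = classify(payload, port)
        counts[label, "initial" if initial else "later"] += 1
    return counts

def make_header(xchg: int, rcookie: bytes = ZERO8) -> bytes:
    """Build a constructed 28-byte header for the sample below."""
    return struct.pack("!8s8sBBBBII", b"INITCOOK", rcookie, 1, 0x10, xchg, 0, 0, 28)

# Constructed sample resembling the capture described in the question.
SAMPLE = [(make_header(2), 500)] * 3 + [(make_header(243), 500)] * 2 + [
    (make_header(246, b"RESPCOOK"), 500), (b"\x00" * 4 + make_header(2), 4500)]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```

A capture in which every IKE packet counts as "initial" means the initiator keeps retransmitting its first message without using a reply, which is worth comparing on both sides of the gateway.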
Hey Paul,
If you do vpn tu and check option to list the tunnel by phase 1 or 2, option 3 and 4, what do you see?
[Expert@CP-GW:0]# vpn tu
********** Select Option **********
(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) * List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.
(Q) Quit
*******************************************
Also, what if you try below?
vpn tu list peer_ike peer-ip and same command with peer_ipsec
Alternatively, do basic debug:
vpn debug trunc
vpn debug ikeon
-generate traffic
vpn debug ikeoff
Check vpnd and iked files in $FWDIR/log dir
Andy
Hi @the_rock
Sorry for the late reply, I was on vacation.
Unfortunately, this is not a VPN tunnel on the Check Point itself, but IPsec encrypted traffic between two servers with the Check Point in between. There are no VPN tunnels running on the Check Point itself.
Paul
K, no worries. Hope you had a nice vacation :-)
Anyway, in that case, all you need to make sure is that CP is allowing the traffic to pass through, that's it.
Andy
Thank you, everything was fine!
We have a firewall rule that allows all traffic, everything is also allowed in the log. However, no connection is established when testing. If we put the server in front of the Check Point so that it no longer takes over the routing, everything works.
Paul
Do you even see phase 1 form or nothing at all?
Andy
Is the IPsec VPN blade enabled here?
I know this VPN is not terminating in the device, but I know IPsec code is handled as part of Implied Rules and something may be causing an issue.
I suspect TAC may be necessary to troubleshoot.
You see any drops on the Maestro firewalls?
fw ctl zdebug + drop | grep <IP>
What version? cpinfo -y all
What ports have you allowed? Think of: ESP, IKE 500, UDP 4500