Noah_T
Iron

Checkpoint S2S VPN with AWS Virtual Private Gateway

I have a Checkpoint SG 4600 cluster with GAIA R77.30. Trying to establish a site-to-site VPN tunnel with AWS Virtual Private Gateway. I have a domain-based VPN setup on my end with an inbound policy rule (meaning a server in AWS initiates a connection to a server in our network). On the day of deployment, when they initiated the traffic, the tunnel did not come up and I did not see any negotiations happening (did not see any IKE 500 packets coming to our network border router/firewall, did not see any Key Install messages in SmartView Tracker). AWS was unable to provide me any logs, as it has been said that AWS Virtual Private Gateway is always configured to be a "Responder" but not an "Initiator" of the tunnel, and hence they do not see any logs.

Is there any way I can configure the Checkpoint gateway to be the initiator of the tunnel?

0 Kudos
6 Replies

Re: Checkpoint S2S VPN with AWS Virtual Private Gateway

When the tunnel is created on the AWS side there is a question about which gateway is used at the other end; when you supply Check Point as the answer you will get a text file with all the instructions on how to build the 2 tunnels, as by default they build 2 tunnels.
Regards, Maarten
0 Kudos

Noah_T
Iron

Re: Checkpoint S2S VPN with AWS Virtual Private Gateway

I have configured the tunnel on the Checkpoint gateway, but how do we know which device behaves as the "Initiator"? AWS Virtual Private Gateway can act only as "Responder", and I cannot trigger any traffic from my network as this is only inbound traffic to us (from AWS to our network).

0 Kudos

Re: Checkpoint S2S VPN with AWS Virtual Private Gateway

Hi,

You have to generate some interesting traffic to check this. Run the VPN debug and analyze the ike.elg file in the IKE info viewer tool; you will see from the first packet which gateway initiates the negotiation.

0 Kudos
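The "first packet tells you who initiated" point above can also be checked without the IKE info viewer, straight from a packet capture of UDP/500 (or UDP/4500) taken on the gateway's external interface. The script below is an added example for this thread, not Check Point's, AWS's or the poster's code: it parses the fixed ISAKMP header that IKEv1 and IKEv2 share and reports which peer sent the opening message. For IKEv2 the sender's role comes from the Initiator flag (0x08); for IKEv1 only the very first Main/Aggressive Mode message can be classified, because it is the one that carries an all-zero responder cookie. The IP addresses, SPIs and packets are constructed, not a real capture.

```python
"""Determine which peer initiated an IKE exchange from the first ISAKMP packet.

Added example for this thread (not Check Point's or AWS's code). Instead of
reading $FWDIR/log/ike.elg, it inspects the raw ISAKMP header of the first
UDP/500 (or UDP/4500) datagram, e.g. from a tcpdump/fw monitor capture.
All sample data below is constructed.
"""
import struct

# Fixed ISAKMP header shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296): 28 bytes.
# initiator SPI, responder SPI, next payload, version, exchange type, flags,
# message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_NAMES = {
    2: "IKEv1 Main Mode",
    4: "IKEv1 Aggressive Mode",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKE_SA_INIT",
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",
    37: "INFORMATIONAL",
}

IKEV2_FLAG_INITIATOR = 0x08  # set on every message sent by the IKE SA's original initiator
IKEV2_FLAG_RESPONSE = 0x20   # set on responses (not needed for role, shown for reference)


def build_isakmp_header(i_spi, r_spi, exchange, flags, major=2, msg_id=0, length=ISAKMP_HDR.size):
    """Build a header for the constructed samples (hypothetical values only)."""
    version = (major << 4) | 0          # major.minor, minor is always 0
    next_payload = 33 if major == 2 else 1  # SA payload type in IKEv2 / IKEv1
    return ISAKMP_HDR.pack(i_spi, r_spi, next_payload, version, exchange, flags, msg_id, length)


def parse_isakmp_header(payload):
    """Decode the fixed header; raise ValueError if the datagram is too short."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("payload shorter than the 28-byte ISAKMP header")
    i_spi, r_spi, _next, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange": EXCHANGE_NAMES.get(exch, f"unknown({exch})"),
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
    }


def sender_role(payload):
    """Role of the peer that SENT this datagram: 'initiator', 'responder' or 'unknown'."""
    hdr = parse_isakmp_header(payload)
    if hdr["major"] == 2:
        return "initiator" if hdr["flags"] & IKEV2_FLAG_INITIATOR else "responder"
    # IKEv1 has no initiator flag; only the first Main/Aggressive Mode message,
    # which the initiator sends, carries an all-zero responder cookie.
    if hdr["responder_spi"] == "00" * 8:
        return "initiator"
    return "unknown"


def who_initiated(packets, local_ip):
    """packets: iterable of (src_ip, dst_ip, dst_port, udp_payload) in capture order.

    Returns a dict describing the first IKE message sent by an initiator, or None.
    """
    for src, dst, dport, payload in packets:
        if dport not in (500, 4500):
            continue
        if dport == 4500:
            if payload[:4] != b"\x00\x00\x00\x00":
                continue            # ESP-in-UDP or NAT-T keepalive, not IKE
            payload = payload[4:]   # strip the non-ESP marker
        if len(payload) < ISAKMP_HDR.size:
            continue
        if sender_role(payload) == "initiator":
            hdr = parse_isakmp_header(payload)
            return {
                "initiator": src,
                "responder": dst,
                "local_initiated": src == local_ip,
                "exchange": hdr["exchange"],
            }
    return None


# Constructed sample capture: our gateway opens the tunnel, the AWS side answers.
LOCAL_GW = "198.51.100.1"   # hypothetical Check Point external address
AWS_VGW = "203.0.113.10"    # hypothetical AWS VGW tunnel endpoint
I_SPI = bytes.fromhex("0011223344556677")
R_SPI = bytes.fromhex("8899aabbccddeeff")

SAMPLE_PACKETS = [
    (LOCAL_GW, "203.0.113.53", 53, b"\x00" * 12),                                  # unrelated, ignored
    (LOCAL_GW, AWS_VGW, 500, build_isakmp_header(I_SPI, b"\x00" * 8, 34, IKEV2_FLAG_INITIATOR)),
    (AWS_VGW, LOCAL_GW, 500, build_isakmp_header(I_SPI, R_SPI, 34, IKEV2_FLAG_RESPONSE)),
]

if __name__ == "__main__":
    print(who_initiated(SAMPLE_PACKETS, LOCAL_GW))
```

To use it on a real capture, feed `who_initiated` the datagrams from `tcpdump -nni eth0 udp port 500 or udp port 4500` (or the equivalent fw monitor output) in the order they were seen; if the result has `local_initiated` set, the Check Point side opened the negotiation, which is what the permanent-tunnel setting discussed in this thread is meant to achieve.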

Re: Checkpoint S2S VPN with AWS Virtual Private Gateway

When you set the tunnel as Permanent in the community configuration and set the tunnel per subnet, the tunnel will be initiated from your end.
Regards, Maarten
0 Kudos
