This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Noah_T
Participant
‎2019-04-08 05:49 PM

Checkpoint S2S VPN with AWS Virtual Private Gateway

I have a Checkpoint SG 4600 cluster with GAIA R77.30. Trying to establish a site to site vpn tunnel with AWS Virtual Private Gateway. I have a Domain based vpn setup on my end with an Inbound policy rule ( Meaning a server in AWS initiates a connection to a server in our network ) .  On the day of deployment when they initiated the traffic the tunnel did not come up and I did not see any negotiations happening ( Did not see any IKE 500 packets coming to our network border router/Firewall, did not see any Key Install messages in Smart View Tracker ). AWS was unable to provide me any logs as it has been said that AWS Virtual Private Gateway is always configured to be as a "Responder" but not as a "Initiator" of the tunnel and hence they do not see any logs. 

Is there any way I can configure checkpoint gateway to be the initiator of the tunnel ?

0 Kudos
6 Replies
Maarten_Sjouw
Champion
Champion
‎2019-04-09 03:18 AM

When the tunnel is created on the AWS side there is a question which gateway is used at the other end, when you supply Check Point as a response you will get a text file with all instructions how to build the 2 tunnels, as by default they build 2 tunnels.
Regards, Maarten
0 Kudos
Gaurav_Pandya
Advisor
‎2019-04-09 03:31 AM

Hi,

May be below thread will be helpful.

https://community.checkpoint.com/t5/Remote-Access-Solutions/Azure-Site-to-Site-VPn-fail/m-p/49783#M1...

0 Kudos
Noah_T
Participant
‎2019-04-09 05:05 AM
In response to Gaurav_Pandya

I have configured the tunnel on Checkpoint gateway but how do we know which device behaves as an "Initiator" ? AWS Virtual Private Gateway can act only as "Responder" and I cannot trigger any traffic from my network as this is only inbound traffic to us ( from AWS to our network ) ?

0 Kudos
Gaurav_Pandya
Advisor
‎2019-04-09 05:21 AM
In response to Noah_T

Hi,

You have to generate some interesting traffic to check this. Run the VPN debug and analyze ike.elg file on IKE info viewer tool, you will come to know which gateway initiates the traffic from first packet.

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-04-09 05:23 AM
In response to Noah_T

When you set the tunnel as Permanent in the community configuration and set the tunnel per subnet, the tunnel will be initiated from your end.
Regards, Maarten
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-04-09 07:00 AM
In response to Maarten_Sjouw

also check this post: https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN/m-p/34463?advanced=false&author_i...
Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events