This website uses cookies. By browsing this website, you consent to the use of cookies. Learn more.
OK
ABOUT CHECKMATES & FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Help
Noah_T
Noah_T
Iron
‎2019-04-08 05:49 PM

Checkpoint S2S VPN with AWS Virtual Private Gateway

I have a Checkpoint SG 4600 cluster with GAIA R77.30. Trying to establish a site to site vpn tunnel with AWS Virtual Private Gateway. I have a Domain based vpn setup on my end with an Inbound policy rule ( Meaning a server in AWS initiates a connection to a server in our network ) .  On the day of deployment when they initiated the traffic the tunnel did not come up and I did not see any negotiations happening ( Did not see any IKE 500 packets coming to our network border router/Firewall, did not see any Key Install messages in Smart View Tracker ). AWS was unable to provide me any logs as it has been said that AWS Virtual Private Gateway is always configured to be as a "Responder" but not as a "Initiator" of the tunnel and hence they do not see any logs. 

Is there any way I can configure checkpoint gateway to be the initiator of the tunnel ?

0 Kudos
Reply
6 Replies
Maarten_Sjouw
Maarten_Sjouw
Jade
‎2019-04-09 03:18 AM

Re: Checkpoint S2S VPN with AWS Virtual Private Gateway

When the tunnel is created on the AWS side there is a question which gateway is used at the other end, when you supply Check Point as a response you will get a text file with all instructions how to build the 2 tunnels, as by default they build 2 tunnels.
Regards, Maarten
0 Kudos
Reply
Gaurav_Pandya
Gaurav_Pandya
Gold
‎2019-04-09 03:31 AM

Re: Checkpoint S2S VPN with AWS Virtual Private Gateway

Hi,

May be below thread will be helpful.

https://community.checkpoint.com/t5/Remote-Access-Solutions/Azure-Site-to-Site-VPn-fail/m-p/49783#M1...

0 Kudos
Reply
Noah_T
Noah_T
Iron
‎2019-04-09 05:05 AM

Re: Checkpoint S2S VPN with AWS Virtual Private Gateway

I have configured the tunnel on Checkpoint gateway but how do we know which device behaves as an "Initiator" ? AWS Virtual Private Gateway can act only as "Responder" and I cannot trigger any traffic from my network as this is only inbound traffic to us ( from AWS to our network ) ?

0 Kudos
Reply
Gaurav_Pandya
Gaurav_Pandya
Gold
‎2019-04-09 05:21 AM

Re: Checkpoint S2S VPN with AWS Virtual Private Gateway

Hi,

You have to generate some interesting traffic to check this. Run the VPN debug and analyze ike.elg file on IKE info viewer tool, you will come to know which gateway initiates the traffic from first packet.

0 Kudos
Reply
Maarten_Sjouw
Maarten_Sjouw
Jade
‎2019-04-09 05:23 AM

Re: Checkpoint S2S VPN with AWS Virtual Private Gateway

When you set the tunnel as Permanent in the community configuration and set the tunnel per subnet, the tunnel will be initiated from your end.
Regards, Maarten
0 Kudos
Reply
Maarten_Sjouw
Maarten_Sjouw
Jade
‎2019-04-09 07:00 AM

Re: Checkpoint S2S VPN with AWS Virtual Private Gateway

also check this post: https://community.checkpoint.com/t5/General-Topics/Route-Based-VPN/m-p/34463?advanced=false&author_i...
Regards, Maarten
0 Kudos
Reply