
Enable DPD on R80.20

Hi everyone,

I recently upgraded from R77.30 to R80.20 and I am new to R80.20. I have 20 IPsec tunnels terminated on my cluster firewalls, and here is my question:

1- There is an issue with one IPsec tunnel to a 3rd party and I need to enable DPD mode (the tunnel is not permanent). If I enable DPD mode, is there any impact on the other tunnels?

and here is the tunnel config:

IKEv1

Phase 1

AES-256

SHA-256

DH:Group5

Renegotiation IKE security: 1440 minutes

I'd appreciate it if someone could help me resolve the issue.

9 Replies
Admin

Re: enable DPD on R80.20

If I understand the documentation correctly, you can only use one monitoring method (DPD or Tunnel Test) per gateway.


Re: enable DPD on R80.20

Hi Dameon,

As far as I know, DPD is not enabled on the gateways and keep_IKE_SAs is not checked, so what do you suggest?

Admin

Re: enable DPD on R80.20

DPD is not enabled by default, that much I know. 

I'll have to confirm my understanding with R&D.

You may also want to check with the TAC as well. 

How To Open a Case with TAC and/or Account Services

Re: enable DPD on R80.20

Hi Dameon,

Do you have any update from your R&D team? If I enable DPD, does it have any impact on the existing IPsec tunnels?

Admin

Re: enable DPD on R80.20

To clarify, the setting controls the method the given gateway can be probed by (Tunnel Test or DPD).

A given gateway can be probed by one or the other, not both.

If you configure the remote gateway object to use DPD and the others in the community remain set to Tunnel Test, your gateway will probe the remote gateway with DPD and the others will use Tunnel Test.

Which I think is what you're after.

Re: enable DPD on R80.20

Thanks, Dameon, for your reply.

So in this case, are the following steps correct?

1- Enable "keep_IKE_SAs" from SmartDashboard, Global Properties, Advanced VPN configuration, and then push the policy

2- Back up the Check Point registry and set the DPD key:

[Expert@HostName:0]# cp -v $CPDIR/registry/HKLM_registry.data $CPDIR/registry/HKLM_registry.data_ORIGINAL

[Expert@HostName:0]# ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1

[Expert@HostName:0]# cpstop ; cpstart

Or is step 1 alone enough?

Admin

Re: enable DPD on R80.20

I believe you need to do both.

That's in addition to setting the tunnel_keepalive_method property in the remote object to dpd, of course.
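As an added example, not code from the thread or from Check Point, here are the two registry commands from the steps above wrapped in a POSIX shell script that refuses to overwrite an earlier backup, skips the change when the key is already present, and verifies the key in the registry file afterwards. It assumes that $CPDIR and ckp_regedit exist only on a gateway, and that the registry text file records the key as ":forceSendDPDPayload (1)" (assumed format; check your own HKLM_registry.data first). The cpstop/cpstart step is left to the operator since it interrupts traffic.

```shell
#!/bin/sh
# Added example, not from the thread: apply the forceSendDPDPayload registry change
# with a one-time backup and a before/after verification.
# Assumptions (labelled): ckp_regedit and $CPDIR are only present on a Check Point
# gateway; the registry file stores the key as ":forceSendDPDPayload (1)" (assumed format).

REG_KEY="forceSendDPDPayload"
REG_PATH="SOFTWARE/CheckPoint/VPN1"

# has_dpd_key FILE -> succeeds if FILE already contains the key set to 1
has_dpd_key() {
    grep -qF ":${REG_KEY} (1)" "$1"
}

# backup_registry FILE -> copies FILE to FILE_ORIGINAL once; never overwrites an earlier backup,
# so the pre-change state survives repeated runs of this script
backup_registry() {
    if [ -e "${1}_ORIGINAL" ]; then
        echo "backup already exists: ${1}_ORIGINAL (keeping it)" >&2
        return 0
    fi
    cp -v "$1" "${1}_ORIGINAL"
}

# enable_dpd_payload FILE -> runs the ckp_regedit command from the post, then verifies the key
enable_dpd_payload() {
    reg="$1"
    backup_registry "$reg" || return 1
    if has_dpd_key "$reg"; then
        echo "${REG_KEY} already set to 1; nothing to do"
        return 0
    fi
    ckp_regedit -a "$REG_PATH" "$REG_KEY" -n 1 || return 1
    has_dpd_key "$reg" || { echo "verification failed: ${REG_KEY} not found in ${reg}" >&2; return 1; }
    echo "${REG_KEY} set; run 'cpstop ; cpstart' in a maintenance window to apply it"
}

# Only touch the live registry on a gateway and when explicitly asked.
if [ -n "$CPDIR" ] && [ "$1" = "--apply" ]; then
    enable_dpd_payload "$CPDIR/registry/HKLM_registry.data"
fi
```

Run it as `sh enable_dpd.sh --apply` from expert mode; without `--apply` it only defines the functions, so it can be sourced to check a registry file with `has_dpd_key /path/to/HKLM_registry.data`.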

Re: enable DPD on R80.20

We have a similar issue in that our 3rd parties' remote gateways intermittently drop because our local peer (gateway) is apparently not responding to DPD requests.

All our 3rd party VPNs are not Check Point, so to enable our end to respond to DPD requests, do we need to edit the peer gateway object in GuiDBedit, and will this require a restart of just the management station or the gateway as well?

Thanks

Admin

Re: enable DPD on R80.20

If a particular gateway requires the use of DPD, then you must use GuiDBedit to edit the object of the remote gateway that requires it.

This requires a policy installation on your gateway to take effect and does not require a restart of either the management or the gateway.