This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
JonWilliams
Explorer
‎2024-02-21 06:24 AM

IPSEC VPN

Hi,

 

Setup a site to site vpn to third party (amazonaws) from our CP R81.20 but the tunnel is not coming up.

 

initiating traffic on our back end, i  can see on the tcpdump ext int that we are sending a isakmp and receive 1 back but thats where it stops. Tunnel does not come up 

 

Any ideas please ?

 

IP xxxxxxx.co.uk.isakmp > xxxxxxxxxxxx.amazonaws.com.isakmp: isakmp: parent_sa ikev2_init[I]

 IPxxxxxxxxxxxamazonaws.com.isakmp > xxxxxxxxx.co.uk.isakmp: isakmp: parent_sa ikev2_init[R]

 

 

0 Kudos
9 Replies
the_rock
Legend
Legend
‎2024-02-21 06:43 AM

Hey,

Are you using numbered or unnumbered vti's? Set as permanent tunnel? Mesage me offline, happy to do remote if you allow it. Im fairly experienced with Azure VPN tunnels, though have done couple with AWS as well.

Best,

Andy

0 Kudos
JonWilliams
Explorer
‎2024-02-21 07:08 AM
In response to the_rock

Hi,

 

It is just setup as a site to site vpn, we do not use vti's on our CP

 

Thanks

0 Kudos
the_rock
Legend
Legend
‎2024-02-21 07:11 AM
In response to JonWilliams

Okay..is it set as permanent tunnel via community object tunnel management or no? How do you have below configured?

Andy

 

Screenshot_1.png

0 Kudos
JonWilliams
Explorer
‎2024-02-21 07:16 AM
In response to the_rock

Hi,

 

Set Permanent is not ticked and vpn tunnel sharing is "one vpn tunnel per subnet pair"

0 Kudos
the_rock
Legend
Legend
‎2024-02-21 07:25 AM
In response to JonWilliams

Ok, no problem. All debug shows is that you guys are I as initiator, and AWS is R, as in responder, but clearly config is not matching somewhere, as even phase 1 does not seem to be working.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-21 09:09 AM
In response to JonWilliams

Did you also do simple vpn debug?

vpn debug trunc

vpn debug ikeon

-try generate some traffic

vpn debug ikeoff (after 2-3 mins)

Look for ike and vpnd files in $FWDIR.log dir

Get them off the fw and examine for any relevant IPs, or you can simply grep -i from ssh as well

ie from expert mode -> grep -i 2.3.4.5 vpnd.elg (just replace 2.3.4.5 with actual peer external IP)

Best,

Andy

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2024-02-21 07:11 AM
In response to JonWilliams

And which documentation did you follow when configuring the S2S VPN ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
JonWilliams
Explorer
‎2024-02-21 07:18 AM
In response to G_W_Albrecht

Hi,

 

I just followed the phase 1 and 2 proposals set by the third party. Sorry im not great on CP.

 

If the third party use vti im guessing that would not be an issue if we dont ?

Rgds,

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-02-21 07:23 AM
In response to JonWilliams

Thats fine, dont worry, we are here to help! Put it this way, for route based VPN, you need VTI. Have a look at my post below, I know its about Azure, but I explained it the best I could. Happy to do remote if you allow that, not an issue. I really feel I could help you with it.

Best,

Andy

 

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top