Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada
Site-to-Site IPSec between Check Point and 3rd Party Gateway: Sophos
Issue is present on VSX deployment on one Virtual System
We've checked the policy several times, and there are no issues like lifetime mismatch, etc.
VPN Tunnel is up but we keep receiving errors:
Informational Exchange Received: Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada
Tunnel with IKEv1 is up, with IKEv2 is down with error:
Quick Mode Failed to match proposal: Transform: AES-256, SHA1, Group 2 (1024 bit), Tunnel; Reason: Wrong value for: Key Length
DPD Responder Mode: is enabled
"Note: The DPD mechanism is based on IKE SA keys. In some situations, the Check Point Security Gateway deletes IKE SAs, and a VPN peer, usually a 3rd Party gateway, sends DPD requests and does not receive a response. As a result, the VPN peer concludes that the Check Point Security Gateway is down. The VPN peer can then delete the IKE and IPsec keys, which causes encrypted traffic from the Check Point Security Gateway to be dropped by the remote peer."
In SmartConsole
click Menu > Global properties > Advanced > Configure. Click VPN Advanced Properties > VPN IKE properties.
Select keep_IKE_SAs.
Click OK.
Install the Access Control Policy. - this is already enabled
Should I try to change the settings with GuiDBEdit Tool?
DPD responder mode
Permanent tunnel mode based on DPD
___________________________________________________________________
I have no experience in working with DPD and I need someone who can help me with that.
Am I even looking in the right direction?
Many thanks!
Hey @SinisaZG
What version is this? I ask, because I believe back in R80.40, when permanent tunnel option is enabled in vpn community, there is no need to change anything in guidbedit for dpd and I'm referring to below.
Andy
Sorry, I forgot to put the version. R81.20, Take 76.
The settings are the same as yours.
On your CP object participating in the vpn tunnel, IF it's set to permanent tunnel as below, then guidbedit should say dpd, NOT tunnel test.
Andy
I tried that already... same error.
I would make sure both cp object AND interoperable are set to dpd and same in the community and then install policy and test. If same issue, then run basic vpn debug and see what shows up on the other end.
I would also confirm 100% phase 2 settings do indeed match on both sides.
vpn debug trunc
vpn debug ikeon
- replicate the issue
vpn debug ikeoff
disable debug -> fw ctl debug 0
get ike* and vpnd* files from $FWDIR/log dir
Andy
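Once the ike*/vpnd* files from the debug above are in hand, the two messages quoted in this thread can be pulled out and counted per peer. This is an added example, not code from the original post or from Check Point; the log lines are constructed from the message shapes on this page (RFC 5737 documentation addresses stand in for the real peer), and the threshold of three deletes is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two messages quoted in this thread
# (peer addresses are RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
Informational Exchange Received Delete IPSEC-SA from Peer: 203.0.113.10; SPIs: 00003ada
Informational Exchange Received Delete IPSEC-SA from Peer: 203.0.113.10; SPIs: 00003adb
Quick Mode Failed to match proposal: Transform: AES-256, SHA1, Group 2 (1024 bit), Tunnel; Reason: Wrong value for: Key Length
Informational Exchange Received Delete IPSEC-SA from Peer: 198.51.100.7; SPIs: 0000a1c4
Informational Exchange Received Delete IPSEC-SA from Peer: 203.0.113.10; SPIs: 00003adc
"""

# The thread shows the message both with and without a colon after "Received".
DELETE_RE = re.compile(
    r"Informational Exchange Received:? Delete IPSEC-SA from Peer: "
    r"(?P<peer>[\d.]+); SPIs: (?P<spi>[0-9a-fA-F]+)"
)
PROPOSAL_RE = re.compile(
    r"Quick Mode Failed to match proposal: Transform: (?P<transform>[^;]+); "
    r"Reason: (?P<reason>.+)"
)

def parse_events(text):
    """Return (deletes, mismatches): deletes maps peer -> list of deleted SPIs,
    mismatches is a list of (transform, reason) tuples from failed Quick Mode."""
    deletes = defaultdict(list)
    mismatches = []
    for line in text.splitlines():
        m = DELETE_RE.search(line)
        if m:
            deletes[m["peer"]].append(m["spi"].lower())
            continue
        m = PROPOSAL_RE.search(line)
        if m:
            mismatches.append((m["transform"].strip(), m["reason"].strip()))
    return dict(deletes), mismatches

def flag_peers(deletes, threshold=3):
    """Peers that deleted at least `threshold` IPsec SAs (assumed threshold).
    A peer repeatedly tearing down SAs while the tunnel shows 'up' is what a
    DPD / keep_IKE_SAs problem looks like from the Check Point side."""
    return sorted(p for p, spis in deletes.items() if len(spis) >= threshold)

if __name__ == "__main__":
    d, mm = parse_events(SAMPLE_LOG)
    for peer in flag_peers(d):
        print(f"peer {peer} deleted {len(d[peer])} SAs: {', '.join(d[peer])}")
    for transform, reason in mm:
        print(f"phase 2 mismatch on [{transform}]: {reason}")
```

Run it against the real vpnd/ike files instead of SAMPLE_LOG; a mismatch with "Key Length" points at the Phase 2 transform, while a peer that keeps deleting SAs points at DPD/IKE SA handling.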
100% phase 2 settings do indeed match on both sides - checked several times.
VPN: 'iked' is disabled. or vpn: Address 'X.X.X.X' is not handled by any IKED daemon
I will create a TAC case for this, thanks for help.
Are you sure the Sophos is not set for AES-256-GCM in Phase 2? Not the same as AES-256. As a test try setting P2 to AES-128 and see what happens.
Yep, I am sure that settings are the same. Already tried with AES-128.
I will create a TAC case for this, thanks for help.
Happy to do remote if you are allowed to, let me know.
Andy
