This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SinisaZG
Contributor
Contributor
‎2024-12-05 05:06 AM

Informational Exchange Received Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

Site-to-Site IPSec between Check Point and 3rd Party Gateway: Sophos

Issue is present on VSX deployment on one Virtual System

We've checked the policy several times, and there is no issues like lifetime mismatch, etc...

 

VPN Tunnel is up but we keep receiving errors:

Informational Exchange Received: Delete IPSEC-SA from Peer: X.X.X.X; SPIs: 00003ada

Tunnel with IKEv1 is up, with IKEv2 is down with error:

Quick Mode Failed to match proposal: Transform: AES-256, SHA1, Group 2 (1024 bit), Tunnel; Reason: Wrong value for: Key Length

 

DPD Responder Mode:is enabled

"Note: The DPD mechanism is based on IKE SA keys. In some situations, the Check Point Security Gateway deletes IKE SAs, and a VPN peer, usually a 3rd Party gateway, sends DPD requests and does not receive a response. As a result, the VPN peer concludes that the Check Point Security Gateway is down. The VPN peer can then delete the IKE and IPsec keys, which causes encrypted traffic from the Check Point Security Gateway to be dropped by the remote peer."

 

  1. In SmartConsole

    click Menu > Global properties > Advanced > Configure

  2. Click VPN Advanced Properties > VPN IKE properties.

  3. Select keep_IKE_SAs.

  4. Click OK.

  5. Install the Access Control Policy. - this is already enable

 

Should I try to  change the settings with GuiDBEdit Tool?

  • DPD responder mode

  • Permanent tunnel mode based on DPD

___________________________________________________________________

I have no experience in working with DPD and I need someone who can help me with that.

Am I even looking in the right direction?

 

Many thanks!

 

 

 

 

0 Kudos
11 Replies
the_rock
MVP Diamond
MVP Diamond
‎2024-12-05 05:26 AM

Hey @SinisaZG 

What version is this? I ask, because I believe back in R80.40, when permanent tunnel option is enabled in vpn community, there is no need to change anything in guidbedit for dpd and Im referring to below.

Andy

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
SinisaZG
Contributor
Contributor
‎2024-12-05 05:36 AM
In response to the_rock

Sorry I I forgot to put the version. R81.20, Take 76.

The settings are the same as yours.

 

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-12-05 05:43 AM
In response to SinisaZG

On your CP object participating in the vpn tunnel, IF its set to permant tunnel as below, then guidbedit should say dpd, NOT tunnel test.

Andy

 

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
SinisaZG
Contributor
Contributor
‎2024-12-05 06:10 AM
In response to the_rock

I tried that already... same error.

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-12-05 06:12 AM
In response to SinisaZG

I would make sure both cp object AND interoperable are set to dpd and same in the community and then install policy and test. If same issue, then run basic vpn debug and see what shows up on the other end.

I would also confirm 100% phase 2 settings do indeed match on both sides.

vpn debug trunc

vpn debug ikeon

-replicate the issue

vpn debug ikeoff

disable debug -> fw ctl debug 0

get ike* and vpnd* files from $FWDIR/log dir

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
SinisaZG
Contributor
Contributor
‎2024-12-05 09:00 AM
In response to the_rock

100% phase 2 settings do indeed match on both sides - checked several times.

VPN: 'iked' is disabled. or vpn: Address 'X.X.X.X' is not handled by any IKED daemon

I will create a TAC case for this, thanks for help. 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2024-12-05 06:12 AM

Are you sure the Sophos is not set for AES-256-GCM in Phase 2?  Not the same as AES-256.  As a test try setting P2 to AES-128 and see what happens.

New Book: "Max Power 2026" Coming Soon
Check Point Firewall Performance Optimization
0 Kudos
SinisaZG
Contributor
Contributor
‎2024-12-05 06:14 AM
In response to Timothy_Hall

Yep, I am sure that settings are the same. Already tried with AES-128.

 

0 Kudos
SinisaZG
Contributor
Contributor
‎2024-12-05 09:03 AM
In response to the_rock

 

I will create a TAC case for this, thanks for help.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-12-05 09:39 AM
In response to SinisaZG

Happy to do remote if you are allowed to, let me know.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events