Does anyone have experience with a LAN-to-LAN VPN between Check Point and Ingate firewalls? We have a problem where every hour the VPN tunnel goes down, with an error in the Check Point log like: Reject IKE failure no response from peer.
We have checked on both ends that the subnets we send through the tunnel are correct and match, and all the IKE and IPsec settings, such as SA lifetime, also match on both ends: the SA lifetime in Phase 1 and Phase 2 is 1 hour.
Permanent tunnel is also enabled on the Check Point side, with no improvement.
How do you authenticate? With certificates or a pre-shared secret? A regular Phase 1 failure usually means the CRL is unreachable while the VPN is up. Renegotiation fails, the tunnel goes down, the CRL is reachable again, and the tunnel goes back up for an hour.
We have a pre-shared secret, and it also matches on both ends. The tunnel goes up, and after 1 hour it goes down again with errors, then it goes up, and so forth.
Now, that should not happen. If Check Point says "no response from peer", you need to look on the Ingate side. However, I still think it makes sense to run vpn debug on the CP side to see which part of Phase 1 is failing.
Is it safe to turn on debug in a production environment? Our customer says that the VPN dies once every hour; it sounds like the IKE/IPsec key negotiation fails for some reason.
vpn debug is safe. Essentially, vpnd (the process doing IPsec negotiations) is just printing some additional details into two log files. Nothing in the kernel, so it should not be a problem.
However, if you are not comfortable with it, open a support case so our TAC engineer can assist you.
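The thread's key observation is that the failures recur at exactly the configured SA lifetime (1 hour), which points at rekeying rather than at a random connectivity problem. The following script, added here as an illustration and not part of the original thread or of any Check Point tooling, shows how to confirm that correlation from a log export: it measures the spacing between consecutive "no response from peer" events for a peer and checks whether that spacing matches the SA lifetime within a tolerance. The log lines and their timestamp/peer format are constructed for the example and do not reproduce the real vpnd or SmartLog output format; adjust the regular expression to whatever your export looks like.

```python
import re
from datetime import datetime

# Constructed sample lines (not real Check Point output). Peer address is an
# RFC 5737 documentation address. The format "<timestamp> <message> peer=<ip>"
# is an assumption made for this example only.
SAMPLE_LOG = """\
2024-03-01 08:00:02 IKE Main Mode completed peer=203.0.113.10
2024-03-01 09:00:05 Reject IKE failure no response from peer peer=203.0.113.10
2024-03-01 09:00:41 IKE Main Mode completed peer=203.0.113.10
2024-03-01 10:00:04 Reject IKE failure no response from peer peer=203.0.113.10
2024-03-01 10:00:39 IKE Main Mode completed peer=203.0.113.10
2024-03-01 11:00:06 Reject IKE failure no response from peer peer=203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*?) peer=(?P<peer>\S+)$"
)


def parse_events(text):
    """Return a list of (timestamp, kind, peer) tuples.

    kind is 'failure' for "no response from peer" lines, 'up' for completed
    negotiations, and 'other' for anything else that matches the line format.
    Unparseable lines are skipped rather than raising, since a real export
    will contain plenty of unrelated entries.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        msg = m.group("msg")
        if "no response from peer" in msg:
            kind = "failure"
        elif "completed" in msg:
            kind = "up"
        else:
            kind = "other"
        events.append((ts, kind, m.group("peer")))
    return events


def failure_intervals(events, peer):
    """Seconds between consecutive failures for one peer, in log order."""
    stamps = [ts for ts, kind, p in events if kind == "failure" and p == peer]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def downtime_per_failure(events, peer):
    """Seconds from each failure until the next successful negotiation.

    A failure with no later 'up' event yields None (tunnel still down at the
    end of the export).
    """
    result = []
    pending = None
    for ts, kind, p in events:
        if p != peer:
            continue
        if kind == "failure":
            if pending is not None:
                result.append(None)
            pending = ts
        elif kind == "up" and pending is not None:
            result.append(int((ts - pending).total_seconds()))
            pending = None
    if pending is not None:
        result.append(None)
    return result


def rekey_aligned(intervals, sa_lifetime_s, tolerance_s=60):
    """True if every failure-to-failure gap is within tolerance of the SA lifetime.

    If this holds, the drops coincide with rekeying and the next step is a
    vpn debug capture of the failing Phase 1 exchange; if the gaps are
    irregular, look for an unrelated cause (link flaps, DPD, NAT timeouts).
    """
    if not intervals:
        return False
    return all(abs(gap - sa_lifetime_s) <= tolerance_s for gap in intervals)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    gaps = failure_intervals(evts, "203.0.113.10")
    print("failure intervals (s):", gaps)
    print("downtime per failure (s):", downtime_per_failure(evts, "203.0.113.10"))
    print("aligned with 3600 s SA lifetime:", rekey_aligned(gaps, 3600))
```

Run it against a real export by replacing SAMPLE_LOG with the file contents and the peer argument with the Ingate gateway's address; if the intervals line up with the lifetime, compare the Phase 1 lifetime and any rekey margin on the Ingate side before changing anything on the Check Point side.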