
Lan2Lan vpn Checkpoint R80.10 <-> Ingate FW

Hello

Does someone have experience with lan2lan vpn between checkpoint and ingate firewalls? We have a problem that every 1 hour the vpn tunnel goes down with the error in the checkpoint log like: Reject IKE failure no response from peer.

We have checked on both ends that the subnets we send through the tunnel are correct and that they match. The same goes for all the IKE and IPsec settings like SA lifetime; they also match on both ends, that is, SA in Phase 1 and 2 is 1 hour.

Permanent tunnel is also enabled on the checkpoint side with no improvement.

5 Replies

Re: Lan2Lan vpn Checkpoint R80.10 <-> Ingate FW

How do you authenticate? With Certificates or pre-shared secret? Regular Phase 1 failure usually means CLR is unreachable when VPN is up. Renegotiation fails, tunnel goes down, CLR is reachable again, tunnel goes back up for an hour. 

0 Kudos

Re: Lan2Lan vpn Checkpoint R80.10 <-> Ingate FW

We have a pre-shared secret and it also matches on both ends. The tunnel goes up and after 1 hour it goes down again with errors, then it goes up, and so forth.

0 Kudos

Re: Lan2Lan vpn Checkpoint R80.10 <-> Ingate FW

Now, that should not happen. If checkpoint says "no response from peer", you need to look on Ingate side. However, I still think it makes sense to run vpn debug on CP side to see which part of Phase 1 is failing. 

0 Kudos

Re: Lan2Lan vpn Checkpoint R80.10 <-> Ingate FW

Is it safe to turn on debug in a production env? Our customer says that the vpn dies once every hour; it sounds like IKE/IPsec key negotiation fails for some reason.

0 Kudos

Re: Lan2Lan vpn Checkpoint R80.10 <-> Ingate FW

vpn debug is safe. Essentially, vpnd (the process doing IPSec negotiations) is just printing out some additional details into two log files. Nothing in kernel, should not be a problem.

However, if you are not comfortable with it, open a support case so our TAC engineer could assist you.

0 Kudos
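
One way to check the hypothesis raised in the thread, that the outages coincide with SA renegotiation, before turning on debug. This is an added example, not part of any poster's message: it measures how long the tunnel stays up before each "no response from peer" failure and compares that with the 1 hour SA lifetime. The log layout, the "Main Mode completion" marker, the peer address and all function names are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample lines; the layout is an assumption, not real gateway output.
SAMPLE_LOG = """\
2018-03-05 08:00:12 accept IKE: Main Mode completion peer=198.51.100.7
2018-03-05 09:00:14 reject IKE failure: no response from peer peer=198.51.100.7
2018-03-05 09:01:40 accept IKE: Main Mode completion peer=198.51.100.7
2018-03-05 10:01:43 reject IKE failure: no response from peer peer=198.51.100.7
2018-03-05 10:03:02 accept IKE: Main Mode completion peer=198.51.100.7
2018-03-05 11:03:05 reject IKE failure: no response from peer peer=198.51.100.7
"""

FAILURE = "no response from peer"     # error text quoted in the thread
ESTABLISHED = "Main Mode completion"  # assumed marker for a completed Phase 1


def parse(log):
    """Yield (timestamp, kind) for tunnel-up and failure events; skip other lines."""
    for line in log.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        try:
            ts = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        if FAILURE in parts[2]:
            yield ts, "fail"
        elif ESTABLISHED in parts[2]:
            yield ts, "up"


def uptime_before_failures(log):
    """Seconds from each tunnel establishment to the failure that follows it."""
    uptimes, up_since = [], None
    for ts, kind in parse(log):
        if kind == "up":
            up_since = ts
        elif up_since is not None:
            uptimes.append((ts - up_since).total_seconds())
            up_since = None  # count only the first failure after each establishment
    return uptimes


def failures_track_lifetime(log, lifetime_s=3600, tolerance_s=120, min_events=3):
    """True when every measured uptime ends within tolerance of the SA lifetime."""
    uptimes = uptime_before_failures(log)
    if len(uptimes) < min_events:
        return False  # too few outages to call it a pattern
    return all(abs(u - lifetime_s) <= tolerance_s for u in uptimes)
```

If the uptimes track the configured lifetime, the failure is tied to rekeying rather than to random connectivity loss, which narrows what to look for in the debug output on either side.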