Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ake_Veeraolansi
Explorer

Problem IP Sec VPN Checkpoint > Juniper no response from peer. IKE failuret

Hi ,

   I have a question about IP Sec VPN Connection  Checkpoint > Juniper

Some times I found error message from checkpoint "no response from peer. IKE failure "

As i check on juniper srx did't set Proxy ID configuration So , If Someone here have  experience with

IP Sec VPN checkpoint and Juniper srx  please suggest solution or basic investigate problem

Thanks you

BR,

Ake V

0 Kudos
3 Replies
Timothy_Hall
Champion
Champion

If the subnets/Proxy-IDs proposal made by the Check Point in IKE Phase 2 does not match the Juniper subnet definitions EXACTLY (matching subsets are not allowed on Juniper/Fortinet/Sonicwall whereas they are allowed on Cisco/Check Point), the Juniper will discard the request and not answer.  Either the Juniper administrator needs to modify their policy to match the subnets/masks your Check Point is proposing, or you need to explicitly define the subnets you want to propose to the Juniper in a user.def file on the Security Management Server.  See sk62590 for the proper user.def.* file to edit as there are numerous variants depending on the version of the security gateway, and see sk108600 for the proper syntax definition of the Proxy-IDs in the user.def.* file.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Ake_Veeraolansi
Explorer

Hi Tim Hall

Thanks for your answer , from juniper side he have a question about why he need to configuration Proxy IDs

Because Connection can operation normally (Problem  "no response from peer. IKE failure happen some time ")


I mean if not configuration proxy ID tunnel can operation but problem found randomly time.

BR,

Ake V

0 Kudos
L_Rossi_89
Contributor

To have a basic information to start to investigate , you could do :

  • ike debug on check point firewall

vpn debug ikeon

vpn debug ikeoff

    $FWDIR/log/ike.elg

    $FWDIR/log/ikev2.xmll

Tool -> IKEview

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events