This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ake_Veeraolansi
Explorer
‎2016-10-03 05:42 AM

Problem IP Sec VPN Checkpoint > Juniper no response from peer. IKE failuret

Hi ,

   I have a question about IP Sec VPN Connection  Checkpoint > Juniper

Some times I found error message from checkpoint "no response from peer. IKE failure "

As i check on juniper srx did't set Proxy ID configuration So , If Someone here have  experience with

IP Sec VPN checkpoint and Juniper srx  please suggest solution or basic investigate problem

Thanks you

BR,

Ake V

0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2016-10-05 08:47 AM

If the subnets/Proxy-IDs proposal made by the Check Point in IKE Phase 2 does not match the Juniper subnet definitions EXACTLY (matching subsets are not allowed on Juniper/Fortinet/Sonicwall whereas they are allowed on Cisco/Check Point), the Juniper will discard the request and not answer.  Either the Juniper administrator needs to modify their policy to match the subnets/masks your Check Point is proposing, or you need to explicitly define the subnets you want to propose to the Juniper in a user.def file on the Security Management Server.  See sk62590 for the proper user.def.* file to edit as there are numerous variants depending on the version of the security gateway, and see sk108600 for the proper syntax definition of the Proxy-IDs in the user.def.* file.

--

My book "Max Power: Check Point Firewall Performance Optimization"

now available via http://maxpowerfirewalls.com.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
Ake_Veeraolansi
Explorer
‎2016-10-06 01:42 AM
In response to Timothy_Hall

Hi Tim Hall

Thanks for your answer , from juniper side he have a question about why he need to configuration Proxy IDs

Because Connection can operation normally (Problem  "no response from peer. IKE failure happen some time ")


 I mean if not configuration proxy ID tunnel can operation but problem found randomly time.

BR,

Ake V

0 Kudos
L_Rossi_89
Contributor
‎2016-10-06 08:34 AM
In response to Timothy_Hall

To have a basic information to start to investigate , you could do :

  • ike debug on check point firewall

vpn debug ikeon

vpn debug ikeoff

    $FWDIR/log/ike.elg

    $FWDIR/log/ikev2.xmll

Tool -> IKEview

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top