jfabian

Problem with VPN AMAZON (AWS) CHECK POINT

I have several VPNs to AWS; at random, traffic stops flowing through them.

When the fault occurs, the symptoms are the following:

- Tunnel up
- Phase 1 and Phase 2 established

The problem is resolved when we restart IKE on the Check Point (vpn tu, option 7), but after a while it happens again. The configuration of my tunnel is as follows:

IKEv1 Phase I:

- Encryption Algorithm: AES-128
- Data Integrity: SHA1
- Diffie-Hellman group: Group 2 (1024 bit)

Phase II:

- Encryption Algorithm: AES-128
- Data Integrity: SHA1
- IKE Security Association (Phase 2): Use Perfect Forward Secrecy (Group 2)

IKE Phase I:

- Renegotiate IKE security associations every (minutes): 480

IPsec (Phase 2):

- Renegotiate IPsec security associations every (seconds): 3600
- NAT: Disable NAT inside the VPN community

DPD configured in the cluster and AWS community, VPI and ping interfaces on static routes.

Tunnel Management:

- Permanent tunnels: Establish permanent tunnels on all tunnels of the community.
- VPN Tunnel Sharing: One VPN tunnel per Gateway pair.
- VPN Routing: To center or through the center to other satellites, to the Internet and other VPN targets.

When I look at the logs, the traffic is being dropped by the Clean up rule.

I would appreciate your support; TAC still has not found the cause.

Admin

Re: Problem with VPN AMAZON (AWS) CHECK POINT

What version of gateway are we talking about here?
Have you forced DPD on the gateway via the registry in addition to making the necessary change in the gateway object with GUIdbedit?
When it works, what do you see in the logs?

Re: Problem with VPN AMAZON (AWS) CHECK POINT

Hello,

The problem occurs on several clusters, on version R80.10.

I have enabled DPD in response mode and monitoring mode:

 

To enable DPD Responder Mode:

Run on each gateway:
ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1

Enable the keep_IKE_SAs property in SmartDashboard to prevent a problem where the Check Point gateway deletes IKE SAs:
In SmartDashboard, go to Global Properties > SmartDashboard Customization > Advanced Configuration > VPN advanced properties > VPN IKE properties.
Change keep_IKE_SAs to true.

To enable DPD monitoring:

On each VPN gateway in the VPN community, configure the tunnel_keepalive_method property in GuiDBedit Tool (see sk13009) or dbedit (see sk13301). This includes 3rd party gateways. (You cannot configure different monitor mechanisms for the same gateway.)

In GuiDBedit Tool, go to Network Objects > network_objects > <gateway> > VPN.
For the Value, select a permanent tunnel mode.
Save all the changes.
Install policy on the gateways.


Re: Problem with VPN AMAZON (AWS) CHECK POINT

Hello!

Yes, DPD is enabled via GuiDBedit and on the gateways.

Both modes are active:

- DPD response mode
- DPD monitoring mode