Hello,
A query,
I am aware that, in a Check Point S2S VPN against third parties, when there is no interesting traffic "crossing" the VPN for a certain period of time, these VPNs "go down".
My question is, how long does Check Point "count" before it "downs the VPN"?
I assume that the VPN will be up again when interesting traffic is generated again.
Hopefully someone can clarify this doubt for me, please.
Thanks
I would think the VPN would go down once the IPSec SA expires.
From the CLI you can type "vpn tu tlist -p x.x.x.x" and see a tunnel expiration time.
Hello,
Thank you for your comment.
The output of the command shows me the following.
Trying to interpret the information correctly, I can assume that if there is no more interesting traffic through the tunnel, the VPN will be down today?
In other words, the tunnel will only "hold" for 1 hour if it does not see any traffic passing through it?
Is there any way to "extend" this time?
Looking at this closer with some of my VPNs, the tunnel status is based on two items:
The CLI I provided only gives insight into Phase 2, so once that tunnel has "expired" the tunnel will show "UP - Phase1" until that ages out. I cannot find how to view the expiration for Phase 1 (by default Phase 1 is 24 hours).
How to extend the time: if you want to keep the tunnel online, you can configure permanent tunnels between two Check Point firewalls, or with a third party you can use DPD. You can always add a monitoring system to the VPN and just send constant pings across too.
If you mean how to adjust the hour window, you can change those settings within the advanced options of the VPN community you are working with. By default Phase 1 is set up for 1440 minutes (24 hours) and Phase 2 is set up for 3600 seconds (1 hour). If you change these timers, they need to match on both sides of the VPN tunnel.
Thank you for your response.
So, to keep the VPN "up" (my environment is a VPN against a third party, not Check Point), it is advisable for us to enable DPD (as I remember, DPD is disabled by default, right?).
Does DPD affect a particular community, or is it something that affects all the VPNs I have on my GW?
Bro, there is an old-school way to keep any VPN tunnel up. Just keep a constant ping going to something on the other end and that will keep the tunnel UP all the time... the same goes for, say, the VPN client inactivity setting. I know it's not the best way, but it works. Otherwise, just set the DPD method, or a permanent tunnel.
Andy
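A minimal keepalive/monitor of the kind the two replies above describe (constant pings across the tunnel), written here as an added example that is not from the thread or from Check Point; the peer address, probe interval and log path are assumptions. Besides generating the "interesting traffic" that keeps the tunnel from idling out, it logs only reachability changes, so the log shows when the tunnel actually dropped:

```shell
#!/bin/sh
# tunnel_keepalive.sh - constructed example, not from the thread or from Check Point.
# Sends a probe across the tunnel every INTERVAL seconds so the peer keeps seeing
# interesting traffic, and writes a log line only when reachability changes, so the
# log doubles as a record of when the tunnel actually dropped.
# Assumed values: PEER_HOST is a host behind the remote gateway; LOG is writable.
PEER_HOST="${PEER_HOST:-192.0.2.10}"          # placeholder address behind the far gateway
INTERVAL="${INTERVAL:-60}"                    # seconds between probes (well under the 3600 s Phase 2 lifetime)
LOG="${LOG:-/var/log/tunnel_keepalive.log}"

# probe_host HOST -> prints "up" if one ICMP echo is answered within 2 s, else "down".
# Uses GNU/Linux ping options (-c count, -W timeout in seconds).
probe_host() {
    if ping -c 1 -W 2 "$1" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# transition PREV CUR -> prints a message only when the state changes; empty otherwise.
transition() {
    prev="$1"
    cur="$2"
    [ "$prev" = "$cur" ] && return 0
    case "$cur" in
        up)   echo "peer answering; tunnel is passing traffic" ;;
        down) echo "peer not answering; tunnel may be down" ;;
    esac
}

# main_loop: probe forever, logging state changes with a UTC timestamp.
main_loop() {
    state="unknown"
    while :; do
        cur=$(probe_host "$PEER_HOST")
        msg=$(transition "$state" "$cur")
        if [ -n "$msg" ]; then
            printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$PEER_HOST" "$msg" >>"$LOG"
        fi
        state="$cur"
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked with "run", so the functions can be sourced elsewhere.
if [ "${1:-}" = "run" ]; then
    main_loop
fi
```

Run it from a host on one side of the tunnel as `PEER_HOST=<far-side host> sh tunnel_keepalive.sh run`; a probe interval shorter than the shortest SA lifetime on either side is what keeps the tunnel from going idle.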
Hello, my friend.
Just so that the concept is clear to me: it is clear that Phase 2 of the default VPNs comes set to 3600 seconds.
This means that if in 1 hour there is no traffic between a Site1 HOST and a Site2 HOST, "visually" the VPN in Phase 2 will appear as "down", right?
And I would understand that the VPN in general, if in 1 day there is no traffic at all, will visually also be "down" until traffic is generated again. Is my interpretation correct?
Greetings.
In short, no. The Phase 2 timer only defines how long the symmetric key is valid. Once it has timed out, it will be renegotiated.
I understand.
What we are looking for is to have an "idea" of the maximum time the tunnel can go without traffic crossing it before the VPN visually looks "down".
Is this something that is defined in the configuration of a VPN community?
One of our customers had the same question a few years back and we thought it was possible to define it in GuiDBedit, but TAC was not successful either, so we never really got an official answer on whether there is any sort of time that needs to pass before a tunnel is officially considered down.
You can open a case and ask about it, I guess, but I hardly doubt it's different.
Andy
You can also use this script as per below link.
Andy
Bro,
So, activating DPD for a single community will guarantee me that the tunnel will stay up all the time?
Cheers 🙂
Bro, no offense, I don't even guarantee I will be alive tomorrow LOL
Anyway, yes, DPD means the peer is configured for a permanent tunnel. Make sure the community is set that way too and the config is indeed set for such a tunnel.
Andy
Does activating DPD "alter" all the VPNs I have on my GW?
Or can DPD be activated for each community independently?
It can be done independently, but it goes by the interoperable object. In R81+, if you set the community as the permanent tunnel type, it sets the object to DPD automatically.