Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Ihenock1011
Advisor

Security Gateway IKEv2 issue

Hi All,

We have a Checkpoint R81.10 security gateway acting as a site-to-site VPN gateway. We are experiencing issues with IKEv2: although the tunnel is up, the encryption domains are unable to communicate. However, when we change the IKE version from IKEv2 to IKEv1 under the encryption parameters, the end hosts start to communicate via ping or telnet. What could be the issue?

Thanks

0 Kudos
7 Replies
Lesley
Leader Leader
Leader

In general IKEv2 is more ''strict'' , could be many reasons why it does not work.

First step would for be to check what the current jumbo take is of fw (cpinfo -y all)

If recent Jumbo is installed check firewall logs for errors related to this vpn.

Final step vpn debug

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Ihenock1011
Advisor

Dear @Lesley JHF 139, as I said no error the tunnel shows UP the problem is endpoints cannot able to communicate.

0 Kudos
Lesley
Leader Leader
Leader

Logs should give a tip, search for:

source: local ip, dst: remote IP (so from encryption domain IP to other side)

source: remote ip, dst: local IP (from local internal IP to remote encryption domain IP)

source: remote peer ip (of the other firewall)

destination: remote peer ip (of the other firewall)

Is there NAT or NAT-T in between? What vendor is on other side?

Give this one also a try:

https://support.checkpoint.com/results/sk/sk157473

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
JozkoMrkvicka
Authority
Authority

If you switch back to IKEv2, do you see "narrow" or "eclipsed" words in output from command "vpn tu tlist" for problematic VPN peer ?

If so, it might indicate that content of traffic selectors (encryption domains) is not 100% the same between CP and other VPN peer.

IKEv2 should better work if NAT-T is enabled.

It is also important to select correct setting on CP side related to "One VPN pair for gateway/subet/host"

Kind regards,
Jozko Mrkvicka
0 Kudos
Ihenock1011
Advisor

The issue happens not only with one tunnel; it happens all the time with different site to site tunnels. I prefer using CheckMates over creating a TAC case with Check Point. I haven't seen a vendor take three days to respond to a direct premium customer.

(1)
Lesley
Leader Leader
Leader

Sounds more like a you problem then a Check Point problem. You get many tips here and we get very limited reply back. If you behave the same way in TAC tickets then I understand why it takes long to reply. Maybe you should invest a bit more time to follow the feedback you get. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Ihenock1011
Advisor

I got a lot of tips here; that's why I prefer CheckMates over TAC support engineers. Since it is a production environment, I have to wait for the issue to happen again to check the commands. That is why I didn't reply to you earlier about the commands you sent. Thanks for your usual and unwavering support.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events