This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ihenock1011
Advisor
‎2024-08-07 07:18 AM

Security Gateway IKEv2 issue

Hi All,

We have a Checkpoint R81.10 security gateway acting as a site-to-site VPN gateway. We are experiencing issues with IKEv2: although the tunnel is up, the encryption domains are unable to communicate. However, when we change the IKE version from IKEv2 to IKEv1 under the encryption parameters, the end hosts start to communicate via ping or telnet. What could be the issue?

Thanks

0 Kudos
7 Replies
Lesley
Leader Leader
Leader
‎2024-08-07 07:37 AM

In general IKEv2 is more ''strict'' , could be many reasons why it does not work.

First step would for be to check what the current jumbo take is of fw (cpinfo -y all)

If recent Jumbo is installed check firewall logs for errors related to this vpn.

Final step vpn debug

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Ihenock1011
Advisor
‎2024-08-07 11:19 AM
In response to Lesley

Dear @Lesley JHF 139, as I said no error the tunnel shows UP the problem is endpoints cannot able to communicate.

0 Kudos
Lesley
Leader Leader
Leader
‎2024-08-07 11:59 AM
In response to Ihenock1011

Logs should give a tip, search for:

source: local ip, dst: remote IP (so from encryption domain IP to other side)

source: remote ip, dst: local IP (from local internal IP to remote encryption domain IP)

source: remote peer ip (of the other firewall)

destination: remote peer ip (of the other firewall)

Is there NAT or NAT-T in between? What vendor is on other side?

Give this one also a try:

https://support.checkpoint.com/results/sk/sk157473

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2024-08-07 02:04 PM

If you switch back to IKEv2, do you see "narrow" or "eclipsed" words in output from command "vpn tu tlist" for problematic VPN peer ?

If so, it might indicate that content of traffic selectors (encryption domains) is not 100% the same between CP and other VPN peer.

IKEv2 should better work if NAT-T is enabled.

It is also important to select correct setting on CP side related to "One VPN pair for gateway/subet/host"

Kind regards,
Jozko Mrkvicka
0 Kudos
Ihenock1011
Advisor
‎2024-08-07 11:56 PM
In response to JozkoMrkvicka

The issue happens not only with one tunnel; it happens all the time with different site to site tunnels. I prefer using CheckMates over creating a TAC case with Check Point. I haven't seen a vendor take three days to respond to a direct premium customer.

(1)
Lesley
Leader Leader
Leader
‎2024-08-08 12:01 AM
In response to Ihenock1011

Sounds more like a you problem then a Check Point problem. You get many tips here and we get very limited reply back. If you behave the same way in TAC tickets then I understand why it takes long to reply. Maybe you should invest a bit more time to follow the feedback you get. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Ihenock1011
Advisor
‎2024-08-08 12:10 AM
In response to Lesley

I got a lot of tips here; that's why I prefer CheckMates over TAC support engineers. Since it is a production environment, I have to wait for the issue to happen again to check the commands. That is why I didn't reply to you earlier about the commands you sent. Thanks for your usual and unwavering support.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events