This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wyman
Contributor
‎2019-08-07 09:03 AM

Setting Up Site-to-Site VPN to 3rd Party Gateway

Hi all.

I'm trying to setup a VPN tunnel to a 3rd party and am running into some issues. These are the instructions I have received from the third party regarding the setup:

Encrypt Mode:

IKEv2 only

IKE (Phase 1) Proposal

  • Main Mode
  • Encryption Type/Algorithm: AES-256
  • Data Integrity: SHA256
  • Key
  • DH-Group: 2
  • Lifetime: 3600 seconds

IKE (Phase 2) Proposal

  • Protocol: ESP
  • Encryption Type: AES-256
  • Data Integrity: SHA256
  • Lifetime: 3600 seconds
  • Disabled PerfectForward Secrecy (PFS)

With the exception of setting the protocol to ESP (not been able to find how to do this) I have done everything else according to these instructions:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

When looking in SmartView Tracker I see an 'traffic selectors unacceptable' log entry. Not quite sure how to proceed with this.

We're running R77.30 take 204

Thanks in advance for any assistance.

0 Kudos
7 Replies
Wolfgang
MVP Gold
MVP Gold
‎2019-08-07 12:56 PM

Tbgaz,

As far as I can remember there are some known problems with IKEv2 and third party gateways. I think there was a problem with SecureXL. Did you tried to disable the acceleration ?

Please have a look at the IKEv2 VPN limitations in VPN limitations in R77.30 

Espacially sk102437, sk114834 and sk112139.

Wolfgang

0 Kudos
Wyman
Contributor
‎2019-08-08 07:06 AM
In response to Wolfgang

Hi Wolfgang,

Thanks for the reply. I've made some progress, the tunnel is now showing as up. I checked SecureXL but it isn't configured on the gateway. From the 3rd party endpoint to our gateway a 'child SA is successfully created' log entry is created, but going in the opposite direction I see a log message 'Child SA exchange: Peer's message is unacceptable'.

Is it a case that we have to use IKEv1 or is that less than ideal?

 

0 Kudos
(1)
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-08-08 07:12 AM
In response to Wyman

Did  you consult sk108600: VPN Site-to-Site with 3rd party already ? This is a valuable document for that kind of issues...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
(1)
Wyman
Contributor
‎2019-08-13 04:07 AM
In response to G_W_Albrecht

Hi. The issue has been resolved. The 3rd party gateway needed to be tweaked to allow connectivity.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-08-13 05:03 AM
In response to Wyman

Best is pinching with a sharp needle from behind 😁

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
An_Nguyen
Participant
‎2020-02-11 11:09 AM
In response to Wyman

Is it possible that you share what was being "tweaked"?

Thanks

0 Kudos
cdooer
Contributor
‎2021-10-08 10:41 AM
In response to Wyman

Would it be possible to share what the tweak was?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events