Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Wyman
Contributor

Setting Up Site-to-Site VPN to 3rd Party Gateway

Hi all.

I'm trying to setup a VPN tunnel to a 3rd party and am running into some issues. These are the instructions I have received from the third party regarding the setup:

Encrypt Mode:

IKEv2 only

IKE (Phase 1) Proposal

  • Main Mode
  • Encryption Type/Algorithm: AES-256
  • Data Integrity: SHA256
  • Key
  • DH-Group: 2
  • Lifetime: 3600 seconds

IKE (Phase 2) Proposal

  • Protocol: ESP
  • Encryption Type: AES-256
  • Data Integrity: SHA256
  • Lifetime: 3600 seconds
  • Disabled PerfectForward Secrecy (PFS)

With the exception of setting the protocol to ESP (not been able to find how to do this) I have done everything else according to these instructions:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

When looking in SmartView Tracker I see an 'traffic selectors unacceptable' log entry. Not quite sure how to proceed with this.

We're running R77.30 take 204

Thanks in advance for any assistance.

0 Kudos
7 Replies
Wolfgang
Authority
Authority

Tbgaz,

As far as I can remember there are some known problems with IKEv2 and third party gateways. I think there was a problem with SecureXL. Did you tried to disable the acceleration ?

Please have a look at the IKEv2 VPN limitations in VPN limitations in R77.30 

Espacially sk102437, sk114834 and sk112139.

Wolfgang

0 Kudos
Wyman
Contributor

Hi Wolfgang,

Thanks for the reply. I've made some progress, the tunnel is now showing as up. I checked SecureXL but it isn't configured on the gateway. From the 3rd party endpoint to our gateway a 'child SA is successfully created' log entry is created, but going in the opposite direction I see a log message 'Child SA exchange: Peer's message is unacceptable'.

Is it a case that we have to use IKEv1 or is that less than ideal?

 

0 Kudos
(1)
G_W_Albrecht
Legend Legend
Legend

Did  you consult sk108600: VPN Site-to-Site with 3rd party already ? This is a valuable document for that kind of issues...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
(1)
Wyman
Contributor

Hi. The issue has been resolved. The 3rd party gateway needed to be tweaked to allow connectivity.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Best is pinching with a sharp needle from behind 😁

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
An_Nguyen
Participant

Is it possible that you share what was being "tweaked"?

Thanks

0 Kudos
cdooer
Participant

Would it be possible to share what the tweak was?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events