Re: Site-to-site vpn Tunnel to a non Checkpoint Ga...

Uwe_Konrad · ‎2018-12-20

We have a site-to-site VPN tunnel between our Checkpoint R80.1 Cluster Gateway and an external Site with a Cisco gateway. Since a few hours the tunnel is still there but seems to run in one direction only or somehow not healthy. I see the packes leaving but no real communications is done.

We also have other pure Checkpoint site-to-site tunnels and I can control those using the "user and tunnel management" oder the "vpn tu" util. But those options are not there for a tunnel to a non-checkpoint gateway. How can I reset the tunnel without doing a cpstop of the cluster?

Any advice?

Thanks. Uwe

Jenni_Guerrica · ‎2018-12-20

vpn tu from expert and select your option:

[Expert@FW02:0]# vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

(Q) Quit

*******************************************

Uwe_Konrad · ‎2018-12-20

Thanks, the syntax with those 3 characters had to be considered, that was my fault!

Kim_Moberg · ‎2018-12-20

Hi Uwe

I have in my settings to multiple site2site tunnels put ike rekey to 3600 sec (60 minuts) and ipsec rekey to 3600 sec.

I would check ike Phase 1 and ipsec phase 2 are the same.

Also found out to disable dead peer detection (dpd) keepalive on Cisco router/firewall

I often use from expert mode ssh to gwcluster active node or cluster ip addr

vpn tu

To reset vpn tunnel I use option 7

Check if IKE phase 1 have been establish option 3

Check if Ipsec phase 2 have been establish option 4

To check tunnel list

vpn tu tlist -p <remote peer address>

I hope that could help your search for help

Best regards

Kim

Best Regards
Kim

Uwe_Konrad · ‎2018-12-20

Thanks, great help! There are different tunnels for the different subnetwork pairs shown. Some show i1 .. i5 and other only i1 .. i2? But this changes frequently. Tunnels seem to be OK now. Merry Xmas.

Kim_Moberg · ‎2018-12-20

Heiko Ankenbrand did provide a great hint to to use vpn tu via commandline.

https://community.checkpoint.com/docs/DOC-3021-show-vpn-routing-on-cli

Commands are:

vpn tu del ipsec all

vpn tu del ipsec ip-addr

vpn tu del ipsec ip-addr username

vpn tu del all

vpn tu del ip-addr

vpn tu del ip-addr username

I use this Command quite often on daily basis

vpn shell show tunnels ipsec all | grep “<ip address or any info I would like to search for >”

Best Regards
Kim

Uwe_Konrad · ‎2018-12-20

I checked the settings: IKE Phase 1 is set to 1.440 min and IPsec to 28.800 seconds, so are not equal and quite large. Could that cause problems?

Kim_Moberg · ‎2018-12-21

Remember timing is your friend.

Make you date and time is correct in both ends.

Secondly check ike rekey is the same as remote peer

Third check ipsec rekey also is the same as remote peer

If for example the check point firewall rekey is every 86400 sec and remote wants to rekey every 28800 the rekey is not in time and sync. Yes I belive this is the reason why it might stop working and you need to reset vpn tunnel.

Merry Christmas

Kim

Best Regards
Kim

Uwe_Konrad · ‎2018-12-21

Thanks a lot, what a great help!

I will change this to have it in sync! But do I have to change those settings at both sites? The remote (Cisco) device is operated by a partner institution and I personally have no access to it at the moment.

Timothy_Hall · ‎2018-12-21

The SA lifetimes (timers) are required on both sides and must be set. Data Lifesizes are off by default on Check Point (but can be enabled via file editing) so it is generally easier to turn them off on the Cisco. Check Point does not support a VPN idle timer for site-to-site VPNs.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Timothy_Hall · ‎2018-12-21

How large they are does not matter, what does matter is that they match between the Check Point settings and the Cisco settings or you will get intermittent tunnel failures. Note that the Phase 1 timer is expressed by Check Point in minutes, while the Phase 2 timer is expressed in seconds. Most other vendors express both values in seconds so watch out for that.

Other things that can cause intermittent interoperable tunnel failures are data lifesizes and VPN idle timers, make sure these are disabled or set to unreachably high values on the Cisco. Basically anything that causes the tunnel to be brought down early prior to expiration of the SA lifetimes will cause a tunnel hang because the "Delete SA" mechanism does not work reliably in an interoperable VPN scenario.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com

Uwe_Konrad · ‎2018-12-23

Yes, I have put the settings of both sides to equal values. Eveything runs smooth and fine now. Thanks to all of you , I will come back for help if needed! Merry Christmas.May be some tome I will have hints for other newbees... Uwe

Are you a member of CheckMates?

Site-to-site vpn Tunnel to a non Checkpoint Gateway