Nickel

VPN between Check Point and Palo Alto - Configure passive mode

Hi,

We have an issue with a VPN tunnel to a Palo Alto firewall. The IPSec renegotiation is sometimes initiated by both peers at the same time, causing the tunnel to be down for one hour until the next renegotiation.

In order to solve this we would like to set one peer in passive mode, so the other side always initiates the renegotiation. Is this possible to do on the Check Point VPN gateway?

We are running R77.30 on this gateway cluster.

Thanks for your help!

Harry

0 Kudos
7 Replies
Sapphire

Re: VPN between Check Point and Palo Alto - Configure passive mode

R77.30 is out of support since September...

0 Kudos
Nickel

Re: VPN between Check Point and Palo Alto - Configure passive mode

I am aware that it is out-of-support and we plan to upgrade the gateways to R80.20 soon. I would still like to know if it is possible to configure the security gateway as passive (either in R77.30 or R80.20).
Thanks for your help!
0 Kudos

Re: VPN between Check Point and Palo Alto - Configure passive mode

@net-harry Check Point VPN GW will try to open a tunnel whenever some traffic is being sent to the remote VPN domain.
Also, it is unclear to me why simultaneous negotiations should fail if both VPN peers are trying to do IKE. One of the IKE SAs should be complete and work anyway. I would recommend looking into some mis-config on the PAN side. There must be something wrong there; this is not normal IPsec behaviour.

0 Kudos
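To make the symptom described in this thread measurable rather than anecdotal, here is an added example (not code from the thread, Check Point or Palo Alto) that scans a constructed, simplified IKE event log for the two things worth checking before blaming either peer: initiations from both sides within a short window (a rekey collision) and the resulting gap between an SA failure and the next established SA. The log format, the `peer=` and `event=` field names, and the event names `ike_init`, `sa_established` and `sa_failed` are assumptions chosen for this example; real vendor logs would need their own parser.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log (not a real capture). It models the thread's
# symptom: both peers initiate at 09:00, the SA fails, and nothing
# recovers until the next scheduled rekey an hour later.
SAMPLE_LOG = """\
2019-10-01 08:00:00 peer=checkpoint event=ike_init
2019-10-01 08:00:01 peer=checkpoint event=sa_established
2019-10-01 09:00:01 peer=checkpoint event=ike_init
2019-10-01 09:00:02 peer=paloalto event=ike_init
2019-10-01 09:00:05 peer=paloalto event=sa_failed
2019-10-01 10:00:01 peer=checkpoint event=ike_init
2019-10-01 10:00:02 peer=checkpoint event=sa_established
"""


def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS key=value ...' lines into (ts, peer, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], FMT)
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((ts, fields["peer"], fields["event"]))
    return sorted(events, key=lambda e: e[0])


def find_collisions(events, window=timedelta(seconds=10)):
    """Return (ts_a, ts_b) pairs where two different peers sent ike_init within `window`."""
    inits = [(ts, peer) for ts, peer, ev in events if ev == "ike_init"]
    collisions = []
    for i, (ts_a, peer_a) in enumerate(inits):
        for ts_b, peer_b in inits[i + 1:]:
            if ts_b - ts_a > window:
                break  # list is time-ordered, so nothing later can be inside the window
            if peer_a != peer_b:
                collisions.append((ts_a, ts_b))
    return collisions


def find_outages(events):
    """Return the durations between each sa_failed and the next sa_established."""
    outages = []
    failed_at = None
    for ts, _, ev in events:
        if ev == "sa_failed" and failed_at is None:
            failed_at = ts
        elif ev == "sa_established" and failed_at is not None:
            outages.append(ts - failed_at)
            failed_at = None
    return outages


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a, b in find_collisions(evs):
        print(f"rekey collision: {a} and {b}")
    for gap in find_outages(evs):
        print(f"tunnel down for {gap}")
```

An outage that lines up exactly with a collision, and lasts until the next scheduled rekey, is the pattern to take to the vendor; a collision that recovers within seconds is the normal case the reply above describes, where one of the two IKE SAs simply wins.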
Nickel

Re: VPN between Check Point and Palo Alto - Configure passive mode

Thanks for the information! I agree that it looks like a bug on the Palo Alto side and their engineers are troubleshooting this. On Palo Alto they are able to configure passive, so I just wanted to check if this was possible on the Check Point side too. I noticed that a similar question was posted in the following thread:

https://community.checkpoint.com/t5/Access-Control-Products/Checkpoint-VPN-as-responder-only/m-p/643...

0 Kudos

Re: VPN between Check Point and Palo Alto - Configure passive mode

If you set PAN for passive, there is still a chance that traffic might be originated from the remote VPN site. To tackle this, set the Check Point VPN GW with a permanent tunnel. This way, it will keep the tunnel up, actively requesting IKE when there is no SA or the last one expired.

0 Kudos
Nickel

Re: VPN between Check Point and Palo Alto - Configure passive mode

Thanks for the suggestions!

0 Kudos

Re: VPN between Check Point and Palo Alto - Configure passive mode

@G_W_Albrecht, one can extend R77.30 support with an additional premium on top of the support contract, if required. Also, there are other special cases where R77.30 support might be prolonged.

0 Kudos