This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
--JayJay--
Participant
‎2018-09-16 01:51 AM

IPsec VPN - Gateway not responding

Created a site to site VPN between CP 3200 appliance and a CP 4800 cluster, according to this guide:

site to site VPN guide R80.10

Gateways on both ends of the VPN tunnel are separately managed.

CP 3200 is running Gaia R80.10.

On the 3200, the IPsec VPN status for the tunnel is green / Okay, but the tunnel establishment negotiation only shows failures.

The smart monitor shows similar results, VPN OK, Tunnel Active but no encrypted nor decrypted traffic on it.

And "gateway not responding" message in the community view.

What can be the issue here ?

[Expert@xxxxxxxxx:0]# tcpdump -i eth1 -n host GatewayB
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:26:16.178879 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 ? ident[E]
11:27:04.084385 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident
11:27:04.120881 IP GatewayB.isakmp > GatewayA.isakmp: isakmp: phase 1 R ident
11:27:04.124996 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident
11:27:04.159882 IP GatewayB.isakmp > GatewayA.isakmp: isakmp: phase 1 R ident
11:27:04.166849 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:04.205134 IP GatewayB.isakmp > GatewayA.isakmp: isakmp: phase 2/others R inf
11:27:06.167621 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:08.168573 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:10.169526 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:12.170603 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:14.171568 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:16.172649 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]

0 Kudos
2 Replies
Vladimir
Champion
Champion
‎2018-09-16 04:48 AM

Delete all IPsec and IKE SAs using "vpn tu" option "0" on both gateways and generate some traffic.

Check the logs to see how the tunnel being established on both sides and see if you can spot the discrepancies.

If the tunnel comes up clean, but there are no encrypted packets from one or both sides, check the topology settings on the gateways to see if the remote networks got defined behind their local interfaces.

I think that if you are using certificates for the vpn, both gateways should reach CAs on the other side. 

0 Kudos
Danny
Champion
Champion
‎2018-09-16 05:47 PM

Set up the tunnel as described in my guide, that should work:

0 Kudos