Created a site-to-site VPN between a CP 3200 appliance and a CP 4800 cluster, according to this guide:
Gateways on both ends of the VPN tunnel are separately managed.
CP 3200 is running Gaia R80.10.
On the 3200, the IPsec VPN status for the tunnel is green / Okay, but the tunnel establishment negotiation only shows failures.
The smart monitor shows similar results, VPN OK, Tunnel Active but no encrypted nor decrypted traffic on it.
And "gateway not responding" message in the community view.
What can be the issue here?
[Expert@xxxxxxxxx:0]# tcpdump -i eth1 -n host GatewayB
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
11:26:16.178879 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 ? ident[E]
11:27:04.084385 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident
11:27:04.120881 IP GatewayB.isakmp > GatewayA.isakmp: isakmp: phase 1 R ident
11:27:04.124996 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident
11:27:04.159882 IP GatewayB.isakmp > GatewayA.isakmp: isakmp: phase 1 R ident
11:27:04.166849 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:04.205134 IP GatewayB.isakmp > GatewayA.isakmp: isakmp: phase 2/others R inf
11:27:06.167621 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:08.168573 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:10.169526 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:12.170603 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:14.171568 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:16.172649 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
Delete all IPsec and IKE SAs using "vpn tu" option "0" on both gateways and generate some traffic.
Check the logs to see how the tunnel is being established on both sides and see if you can spot the discrepancies.
If the tunnel comes up clean, but there are no encrypted packets from one or both sides, check the topology settings on the gateways to see if the remote networks got defined behind their local interfaces.
I think that if you are using certificates for the VPN, both gateways should reach CAs on the other side.
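The capture in the question can be read against the IKEv1 main-mode sequence of six messages (1-2 SA proposal, 3-4 key exchange, 5-6 encrypted identity and authentication). The following is an added example, not part of the thread or of any Check Point tool: a small Python parser for non-verbose tcpdump isakmp lines that reports the last main-mode message seen, how often it was retransmitted, and whether the peer answered with an informational exchange. It assumes ports are printed as `.isakmp` or `.500`; the function and variable names are illustrative.

```python
import re

# IKEv1 main mode (RFC 2409): what each of the six messages carries.
STAGES = {1: "SA proposal", 2: "SA proposal", 3: "key exchange", 4: "key exchange",
          5: "identity/authentication", 6: "identity/authentication"}

# Non-verbose tcpdump line; ports shown as .isakmp or .500 (assumption).
LINE = re.compile(r"^\S+ IP \S+\.(?:isakmp|500) > \S+\.(?:isakmp|500): "
                  r"isakmp: phase \S+ (\S) (\w+)(\[E\])?")

def analyze(capture):
    """Report how far the last main-mode attempt in the capture got."""
    steps, retransmits, informational = [], 0, False
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        role, exchange, encrypted = m.groups()
        if exchange == "inf":
            informational = True   # peer sent an informational exchange
            continue
        if exchange != "ident" or role not in ("I", "R"):
            continue               # other exchange types, '?' leftovers
        step = (role, bool(encrypted))
        if step == ("I", False) and steps and steps[-1][1]:
            steps, retransmits, informational = [], 0, False  # new attempt
        if steps and steps[-1] == step:
            retransmits += 1       # same message again: no usable reply
        else:
            steps.append(step)
    last = len(steps)
    return {"last_message": last, "stage": STAGES.get(last, "none"),
            "retransmits": retransmits, "peer_informational": informational,
            "completed": steps[-1:] == [("R", True)]}

# First nine lines of the capture posted in the thread above.
SAMPLE = """\
11:26:16.178879 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 ? ident[E]
11:27:04.084385 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident
11:27:04.120881 IP GatewayB.isakmp > GatewayA.isakmp: isakmp: phase 1 R ident
11:27:04.124996 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident
11:27:04.159882 IP GatewayB.isakmp > GatewayA.isakmp: isakmp: phase 1 R ident
11:27:04.166849 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:04.205134 IP GatewayB.isakmp > GatewayA.isakmp: isakmp: phase 2/others R inf
11:27:06.167621 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
11:27:08.168573 IP GatewayA.isakmp > GatewayB.isakmp: isakmp: phase 1 I ident[E]
"""
if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On the posted lines the result is message 5 (identity/authentication) retransmitted after an informational reply from the peer, which points the log review suggested in the replies at the authentication step rather than at the proposal or key exchange.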