Iron

site to site vpn tunnel

Hello Team,

I have a query. Today one of my working site-to-site VPN tunnels went down. While troubleshooting I found that Phase 1 was down and it was failing on main mode packet 5. So I reset the pre-shared key, and the tunnel came up. So my query is: without making any changes, what could be the possible reason for this change?

There were no changes made on the gateway.

OS version: R80.20

Jumbo Hotfix take_118

0 Kudos
3 Replies
Admin

I assume after you reset the pre-shared secret you pushed policy.
That means either the pre-shared secret was wrong OR there is some other issue that was solved by doing a policy push.
0 Kudos
Iron

Yes, it did resolve the issue, but I want to know what the possible cause of encryption failing in main mode packet 5 could be (without making any changes). How do I find the RCA? I am not able to find any Check Point SK on it.
The tunnel is between Check Point and Check Point.
0 Kudos

IKE Phase 1 packet 5 is where the peers switch over to NAT-T if intervening NAT has been detected between them, did that happen?

If the shared secret was really wrong, you should have seen a "payload malformed" message on one side or the other; if you didn't see that, then the PSK was not the problem.

By default pushing policy clears all IKE Phase 1 SAs and forces them to renegotiate which is probably what fixed the tunnel.

Check that your IKE Phase 1 and IPSec Phase 2 lifetimes match.

Since you say your peer is another Check Point, if this keeps happening I'd recommend enabling Permanent Tunnels on both ends so that the VPN will recover itself within 60 seconds or so should this situation happen again.

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
0 Kudos
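As an added illustration, not part of this thread and not Check Point's code, the following toy Python model of IKEv1 main mode pre-shared-key authentication shows why a wrong PSK surfaces exactly at packet 5 (the first encrypted message, carrying the identity and HASH_I), while a NAT-T or path problem shows up as packet 5 never arriving. Key names follow RFC 2409; the HMAC-based stand-in cipher, the omitted Diffie-Hellman step, the identity string, the constructed nonces/cookies and the function names are assumptions of the example.

```python
"""Toy model of IKEv1 main mode pre-shared-key authentication (RFC 2409 shape).

Packets 1-4 of main mode travel in the clear (SA proposal, key exchange and
nonces). Packet 5 is the first encrypted message: the initiator sends its
identity plus HASH_I under keys derived from the PSK and both nonces.
A wrong PSK therefore shows up as an undecryptable/unverifiable packet 5
("payload malformed"), while a NAT-T or path problem shows up as packet 5
never arriving at all. Simplifications (constructed for this example):
the Diffie-Hellman shared secret g^xy is omitted, and the cipher is an
HMAC-SHA256 keystream rather than a real IKE cipher suite.
"""
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    """The IKE pseudo-random function; HMAC-SHA256 here (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_keys(psk: bytes, ni: bytes, nr: bytes, cky_i: bytes, cky_r: bytes):
    """RFC 2409 5.4: for PSK authentication SKEYID = prf(PSK, Ni_b | Nr_b).
    SKEYID_d/a/e are chained from it; g^xy is omitted in this toy."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + cky_i + cky_r + b"\x02")
    return skeyid, skeyid_e


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-based counter keystream (symmetric)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += prf(key, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_packet5(psk, ni, nr, cky_i, cky_r, id_i: bytes) -> bytes:
    """Initiator side: ID_i and HASH_I, encrypted with SKEYID_e (packet 5)."""
    skeyid, skeyid_e = derive_keys(psk, ni, nr, cky_i, cky_r)
    hash_i = prf(skeyid, cky_i + cky_r + id_i)  # HASH_I with simplified inputs
    return xor_keystream(skeyid_e, len(id_i).to_bytes(2, "big") + id_i + hash_i)


def verify_packet5(psk, ni, nr, cky_i, cky_r, packet: bytes) -> str:
    """Responder side: decrypt with its own derived keys and check HASH_I.
    Returns 'AUTHENTICATED' or 'PAYLOAD_MALFORMED'."""
    skeyid, skeyid_e = derive_keys(psk, ni, nr, cky_i, cky_r)
    plain = xor_keystream(skeyid_e, packet)
    if len(plain) < 2 + 32:
        return "PAYLOAD_MALFORMED"
    id_len = int.from_bytes(plain[:2], "big")
    id_i, received_hash = plain[2:2 + id_len], plain[2 + id_len:]
    expected = prf(skeyid, cky_i + cky_r + id_i)
    # A wrong PSK yields garbage here; compare_digest is False for any mismatch.
    if len(id_i) != id_len or not hmac.compare_digest(received_hash, expected):
        return "PAYLOAD_MALFORMED"
    return "AUTHENTICATED"


def run_exchange(initiator_psk: bytes, responder_psk: bytes,
                 packet5_lost: bool = False) -> dict:
    """Model packets 3-5 and return what an admin would observe on the responder.
    packet5_lost stands for the NAT-T switch (UDP 4500) being blocked on the path."""
    ni, nr = os.urandom(16), os.urandom(16)        # constructed nonces
    cky_i, cky_r = os.urandom(8), os.urandom(8)    # constructed ISAKMP cookies
    pkt5 = build_packet5(initiator_psk, ni, nr, cky_i, cky_r, b"gw-a.example")
    if packet5_lost:
        return {"packet5_received": False, "result": None}
    return {"packet5_received": True,
            "result": verify_packet5(responder_psk, ni, nr, cky_i, cky_r, pkt5)}


def diagnose(observation: dict) -> str:
    """Turn the observation into the distinction made in the reply above."""
    if not observation["packet5_received"]:
        return "packet 5 never arrived: check the NAT-T/UDP 4500 path, not the PSK"
    if observation["result"] == "PAYLOAD_MALFORMED":
        return "packet 5 failed decrypt/verify: PSK mismatch likely"
    return "phase 1 authenticated"


if __name__ == "__main__":
    print(diagnose(run_exchange(b"same-secret", b"same-secret")))
    print(diagnose(run_exchange(b"same-secret", b"other-secret")))
    print(diagnose(run_exchange(b"same-secret", b"same-secret", packet5_lost=True)))
```

The point of the model is the diagnostic split the reply draws: a PSK mismatch produces a packet 5 that the responder receives but cannot verify (the "payload malformed" case), whereas a NAT-T or filtering problem produces no packet 5 on the responder at all. If the debug shows the latter, changing the pre-shared key addresses the wrong layer and the policy push (which clears the Phase 1 SAs) is the more likely reason the tunnel recovered.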