Alex_Gilis

VPN with DAIP, certificates and permanent tunnels

I followed the superb walkthrough written by Danny Jung in order to establish a VPN between a Check Point 700 series appliance (locally managed) and a central cluster of 5600 series gateways running R80.10.

While the setup worked, I encountered a rather strange issue. I could not troubleshoot it much due to time and location constraints, and the customer was satisfied with the solution anyway.

In short, when I reboot the 700, traffic initiated from its LAN to the central location works immediately (a ping test from a local PC to a central server, for instance), while traffic initiated from the central location to the remote LAN takes about 30 seconds to get established, then goes on. This could be reproduced by rebooting the small appliance. The log didn't report any particular errors. Given that it worked after that time and the VPN is used for a low-importance application, the customer didn't want to put any more effort into analysing this. Any idea why it would happen? Since pings get replies immediately if initiated from the satellite location, I would think the VPN is directly bidirectional.

2 Replies
Admin

Re: VPN with DAIP, certificates and permanent tunnels

I suspect the center gateway is trying to use the existing negotiated tunnel, which would likely fail after the 700 was rebooted.

It's probably taking the 30 seconds or so to figure that out and renegotiate the tunnel.

Re: VPN with DAIP, certificates and permanent tunnels

When you reboot, does the 700 get a new IP every time?

If so, this would explain why you see this issue: it takes time for the 5600s to establish a tunnel, as they do not know the IP at first; the DAIP gateway reports its new IP to the management server. The gateway also finds out through the new tunnel being built by the remote site, but it will verify the certificate when it receives that information. This whole process will take some time.

Regards, Maarten
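The two replies above describe one mechanism from two angles: the centre keeps using an SA that died with the satellite's reboot and only renegotiates once it has given up on it, while the rebooted satellite has no SA at all and negotiates straight away, at which point the centre learns the new DAIP address from the inbound exchange and checks the certificate. The following toy model, added here as an illustration and not code from the thread, from the walkthrough it cites, or from Check Point, times both directions under that behaviour. Every timing constant, the `address_book` stand-in for the management server's record of the DAIP address, the certificate check modelled as a CN comparison, and the sample addresses are assumptions of the model, not vendor defaults or APIs.

```python
"""Toy model of the asymmetric tunnel-recovery delay discussed in the thread.

Constructed example for illustration; not code from the thread, from the
walkthrough it cites, or from Check Point. All timings are assumed values
chosen to show the mechanism, not vendor defaults.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional

# Assumed tuning knobs (illustrative only).
DPD_IDLE_SECS = 10       # quiet time before the first dead-peer probe
DPD_RETRY_SECS = 5       # gap between unanswered probes
DPD_MAX_RETRIES = 3      # unanswered probes before the SA is dropped
IKE_SETUP_SECS = 2       # full IKE negotiation including certificate check

_key_seq = count(1)      # each negotiation yields a new key id


@dataclass
class SA:
    key: int             # shared by both ends of one negotiation
    peer_ip: str         # address this end believes the peer is at


@dataclass
class Gateway:
    name: str
    ip: str
    cert_cn: str         # identity presented in its own certificate
    expect_cn: str       # identity it requires in the peer's certificate
    sa: Optional[SA] = None

    def reboot(self, new_ip: str) -> None:
        """A DAIP satellite loses its SA on reboot and may get a new address."""
        self.ip = new_ip
        self.sa = None


# Stand-in for the management server's record of each DAIP gateway's current
# address (an assumption of this model, not a Check Point API).
address_book: dict = {}


def negotiate(initiator: Gateway, responder: Gateway, dst_ip: str) -> bool:
    """One IKE exchange. The responder validates the initiator's certificate
    identity and binds the new SA to the address the exchange arrived from,
    which is how the centre learns the satellite's new IP."""
    if dst_ip != responder.ip:
        return False                     # sent to a stale address: no answer
    if initiator.cert_cn != responder.expect_cn:
        return False                     # certificate check fails
    key = next(_key_seq)
    initiator.sa = SA(key, peer_ip=responder.ip)
    responder.sa = SA(key, peer_ip=initiator.ip)
    return True


def tunnel_delivers(src: Gateway, dst: Gateway) -> bool:
    """A packet gets through only if both ends still hold the same SA."""
    return src.sa is not None and dst.sa is not None and src.sa.key == dst.sa.key


def seconds_until_traffic_flows(src: Gateway, dst: Gateway) -> Optional[int]:
    """Delay before src's first packet reaches dst, following the behaviour the
    replies describe: reuse the SA, run DPD on silence, then renegotiate.
    Returns None if src cannot negotiate because it has no working address."""
    now = 0
    if src.sa is not None:
        if tunnel_delivers(src, dst):
            return now                   # existing SA still works
        # Stale SA: packets vanish and nothing answers, so DPD eventually fires.
        now += DPD_IDLE_SECS + DPD_RETRY_SECS * DPD_MAX_RETRIES
        src.sa = None                    # SA declared dead
    now += IKE_SETUP_SECS
    if not negotiate(src, dst, address_book.get(dst.name, "")):
        return None
    return now


def rebooted_pair(report_new_ip: bool = True):
    """Bring the tunnel up, then reboot the satellite onto a new DAIP address.
    Addresses are RFC 5737 documentation ranges (constructed sample data)."""
    centre = Gateway("centre", "198.51.100.1", "CN=centre", "CN=satellite")
    sat = Gateway("satellite", "203.0.113.10", "CN=satellite", "CN=centre")
    address_book.update({"centre": centre.ip, "satellite": sat.ip})
    if not negotiate(sat, centre, centre.ip):     # steady state: tunnel up
        raise RuntimeError("initial negotiation failed")
    sat.reboot("203.0.113.77")
    if report_new_ip:
        address_book["satellite"] = sat.ip        # assumed: reported at boot
    return centre, sat


def satellite_initiated():
    """Ping from the satellite LAN: no SA, so it negotiates immediately.
    Returns (delay, address the centre now holds for the satellite)."""
    centre, sat = rebooted_pair()
    delay = seconds_until_traffic_flows(sat, centre)
    return delay, centre.sa.peer_ip


def centre_initiated(report_new_ip: bool = True) -> Optional[int]:
    """Ping from the centre: the stale SA is tried first and DPD must time it out."""
    centre, sat = rebooted_pair(report_new_ip)
    return seconds_until_traffic_flows(centre, sat)


if __name__ == "__main__":
    print("satellite -> centre:", satellite_initiated())
    print("centre -> satellite:", centre_initiated(), "s")
    print("centre -> satellite, new IP not yet known:", centre_initiated(False))
```

With the assumed constants the centre-initiated direction needs the DPD idle time plus all retries plus a fresh negotiation before anything gets through, whereas the satellite-initiated direction only pays for the negotiation; the third case shows that if the centre has no current address for the satellite it cannot initiate at all and must wait for the satellite to come to it, which is the situation Maarten's reply describes.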