Multiple SAs

Brianpiraty_Ale · ‎2018-06-28

always see multiple SAs on IPsec tunnel ( VPN tu output) , is that normal. ( site 2 site VPN )

I configured one vpn tunnel per pair of hosts

Timothy_Hall · ‎2018-06-28

Yes that is normal, especially when you configure "pair of hosts" as there will be a new Phase 2/IPSec tunnel created for every possible combination of hosts communicating through the VPN. Here is the overall process and how the various VPN Tunnel Sharing settings fit into it:

The size of the object (i.e. host or network w/ mask) used in the Firewall/Network policy layer permitting the VPN traffic does not matter as far as what is proposed by the Check Point in Phase 2, it just needs an Accept action for anything to happen at all.

One accepted, the Check Point looks at the destination IP address and which VPN peer's VPN domain it falls into.

Once the VPN peer is selected, next it determines what VPN Community that peer is a member of so it knows what VPN settings to use for the proposal.

Once IKE Phase 1 is complete, to determine what to propose in Phase 2 as far as subnets, the firewall first looks at the "VPN Tunnel Sharing" settings on the VPN peer object. By default this set to "use the community settings" which means it will follow the "VPN Tunnel Sharing" settings on the VPN Community object itself. The VPN Tunnel Sharing setting defined on the VPN peer object will take precedence if it is not set to "use the community settings".

Regardless of where VPN Tunnel Sharing is set, here is what the settings mean:

One VPN tunnel per pair of hosts - Propose /32's for both source and destination IP address, note that this can potentially cause a very large number of Phase 2/IPSec tunnels to start and should only be used for testing purposes, or if only a few hosts on each end need to communicate and the security policy is locked down tight to reflect this (i.e. multiple networks on each end are NOT simply allowed to talk to each other).
One VPN tunnel per subnet pair - (default setting) By default propose the "largest possible subnet" for both source and destination IP addresses. So if the VPN domain for the Check Point is 192.168.0.0/16 and the VPN domain for the peer is 10.1.1.0/24, that is exactly what the Check Point will propose. Note that if you have adjacent subnets defined in your firewall's VPN domain on the proper subnet boundary, such as 192.168.2.0/24 and 192.168.3.0/24, the Check Point by default will "roll them up" and propose 192.168.2.0/23 for the source! The VPN peer is probably not expecting this, and Phase 2 will fail as a result.
One VPN tunnel per gateway pair - Propose a universal tunnel which is 0.0.0.0/0 for source and 0.0.0.0/0 for destination. This should generally only be used for a route-based VPN setup involving VTIs.

The proposal of subnets can be controlled much more precisely through use of the subnet_for_range_and_peer directive, see scenario 1 of sk108600: VPN Site-to-Site with 3rd party for how to set this up. This directive will almost certainly need to be employed when setting up interoperable VPNs with Juniper, Fortinet, & Sonicwall as these vendors are quite picky about what subnets/Proxy-IDs they will accept in a Phase 2 proposal.

Also note that the ability to define a separate VPN domain per individual VPN Community is on the roadmap and will hopefully become available at some point. Edit: The ability to override VPN domains per-VPN Community was added in R80.40.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Brianpiraty_Ale · ‎2018-06-29

when I use one tunnel per pair of hosts, the tunnel works initially, after a point of time, the connectivity from specific source is rejected by the remote peer as it sees as wrong SPI.the same time the remote peer accepts the packets from other source server( which is in the same subnet) as it is coming from new tunnel. why it is so?

Timothy_Hall · ‎2018-06-29

What you are describing is probably an SA lifetime mismatch between your firewall and the VPN peer, or your VPN peer is unexpectedly expiring the tunnel early due to a data lifesize or VPN idle timer. Make sure the SA lifetime timer is set the same on both sides for IKE Phase 1 but especially IPSec/IKE Phase 2. Note that Check Point expresses the Phase 1 timer in minutes and Phase 2 timer in seconds, whereas most other vendors express both values in seconds. Also make sure the peer has disabled any VPN idle timers, and has also disabled the data lifesize or set it to an unreachably high value.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Brianpiraty_Ale · ‎2018-07-02

what is that VPN idle timers and data life size?

peer log says SA xxxxxx not found

Timothy_Hall · ‎2018-07-03

SA Lifetimes are set here on Check Point:

Data lifesizes are not set in the SmartDashboard/SmartConsole, see Scenario 6 of this SK:

sk108600: VPN Site-to-Site with 3rd party

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Brianpiraty_Ale · ‎2018-07-03

I set the tunnel as one tunnel per subnet, still I see the multiple SAs on both phase 1 and phase2.

P eer .x.x.x , xxxxx SAs:

IKE SA <xxxx,yyyyyyy>

IKE SA <********,************>

Peer 172.22.128.103 , DB-TEST-REB23-VPN SAs:

        IKE SA <********,************>
                INBOUND:
                OUTBOUND:

        IKE SA <********,************>
                INBOUND:
                        1.********,************(i: 0)
                OUTBOUND:
                        1. ********,************   (i: 0)

        IKE SA <********,************>
                INBOUND:
                OUTBOUND:

The tunnel works only for few hours. then it is down. what could be the reason

Timothy_Hall · ‎2018-07-03

It is normal to have multiple SAs. Please read my prior postings in this thread telling you what to check.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Paul_Wedde · ‎2020-11-15

It is NOT normal to have multiple IKE "Phase 1" SA's. You should only have one Phase 1 SA per VPN End Point. It IS normal to have multiple IPSEC "Phase 2" SA's - usually one per Subnet pair (or according to the 3 options mentioned above as per Hosts/Subnets/Gateway).

If you have more than 1 Phase 1 SA then something is usually wrong.

Paul_Wedde · ‎2020-11-15

It is NOT normal to have more than 1 IKE "Phase 1" SA Per VPN Gateway Endpoint. It is normal to have more than 1 IPSEC "Phase 2" SA. You should only ever have one IKE "Phase 1" SA per VPN Gateway pair and usually multiple "Phase 2" SAs according to the 3 options mentioned above (per host/subnet/gateway), if you have more than one host or subnet configured to communicate over the VPN. I assume there might be just the one Phase 2 SA if you select "gateway" though I have never tested that setting.

If you have more than 1 IKE "Phase 1" SA then you probably have some sort of problem; Phase 1 Settings mismatch would be the top candidate.

Are you a member of CheckMates?

Multiple SAs