This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
fjulianom
Advisor
‎2023-03-21 10:14 AM

VPN S2S between CPX 6000 and CPX 1500

Hi experts,

 

Today it was imposible to setup a VPN S2S between a SG 6000 and a SMB SG 1500. The SG 6000 was managed by a SMS, and the SG 1500 was a standalone deployment. I configured the meshed VPN community on SG 6000, how do I define the SG 1500 object? As a interoperable device? Check Point Host? Gateway? Or externally managed VPN Gateway? I defined it as a interoperable device, and used a shared secret, as it was a third party VPN device, is this correct? Because I didn't find an option to use their CPX certificates. The tunnel remained in Phase 1:

monitortunnel.PNG

A strange thing is with the "vpn tu" command, I saw an unknown peer (192.168.50.1), who is this peer?

vpntu.PNG

At the SMB SG 1500 I saw this log:

ikefailureensmb.PNG

And the strange thing is in the SG 6000, I see traffic I made with ping tests going through the VPN tunnel, which is fine, but the tunnel remains in phase 1:

pingvieneasanvicente.PNG

Maybe the SMB SG 1500 device is not properly configured, I never configured one of them and it has some VPN options I didn't understand (i. e. peer ID for IKEv2).

Can someone shed some light on this? Please your help.

 

Regards,

Julián

0 Kudos
8 Replies
fjulianom
Advisor
‎2023-03-22 02:22 AM

Hi everyone,

 

Still investigating. One more question. How can I know which peer initiates the tunnel? How can I force what peer initiates the tunnel?

 

Regards,

Julián

0 Kudos
RS_Daniel
Advisor
‎2023-03-22 05:39 AM
In response to fjulianom

Hello,

The vpn is started when some traffic is generated from any of the peers. So if the vpn is down, no traffic at all, yo do a ping from a host behind SG6000, so SG6000 will initiate the tunnel, and vice versa.

RS_Daniel
Advisor
‎2023-03-22 05:31 AM

Hello,

About peer 192.168.50.1, it says it is a user, so some vpn client is connected and that office mode IP address was asigned. 

You should define the object as a externally managed vpn gateway.

About the log on 1500, you can check the problem are VPN domains not maching between the peers. Make sure the configuration about encryption domains are matching both sides.

About the log on SG1600. I know it should happen but it is very common that you see encrypt logs when the vpn is not fully operational yet. You should filter logs by action:"Key Install" and X.X.X.X where that is the public ip address of the remote peer.

So your problem are encryption domains, fix them and change the remote peer object to externally managed vpn gateway.

Regards

fjulianom
Advisor
‎2023-03-22 10:16 AM
In response to RS_Daniel

Hi RS_Daniel,

 

Many thanks for your answer. I will check and let you know.

 

Regards,

Julián

0 Kudos
the_rock
Legend
Legend
‎2023-03-22 10:44 AM
In response to fjulianom

Hey mate,

You can also run vpn tu tlist -p peer_ip command to see what it shows. Did you try running ike debug at all? Is it failing on phase 1 or 2 at the moment? If its phase 2, then as @RS_Daniel , that usually indicated enc domain issue.

Andy

0 Kudos
fjulianom
Advisor
‎2023-04-26 01:34 AM
In response to the_rock

Hi guys,

 

Finally I managed to set up the tunnel between the peers. It run OK for some days, but customer called me and sayed that the tunnel is not steady and had some disconnections. What I have made is to convert this tunnel in a permanent tunnel, and now I can see it in Logs & Monitor > Tunnel & User Monitoring > Permanent Tunnels. Also in SmartLog I can see UDP 4500 logs every 40 seconds between the peers, I guess this is a kind of keepalive to make it permanent. I would like to know if my configuration is OK for permanent tunnel.

This is for CPX 6000 side:

permanent_big.PNG

permanent_big2.PNG

(Not sure what's the meaning of the red dots and grey rectangules...)

 

An this is for CPX 1500 side:

permanent_small.PNG

permanent_small2.PNG

 

I don't find an option in the CPX 6000 to enable DPD... in CPX 1500 is a simple click as you see in the previous image.

 

Thanks in advance,

Julián

0 Kudos
Alex-
Leader Leader
Leader
‎2023-04-26 02:00 AM
In response to fjulianom

Permanent tunnel will use tunnel_test (UDP/18234), if you want to use DPD there are modifications to be done.

Since both systems are CP, you could select the Check Point proprietary method on the Spark side and not DPD.

It's all explained here: Tunnel Management (checkpoint.com)

I believe you can also keep the Permanent tunnel option active for all gateways in the community in your case.

0 Kudos
Tom_Hinoue
Advisor
Advisor
‎2023-03-22 07:51 PM

Did you have a chance to test the instructions in sk109139 ? How to configure Site-to-Site VPN between Locally Managed Embedded GAIA appliance and Centrally Mana...  which is a option to use CAs for VPN between Maintrain Gaia and a locally managed SMB gateway.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events