Michalis89
Contributor

2 Tunnels (Active - Backup ) inside the same Site-to-Site VPN community

Hi Checkmates,

I am facing a problem with a Site-to-Site VPN with AWS and I want your help.

I have established a Site-to-Site VPN with AWS and I have 2 Satellite Gateways acting as Primary - Backup.

The problem is that the VPN connectivity is continuously dropping, and AWS told us that my Check Point Gateway is sending a delete of the IPsec Phase 2 SAs. This also happens just after a successful Phase 1 renegotiation. When AWS receives a request to delete the SA, the request is honored. The tunnel is restored after the CGW eventually sends a request to negotiate Phase 2.

I have already looked through all the vpnd logs and ike.elg, but I am not seeing anything that could help me.

 

Do you know if Check Point can cause this problem because it is trying to send the traffic over both tunnels at the same time?

Do you know how Check Point handles the traffic selection when you have two remote peers inside the same Site-to-Site VPN with the same encryption domain?

 

Thank you!

0 Kudos
9 Replies
Chris_Atkinson
Employee

Start with sk108600 scenario 4.

Please also confirm your DPD settings and if the problem also presents after installing policy see also sk142355.

CCSM R77/R80/ELITE
Michalis89
Contributor

Thank you very much Chris for your help!! Indeed I checked the value ike_keep_child_sa_interop_devices and I found that it was set to false after the upgrade to R81.10.

We opened a ticket with our contractor in order to arrange a maintenance window to change this value.

I will inform you after the action is completed and whether the problem is resolved.

0 Kudos
Duane_Toler
Advisor

Hey @Michalis89 

I had an issue that sounds like yours with AWS VPNs in R80.30 and R80.40.  Working with a TAC escalation engineer (and the suggestion from @Chris_Atkinson for sk142355), I enabled "keep_IKE_SAs" in the Global Properties "scary place" in that SK.

I also ran a VPN debug at the same time, and saw this message in the debug output:

[vpnd .... [29 Mar 18:48:41] CachedObject::istrue: Cache miss: keep_IKE_SAs: true (1)

Good luck!

 

PS: I call it the "scary place" when I tell customers so they won't go traipsing through it cavalierly 🙂

0 Kudos
Michalis89
Contributor

Hi Duane, and thank you for your reply! I totally agree with you about the "scary place" 😄
We have already enabled the option "keep_IKE_SAs" in the Global Properties in order to set the Check Point as a DPD responder.

We also took the action that @Chris_Atkinson mentioned and set the value of ike_keep_child_sa_interop_devices to true, but nothing changed. The tunnels towards AWS are not stable.

 

After a lot of investigation I think that the solution to the problem is to set up VTI tunnels towards AWS. This is the only way to support Active - Backup Site-to-Site VPN tunnels inside the same VPN community.

The only drawback of this solution is that VTI tunnels are supported only from R81 and above.

0 Kudos
Duane_Toler
Advisor

AH!  Are you doing it as 'domain-based' VPN or 'route-based' VPN?   My customer's AWS VPN is route-based VPN (albeit with static routes).  The interoperable object has a VPN domain with a group object that is empty (no group members).

 

AWS has a VPN template you can download, and you can follow the config samples in their document.  You have to use their template because, when you download it, they supply the local/remote IPv4 addresses for your VPN tunnel CLISH commands.  They'll be 169.254.xxx.yyy

Then do static-route for the remote LAN behind the AWS gateways.  In your security policy, you'll use VPN directional matches for traffic to/from the AWS VPN domain.  In the community, you'll have DPD with Permanent Tunnels.

 

With this setup, I see in my VPN debug the "DPD_R_U_THERE" and "DPD_ACK" IKE messages.  This is on R80.30, too.

As weird as it seems, the AWS template had the perfect config for it.  I was surprised. 🙂

 

 

0 Kudos
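The route-based setup Duane describes (VTIs taken from the AWS template, a static route for the subnet behind the AWS gateways, DPD with Permanent Tunnels in the community), written out as Gaia CLISH for the Active - Backup pair Michalis asked about. This is an added illustration, not the AWS template and not anyone's configuration from this thread: the tunnel IDs, the 169.254.x.y link addresses, the 10.0.0.0/16 VPC subnet and the peer object names AWS_VPN_1 / AWS_VPN_2 are placeholders to be replaced with the values from the downloaded template, and expressing Active - Backup through static-route priority is my assumption, not something the thread states.

```clish
# Gaia CLISH on the Check Point gateway (non-VSX; on VSX this needs R81+, as noted later in the thread).
# Every address and name below is a placeholder: take the real values from your AWS template download.

# Primary tunnel: a numbered VTI whose link-local /30 addresses come from the AWS template.
# The peer name must match the interoperable device object defined in SmartConsole for this AWS endpoint.
add vpn tunnel 1 type numbered local 169.254.10.2 remote 169.254.10.1 peer AWS_VPN_1

# Backup tunnel to the second AWS endpoint: its own link addresses and its own peer object.
add vpn tunnel 2 type numbered local 169.254.20.2 remote 169.254.20.1 peer AWS_VPN_2

# Route the VPC subnet over the primary VTI (vpnt1). The backup VTI (vpnt2) carries the same
# prefix at a lower priority (assumption), so it is used only while vpnt1 is down.
set static-route 10.0.0.0/16 nexthop gateway logical vpnt1 priority 1 on
set static-route 10.0.0.0/16 nexthop gateway logical vpnt2 priority 2 on

save config
```

The CLISH part only creates the interfaces and routes. The rest of what Duane lists lives in SmartConsole: the two interoperable device objects with an empty group as their VPN domain, the community with Permanent Tunnels and DPD enabled so a failed tunnel brings its VTI down and the routing falls over to the backup, and rules using VPN directional match for traffic to and from the AWS community.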
Michalis89
Contributor

Hi Duane, we have already done all of the above but with Domain-based VPN.

Unfortunately we have to upgrade to R81 or higher in order to make this configuration stable for our VSX environment.

0 Kudos
Juan_
Collaborator

Hi,

VTI is supported on R80.X.

And yes, AWS VPNs are normally configured with VTI + routing.

0 Kudos
Michalis89
Contributor

Hi Juan,

Based on the SK below (sk79700), for VSX environments the VTI feature is supported from R81 and later.

VSX supported features (checkpoint.com)

I believe the only solution is to upgrade my gateways to R81.10 and configure the specific Site-to-Site VPN community with VTI and routed mode.

0 Kudos
Duane_Toler
Advisor

Oh. VSX.  Yeah that's different. 😞   "add vpn tunnel" is not a CLISH command in VSX (as of R80.40).  You'll need R81+ indeed.

0 Kudos