Wyman
Contributor

AWS Tunnel Troubleshooting

Hi. I'm trying to set up a site-to-site tunnel between a Check Point R80.40 GW and AWS. On the AWS side the tunnel is showing as 'down' but on the Check Point side, from the logs, I can see that my ICMP traffic is hitting the correct rule and is being encrypted on the correct VPN community.

I've run tcpdump on one of the CP gateways in the cluster and this is what I see:

tcpdump -i any -nn -vv host <AWS GW>
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:07:28.736599 IP (tos 0x0, ttl 241, id 65199, offset 0, flags [none], proto UDP (17), length 120)
<AWS GW>.500 > <Check Point Cluster>.500: [udp sum ok] isakmp 1.0 msgid 6fc369b9 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:28.737506 IP (tos 0x0, ttl 64, id 30482, offset 0, flags [none], proto UDP (17), length 120)
<Check Point Cluster>.500 > <AWS GW>.500: [udp sum ok] isakmp 1.0 msgid a5d10f01 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:29.591773 IP (tos 0x0, ttl 64, id 30546, offset 0, flags [none], proto UDP (17), length 344)
<Check Point Cluster>.500 > <AWS GW>.500: [udp sum ok] isakmp 1.0 msgid 660a55b6 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? oakley-quick[E]: [encrypted hash]
11:07:29.595391 IP (tos 0x0, ttl 241, id 65316, offset 0, flags [none], proto UDP (17), length 344)
<AWS GW>.500 > <Check Point Cluster>.500: [udp sum ok] isakmp 1.0 msgid 660a55b6 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? oakley-quick[E]: [encrypted hash]
11:07:29.596029 IP (tos 0x0, ttl 64, id 30551, offset 0, flags [none], proto UDP (17), length 104)
<Check Point Cluster>.500 > <AWS GW>.500: [udp sum ok] isakmp 1.0 msgid 32e62dad cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:38.736657 IP (tos 0x0, ttl 241, id 126, offset 0, flags [none], proto UDP (17), length 120)
<AWS GW>.500 > <Check Point Cluster>.500: [udp sum ok] isakmp 1.0 msgid d1211c76 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:38.737339 IP (tos 0x0, ttl 64, id 30556, offset 0, flags [none], proto UDP (17), length 120)
<Check Point Cluster>.500 > <AWS GW>.500: [udp sum ok] isakmp 1.0 msgid 912646e3 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:48.736780 IP (tos 0x0, ttl 241, id 2055, offset 0, flags [none], proto UDP (17), length 120)
<AWS GW>.500 > <Check Point Cluster>.500: [udp sum ok] isakmp 1.0 msgid dc87b30e cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:48.737451 IP (tos 0x0, ttl 64, id 36342, offset 0, flags [none], proto UDP (17), length 120)
<Check Point Cluster>.500 > <AWS GW>.500: [udp sum ok] isakmp 1.0 msgid fab0ea35 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]

I'm not seeing any ESP packets going over the tunnel so it looks like the tunnel is failing to be created, though I could be wrong on this. 

Output from fw monitor:

[vs_0][fw_1] eth1:o[40]: <Check Point GW1> -> <AWS GW> (UDP) len=40 id=46913
UDP: 62100 -> 18234
[vs_0][fw_1] eth1:O[40]: <Check Point GW1> -> <AWS GW> (UDP) len=40 id=46913
UDP: 62100 -> 18234
[vs_0][fw_1] eth1:Oe[40]: <Check Point GW1> -> <AWS GW> (UDP) len=40 id=46913
UDP: 62100 -> 18234
[vs_0][fw_0] eth1:i[44]: <AWS GW> -> <Check Point Cluster> (UDP) len=124 id=1197
UDP: 4500 -> 4500
[vs_0][fw_0] eth1:I[44]: <AWS GW> -> <Check Point GW1> (UDP) len=124 id=1197
UDP: 4500 -> 4500

It seems a bit strange that the last but one packet was sent to the cluster VIP but the others were sent to the active firewall in the cluster.

I'm not sure where exactly it's failing as I've followed the same procedure before for a tunnel to AWS (though this is my first time configuring on the AWS side). Any ideas would be hugely appreciated.

2 Replies
PhoneBoy
Admin

Timothy_Hall
Champion

It looks like you are using IKEv1 and Phase 1 is completing, but Phase 2 is failing. This could be due to a Proxy-ID/subnet mismatch in Phase 2, but upon closer inspection the issue appears to be the AWS side is switching into NAT Traversal mode (UDP 4500) while the Check Point is not. Is there intervening NAT occurring between the two peers? Somewhat unusual for site-to-site VPNs but not unheard of.

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
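The reading of the captures in the reply above, turned into a small triage script (added here as an example; it is not code from the thread, Check Point or AWS): it parses lines shaped like the tcpdump and fw monitor output in the question and reports the same checks, phase 1 up, quick mode unfinished, no ESP seen, and one peer on UDP 4500 while the other still talks only on UDP 500. The addresses 203.0.113.10 and 198.51.100.5 are constructed placeholders for <AWS GW> and <Check Point Cluster>, and the sample lines are constructed from the thread's output with the cookies shortened.

```python
import re
from collections import Counter
# Constructed placeholders: 203.0.113.10 stands in for <AWS GW>, 198.51.100.5 for <Check Point Cluster>.
AWS_GW, CP_CLUSTER = "203.0.113.10", "198.51.100.5"
# Sample lines modelled on the thread's captures (cookies shortened, tcpdump IP-header lines dropped).
TCPDUMP_LINES = [
    f"{AWS_GW}.500 > {CP_CLUSTER}.500: [udp sum ok] isakmp 1.0 msgid 6fc369b9 cookie 8d1c->8a05: phase 2/others ? inf[E]: [encrypted hash]",
    f"{CP_CLUSTER}.500 > {AWS_GW}.500: [udp sum ok] isakmp 1.0 msgid a5d10f01 cookie 8d1c->8a05: phase 2/others ? inf[E]: [encrypted hash]",
    f"{CP_CLUSTER}.500 > {AWS_GW}.500: [udp sum ok] isakmp 1.0 msgid 660a55b6 cookie 8d1c->8a05: phase 2/others ? oakley-quick[E]: [encrypted hash]",
    f"{AWS_GW}.500 > {CP_CLUSTER}.500: [udp sum ok] isakmp 1.0 msgid 660a55b6 cookie 8d1c->8a05: phase 2/others ? oakley-quick[E]: [encrypted hash]",
    f"{CP_CLUSTER}.500 > {AWS_GW}.500: [udp sum ok] isakmp 1.0 msgid 32e62dad cookie 8d1c->8a05: phase 2/others ? inf[E]: [encrypted hash]",
]
FWMON_LINES = [f"[vs_0][fw_0] eth1:i[44]: {AWS_GW} -> {CP_CLUSTER} (UDP) len=124 id=1197", "UDP: 4500 -> 4500"]
ISAKMP_RE = re.compile(r"(\S+)\.(\d+) > (\S+)\.(\d+): .*isakmp .*msgid (\w+) .*\? (\S+?)\[E\]")
ESP_RE = re.compile(r"(\S+) > (\S+): ESP\(spi=")           # what an established tunnel would show
FWMON_RE = re.compile(r"\]: (\S+) -> (\S+) \(UDP\)")
FWMON_PORTS_RE = re.compile(r"UDP: (\d+) -> (\d+)")

def parse_tcpdump(lines):
    """Return (ISAKMP messages, ESP packet count) from tcpdump -vv payload lines."""
    isakmp, esp = [], 0
    for line in lines:
        m = ISAKMP_RE.search(line)
        if m:
            isakmp.append(dict(zip(("src", "sport", "dst", "dport", "msgid", "exch"), m.groups())))
        elif ESP_RE.search(line):
            esp += 1
    return isakmp, esp

def parse_fwmonitor(lines):
    """fw monitor prints a header line then a 'UDP: sport -> dport' line; pair them (assumes that order)."""
    flows = []
    for hdr, ports in zip(lines[::2], lines[1::2]):
        h, p = FWMON_RE.search(hdr), FWMON_PORTS_RE.search(ports)
        if h and p:
            flows.append({"src": h.group(1), "dst": h.group(2), "sport": p.group(1), "dport": p.group(2)})
    return flows

def diagnose(isakmp, esp_count, flows, peer, local):
    """[E] phase-2 traffic means phase 1 is up; IKEv1 quick mode is a 3-message exchange, so fewer per
    msgid means it never finished; a peer on UDP 4500 (NAT-T) while the other side stays on 500 is the asymmetry."""
    quick = Counter(m["msgid"] for m in isakmp if m["exch"] == "oakley-quick")
    peer_ports = {f["sport"] for f in isakmp + flows if f["src"] == peer}
    local_ports = {f["sport"] for f in isakmp + flows if f["src"] == local}
    return {
        "phase1_complete": bool(isakmp),
        "quick_mode_incomplete": bool(quick) and any(n < 3 for n in quick.values()),
        "esp_seen": esp_count > 0,
        "nat_t_asymmetric": ("4500" in peer_ports) != ("4500" in local_ports),
    }
```

Run it against a real capture by feeding the tcpdump payload lines and the fw monitor output into the two parsers; a healthy tunnel shows esp_seen true and nat_t_asymmetric false.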