Hi. I'm trying to setup a site-to-site tunnel between a Check Point R80.40 GW and AWS. On the AWS side the tunnel is showing as 'down' but on the Check Point side, from the logs, I can see that my ICMP traffic is hitting the correct rule and is being encrypted on the correct VPN community.
I've run tcpdump on one of the CP gateways in the cluster and this is what I see:
tcpdump -i any -nn -vv host <AWS GW>
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
11:07:28.736599 IP (tos 0x0, ttl 241, id 65199, offset 0, flags [none], proto UDP (17), length 120)
<AWS GW>.500 > <Check Point Cluster>.500: [udp sum ok] isakmp 1.0 msgid 6fc369b9 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:28.737506 IP (tos 0x0, ttl 64, id 30482, offset 0, flags [none], proto UDP (17), length 120)
<Check Point Cluster>.500 > <AWS GW>.500: [udp sum ok] isakmp 1.0 msgid a5d10f01 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:29.591773 IP (tos 0x0, ttl 64, id 30546, offset 0, flags [none], proto UDP (17), length 344)
<Check Point Cluster>.500 > <AWS GW>.500: [udp sum ok] isakmp 1.0 msgid 660a55b6 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? oakley-quick[E]: [encrypted hash]
11:07:29.595391 IP (tos 0x0, ttl 241, id 65316, offset 0, flags [none], proto UDP (17), length 344)
<AWS GW>.500 > <Check Point Cluster>.500: [udp sum ok] isakmp 1.0 msgid 660a55b6 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? oakley-quick[E]: [encrypted hash]
11:07:29.596029 IP (tos 0x0, ttl 64, id 30551, offset 0, flags [none], proto UDP (17), length 104)
<Check Point Cluster>.500 > <AWS GW>.500: [udp sum ok] isakmp 1.0 msgid 32e62dad cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:38.736657 IP (tos 0x0, ttl 241, id 126, offset 0, flags [none], proto UDP (17), length 120)
<AWS GW>.500 > <Check Point Cluster>.500: [udp sum ok] isakmp 1.0 msgid d1211c76 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:38.737339 IP (tos 0x0, ttl 64, id 30556, offset 0, flags [none], proto UDP (17), length 120)
<Check Point Cluster>.500 > <AWS GW>.500: [udp sum ok] isakmp 1.0 msgid 912646e3 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:48.736780 IP (tos 0x0, ttl 241, id 2055, offset 0, flags [none], proto UDP (17), length 120)
<AWS GW>.500 > <Check Point Cluster>.500: [udp sum ok] isakmp 1.0 msgid dc87b30e cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
11:07:48.737451 IP (tos 0x0, ttl 64, id 36342, offset 0, flags [none], proto UDP (17), length 120)
<Check Point Cluster>.500 > <AWS GW>.500: [udp sum ok] isakmp 1.0 msgid fab0ea35 cookie 8d1c2b0154f48e10->8a05646602b54589: phase 2/others ? inf[E]: [encrypted hash]
I'm not seeing any ESP packets going over the tunnel so it looks like the tunnel is failing to be created, though I could be wrong on this.
Output from fwmonitor:
[vs_0][fw_1] eth1:o[40]: <Check Point GW1> -> <AWS GW> (UDP) len=40 id=46913
UDP: 62100 -> 18234
[vs_0][fw_1] eth1:O[40]: <Check Point GW1> -> <AWS GW> (UDP) len=40 id=46913
UDP: 62100 -> 18234
[vs_0][fw_1] eth1:Oe[40]: <Check Point GW1> -> <AWS GW> (UDP) len=40 id=46913
UDP: 62100 -> 18234
[vs_0][fw_0] eth1:i[44]: <AWS GW> -> <Check Point Cluster> (UDP) len=124 id=1197
UDP: 4500 -> 4500
[vs_0][fw_0] eth1:I[44]: <AWS GW> -> <Check Point GW1> (UDP) len=124 id=1197
UDP: 4500 -> 4500
It seems a bit strange that the last but one packet was sent to the cluster VIP but the others were sent to the active firewall in the cluster.
I'm not sure where exactly it's failing as I've followed the same procedure before for a tunnel to AWS (though this is my first time configuring on the AWS side). Any ideas would be hugely appreciated.