This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
StackCap43382
Collaborator
Collaborator
‎2021-01-08 08:12 AM
Jump to solution

How to configure S2S VPN Responder Only?

Hi All,

Have a bit of a strange issue I'm hoping someone has an answer for.

Basically we have a situation where there is a 3rd party NAT device breaking VPN connectivity to a peer.

If the peer initiates the tunnel then the VPN comes up

If our side attempts it then it all goes wrong.

There is 0% chance of any config changes to the remote peer side so we are stuck with this.

There are also other VPNS terminating on our Check Points.

A fudge-fix is to stop our side attempting to bring up the tunnel and respond only but I cant find any articles how to do this on a Check Point.

 

Can anyone point me to a relevant article?

Is Responder Mode supported on a Check Point?

Is if it is it global or can it be peer-limited?

 

Cheers

 

 

 

CCSME, CCTE, CCME, CCVS
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2021-01-08 05:30 PM
Jump to solution

  • IKE Initiation Prevention - By default, when a valid IKE SA is not available, a DPD request message triggers a new IKE negotiation. To prevent this behavior, set the property dpd_allowed_to_init_ike to false.

    Edit the property in GuiDBedit Tool (see sk13009) > Network Objects > network_objects > <gateway Name> > VPN.

View solution in original post

StackCap43382
Collaborator
Collaborator
‎2021-01-12 03:15 AM
Jump to solution

Hi All,

DAIP object is the answer:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

By configuring the 3rd party as a DIAP we force the Check Point to responder mode only. 

CCSME, CCTE, CCME, CCVS

View solution in original post

7 Replies
Jose_Manuel_Gar
Participant
‎2021-01-08 09:43 AM
Jump to solution

Hello,

There is an sk that works with DAIP SMB devices. It's SK101911. Not sure if it works with 3rd party peers but you can try.

 

Best regards

PhoneBoy
Admin
Admin
‎2021-01-08 05:30 PM
Jump to solution

  • IKE Initiation Prevention - By default, when a valid IKE SA is not available, a DPD request message triggers a new IKE negotiation. To prevent this behavior, set the property dpd_allowed_to_init_ike to false.

    Edit the property in GuiDBedit Tool (see sk13009) > Network Objects > network_objects > <gateway Name> > VPN.

Juan_
Collaborator
‎2021-02-03 04:55 AM
In response to PhoneBoy
Jump to solution

Hi Dameon,

Regarding S2S Responder Only.  Would it be an option to increase P1 lifetime just on ckp side?

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

According to this sk at least.

All my engineer life i've tried to match both values on both ends but it seems now to be a value only valid locally?

Or maybe is it just for IkeV2 implementations?

 

 

 

Azure also states:

https://docs.microsoft.com/en-us/azure/vpn-gateway/ipsec-ike-policy-howto

"The SA lifetimes are local specifications only, do not need to match."

0 Kudos
PhoneBoy
Admin
Admin
‎2021-02-03 09:39 PM
In response to Juan_
Jump to solution

I would say: try it and report back.
Yes, historically we've suggested that VPN parameters should match, and in some cases they need to.

0 Kudos
raj_p
Explorer
‎2024-05-14 12:24 AM
In response to PhoneBoy
Jump to solution

Hi,

 We are also facing the same issue with our VPN.

Is the property change "dpd_allowed_to_init_ike to false." specific to a peer or is it global?



0 Kudos
PhoneBoy
Admin
Admin
‎2024-05-14 02:47 PM
In response to raj_p
Jump to solution

It is specific to the peer on which it is configured in GUIdbedit.

0 Kudos
StackCap43382
Collaborator
Collaborator
‎2021-01-12 03:15 AM
Jump to solution

Hi All,

DAIP object is the answer:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

By configuring the 3rd party as a DIAP we force the Check Point to responder mode only. 

CCSME, CCTE, CCME, CCVS

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events