Hello,
Anyone here with successful IKEv2 IPSec tunnel between OPNsense and Check Point? If I'm not wrong OPNsense runs some variant of *swan IPsec (strongSwan?).
I'm trying to connect an OPNsense box running the latest 21.7.3 with Check Point R77.30 without any luck. The tunnel seems to establish fine -- no errors on both sides and they both agree on encryption parameters and encryption domains, but I can't see any traffic arriving via the tunnel on the destination server at the Check Point site.
I have no issues whatsoever with IKEv1 -- the tunnel works without any problems with the same parameters.
There is nothing special in terms of configuration: both Phase 1 and 2 are AES-256/SHA1/Group2.
Any hints would be greatly appreciated.
R77.30 (which JHF version?) is no longer supported, please consider upgrading to a later version such as R80.40 or above.
https://www.checkpoint.com/support-services/support-life-cycle-policy/
Hello,
I just had the same issue; due to lack of time we couldn't dive deeper into it. But no luck with IKEv2.
On the CP side it always seems to work: a tunnel was up.
SmartView Monitor said OK
"vpn tu tlist" said UP
Check Point seems to be able to send packets into the tunnel, but they were not received on the OPNsense side.
The other way around, same issue.
But I received a message like this in SmartLog:
"Auth exchange: Sending notification to peer: Invalid syntax"
Regarding
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
it should have to do with "Change Tunnel Management in Community from "One Tunnel Per Subnet Pair" to "One Tunnel Per Gateway Pair""
but no time to test it ...
Changing to IKEv1 made it work.
Platform was R81 + Take 23 plus the "Encryption Domain Per community" feature.
Perhaps someone got it running with IKEv2?
Best regards
And also, R77.30 is end of everything.
Starting R80.10, this is possible: sk118536: VPN Site to Site with StrongSwan fails
Wow, cool!
I love this kernel parameter right from the start
“fw ctl set int strongswan_bug_workaround 1”
I still need the IT guy from the remote site ... then I can try it again with IKEv2!
thank you!
Ok, let's forget the fact you are using R77.30, yes, we all know it's unsupported and it has been for a long time, but let's see if we can help you out. So, here is my thinking, logically...
So, if the tunnel is up, that tells us that both phase 1 and 2 are correct, for sure. Now, if you say this only happens with IKEv2 and not IKEv1, can you run a quick vpn debug while generating traffic and gather the ike files from the $FWDIR/log directory on the firewall, as well as vpnd.elg?
Just turn on debug by running vpn debug ikeon, generate some traffic, wait a couple of minutes and run vpn debug ikeoff to turn debug off.
If you could email me the stuff directly with any relevant IP addresses, I can check it later to see what could be going on. I definitely remember having IKEv2 tunnels work back in R77.30...not often, but it did work, for sure.
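The capture steps from the reply above, wrapped so that IKE debug is always switched off again, as an added example that is not part of the original thread or Check Point's own tooling. It assumes the gateway's expert shell (`vpn` on the PATH, `FWDIR` set); the function name `collect_ike_debug`, the `ike*` and `vpnd.elg*` file globs and the default archive path are choices made for this example.

```sh
#!/bin/sh
# Added example: capture IKE debug for a fixed window and bundle the logs.
# Hypothetical helper; only `vpn debug ikeon` / `vpn debug ikeoff`, $FWDIR/log
# and vpnd.elg come from the thread.

collect_ike_debug() (
    wait_secs="${1:-120}"     # debug window in seconds; generate traffic meanwhile
    # Use an absolute archive path: the function changes into $FWDIR/log.
    out="${2:-/var/tmp/ike_debug_$(date +%Y%m%d_%H%M%S).tgz}"
    logdir="${FWDIR:?FWDIR is not set}/log"

    if [ ! -d "$logdir" ]; then
        echo "no such directory: $logdir" >&2
        exit 1
    fi

    vpn debug ikeon || { echo "could not enable IKE debug" >&2; exit 1; }
    # If the capture is interrupted, still turn debug off before leaving.
    trap 'vpn debug ikeoff' EXIT
    trap 'exit 130' INT TERM

    echo "IKE debug on for ${wait_secs}s, generate tunnel traffic now" >&2
    sleep "$wait_secs"

    trap - EXIT INT TERM
    vpn debug ikeoff

    # Collect only the IKE logs and vpnd.elg (rotated copies included).
    cd "$logdir" || exit 1
    set --
    for f in ike* vpnd.elg*; do
        if [ -f "$f" ]; then
            set -- "$@" "$f"
        fi
    done
    if [ "$#" -eq 0 ]; then
        echo "no IKE debug files found in $logdir" >&2
        exit 1
    fi

    tar -czf "$out" "$@" || exit 1
    echo "$out"               # stdout carries only the archive path
)

# Usage on the gateway: collect_ike_debug 180 /var/tmp/ikev2_case.tgz
```

The archive holds peer addresses and negotiation details in clear text, so treat it like any other sensitive log before sending it to anyone.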