Teddy_Brewski
Contributor

IKEv2 VPN between OPNsense and Check Point

Hello,

Anyone here with a successful IKEv2 IPsec tunnel between OPNsense and Check Point? If I'm not wrong, OPNsense runs some variant of *swan IPsec (strongSwan?).

I'm trying to connect an OPNsense box running the latest 21.7.3 with Check Point R77.30 without any luck. The tunnel seems to establish fine -- no errors on either side, and they both agree on encryption parameters and encryption domains, but I can't see any traffic arriving via the tunnel on the destination server at the Check Point site.

I have no issues whatsoever with IKEv1 -- the tunnel works without any problems with the same parameters.

There is nothing special in terms of configuration: both Phase 1 and Phase 2 are AES-256/SHA1/Group2.

Any hints would be greatly appreciated.

 

6 Replies
Chris_Atkinson
Employee

R77.30 (which JHF version?) is no longer supported, please consider upgrading to a later version such as R80.40 or above.

https://www.checkpoint.com/support-services/support-life-cycle-policy/

Thomas_Eichelbu
Advisor

Hello,

I just had the same issue; due to lack of time we couldn't dive deeper into it. But no luck with IKEv2.
On the CP side it always seemed to work: a tunnel was up.
SmartView Monitor said OK.
"vpn tu tlist" said UP.
Check Point seemed to be able to send packets into the tunnel, but they were not received on the OPNsense side.
The other way around, same issue.


But I received a message like this in SmartLog:

"Auth exchange: Sending notification to peer: Invalid syntax"


Regarding
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
it should have to do with "Change Tunnel Management in Community from "One Tunnel Per Subnet Pair" to "One Tunnel Per Gateway Pair"",
but no time to test it ...

Changing to IKEv1 made it work.

Platform was R81 + Take 23 plus the "Encryption Domain Per Community" feature.

Perhaps someone got it running with IKEv2?

Best regards

And also, R77.30 is end of everything.

 

G_W_Albrecht
Legend

Starting R80.10, this is possible: sk118536: VPN Site to Site with StrongSwan fails

CCSE CCTE SMB Specialist
Thomas_Eichelbu
Advisor

Wow, cool!

I love this kernel parameter right from the start:

"fw ctl set int strongswan_bug_workaround 1"

I still need the IT guy from the remote site ... then I can try it again with IKEv2!

thank you!

the_rock
Champion

Ok, let's forget the fact you are using R77.30, yes, we all know it's unsupported and has been for a long time, but let's see if we can help you out. So, here is my thinking, logically...

So, if the tunnel is up, that tells us that both Phase 1 and Phase 2 are correct, for sure. Now, if you say this only happens with IKEv2 and not IKEv1, can you run a quick VPN debug while generating traffic and gather the ike files from the $FWDIR/log directory on the firewall, as well as vpnd.elg?

Just turn on debug by running vpn debug ikeon, generate some traffic, wait couple of minutes and run vpn debug ikeoff to turn debug off.

If you could email me the stuff directly with any relevant IP addresses, I can check it later to see what could be going on. I definitely remember having ikev2 tunnels work back in R77.30...not often, but it did work, for sure.

AaronCP
Contributor

As @the_rock mentioned, running VPN debugs will definitely give you deeper insights into what is happening with the VPN tunnel. SK33327 gives a very good explanation of how to run the debugs. You can use the IKEView tool to open the vpnd.elg & ikev2.xmll files for further analysis/troubleshooting.

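The debug procedure from the two replies above (vpn debug ikeon, generate traffic, wait, vpn debug ikeoff, then pick up ike.elg, ikev2.xmll and vpnd.elg from $FWDIR/log for IKEView) as one script. This is an added example, not from the thread and not Check Point tooling; it assumes a Gaia shell with $FWDIR set, and it runs vpn and ping only when they are present and CP_DRY_RUN is not set, echoing them otherwise so the file collection can be checked off-box. The peer address is whatever host behind the OPNsense encryption domain you want to reach.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): capture IKE debug
# for one traffic attempt and bundle the files IKEView opens.
# Assumptions: $FWDIR is set on the gateway (or a log dir is passed as $3);
# vpn/ping are executed only if installed and CP_DRY_RUN is not 1.
set -eu

# Run a gateway command, or echo it when dry-running / when it is not installed.
cp_cmd() {
    if [ "${CP_DRY_RUN:-0}" = "1" ] || ! command -v "$1" >/dev/null 2>&1; then
        echo "[dry-run] $*"
    else
        "$@"
    fi
}

# Copy IKE/vpnd debug files (including rotated ones) from a log directory into
# an output directory and print how many files were copied.
# $1 = log dir ($FWDIR/log on a gateway), $2 = output dir
collect_debug_files() {
    logdir="$1"; outdir="$2"
    mkdir -p "$outdir"
    n=0
    for pattern in ike.elg ikev2.xmll vpnd.elg; do
        for f in "$logdir"/"$pattern"*; do
            [ -f "$f" ] || continue       # glob matched nothing
            cp -p "$f" "$outdir"/
            n=$((n + 1))
        done
    done
    echo "$n"
}

# Whole procedure: debug on, traffic, settle, debug off, collect.
# $1 = host to ping through the tunnel, $2 = output dir,
# $3 = log dir (defaults to $FWDIR/log)
run_ike_debug() {
    peer="$1"; outdir="$2"; logdir="${3:-${FWDIR:?set FWDIR or pass a log dir}/log}"
    cp_cmd vpn debug ikeon                  # IKE negotiation -> ike.elg / ikev2.xmll
    # If ICMP is not allowed by the rulebase, trigger the real application instead.
    cp_cmd ping -c 10 "$peer" || echo "ping to $peer failed; collecting debug anyway"
    cp_cmd sleep 60                         # let the peer retry / rekey
    cp_cmd vpn debug ikeoff
    collect_debug_files "$logdir" "$outdir"
}

# Usage on the gateway:  sh cp_ike_debug.sh 10.20.30.40 /var/log/ike-debug-$(date +%F)
if [ $# -ge 2 ]; then
    run_ike_debug "$@"
fi
```

Note that the output directory should be outside $FWDIR/log so later rotation does not touch the copies, and the bundle still contains peer addresses and SPIs, so treat it as sensitive when sending it to someone for analysis.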