IPsec S2S VPN issue - IKEV2
Hi,
Our side gateway - Checkpoint R81
Remote side gateway - Cisco ASR
We built a tunnel to the remote side and it was working fine for some days, but it has not been working for the last 3 days. I have checked the logs in SmartConsole and observed that the peer is getting authenticated successfully. After that, our gateway sends a reject message with "Informational exchange: Exchange failed: timeout reached".
Can someone please advise what we can check in this case from our side to make sure nothing is being blocked on the Check Point end?
No, my issue was not related to that one.
In the S2S VPN, Check Point is negotiating the internal IP address as the IKE ID to the remote side, but it should actually negotiate with the external internet-facing IP address.
Even after we chose Link Selection to use the external IP address, it still uses the internal one. This was observed by the remote-side network engineer, and after he changed the remote identity match from our gateway's actual external IP to our gateway's internal IP, it started working fine.
After 4 months, the customer told us that the VPN connection had stopped working, and this happened just after we installed R81 hotfix take 36. The vendor-side engineer checked and confirmed that he could now see the IKE ID as our gateway's external IP address. Even though this would be the correct way, I am wondering how it is switching between the internal or external IP address?
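Added example, not part of the thread: a decoder for the IKEv2 Identification payload (RFC 7296, section 3.5) and the peer-side identity match described in the post above, showing why a gateway that sends its internal address as the IKE ID is rejected by a peer configured for the external address, and the reverse after the ID changes. The addresses and payload bytes are constructed samples, the function names are hypothetical, and the input is assumed to be an already decrypted IDi payload, since IKE_AUTH contents are encrypted on the wire.

```python
import ipaddress
import struct

# IKEv2 ID Type values from RFC 7296, section 3.5
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_RFC822_ADDR",
            5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN",
            11: "ID_KEY_ID"}

def parse_id_payload(buf: bytes):
    """Decode one decrypted IKEv2 Identification payload (IDi or IDr)."""
    if len(buf) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed header")
    # next payload, critical/reserved flags, payload length, ID type
    _next, _flags, length, id_type = struct.unpack("!BBHB", buf[:5])
    if length < 8 or length > len(buf):
        raise ValueError(f"bad payload length {length}")
    data = buf[8:length]  # bytes 5..7 are RESERVED, identification data follows
    name = ID_TYPES.get(id_type, f"unknown({id_type})")
    if id_type == 1:
        value = str(ipaddress.IPv4Address(data))   # raises if not 4 bytes
    elif id_type == 5:
        value = str(ipaddress.IPv6Address(data))   # raises if not 16 bytes
    elif id_type in (2, 3):
        value = data.decode("ascii", errors="replace")
    else:
        value = data.hex()                          # DN, GN and KEY_ID kept opaque
    return name, value

def identity_matches(payload: bytes, expected_type: str, expected_value: str):
    """Peer-side 'remote identity match': both ID type and value must agree."""
    name, value = parse_id_payload(payload)
    return (name == expected_type and value == expected_value), name, value

def build_ipv4_id(addr: str) -> bytes:
    """Constructed sample IDi: ID_IPV4_ADDR, next payload 39 (AUTH), length 12."""
    return struct.pack("!BBHB3x", 39, 0, 12, 1) + ipaddress.IPv4Address(addr).packed

if __name__ == "__main__":
    EXTERNAL, INTERNAL = "203.0.113.10", "10.1.1.1"   # constructed addresses
    for sent in (INTERNAL, EXTERNAL):
        for expected in (EXTERNAL, INTERNAL):
            ok, kind, seen = identity_matches(build_ipv4_id(sent),
                                              "ID_IPV4_ADDR", expected)
            print(f"sent {kind}={seen:<13} peer expects {expected:<13} "
                  f"-> {'match' if ok else 'REJECT'}")
```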
If you were to run this command on your gateway, what do you see:
tcpdump -nni any host x.x.x.x and proto 50
where x.x.x.x is the external remote IP address.
