This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
leonid1890
Contributor
‎2023-03-01 05:46 AM
Jump to solution

IPsec VPN Initiator

I have Hub and Spoke Site to Site topology (both managed by same central management).

I am trying to understand, why always only the spoke initiated of tunnel creation?

I never saw that Hub was the initiator.

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-03-02 12:27 PM
In response to leonid1890
Jump to solution

As we stated previously, the tunnel only comes up when one end needs to send traffic to the other.
If the traffic largely comes from the satellite, it is normal for the satellite to initiate the VPN tunnel.
The hub will only do if it has traffic for the satellite and the tunnel isn't already up.
This is all expected behavior.

View solution in original post

0 Kudos
9 Replies
_Val_
Admin
Admin
‎2023-03-01 06:31 AM
Jump to solution

VPN tunnels are usually open when one of the parties starts sending traffic to the other VPN domain. If you want them to be always up, set up permanent tunnels in the community properties. 

I can only assume, in your case, it is only satellite sites initiate connections to the main site and not the other way around. 

leonid1890
Contributor
‎2023-03-01 10:50 PM
In response to _Val_
Jump to solution

You right, only satellite sites initiate connections to the main site and not the other way around.
And that what I am trying to understand, why it is not in the opposite?

For example: if I reboot one of satellites, after it came up it will try to initiate the tunnel (and not the HUB).
After the reboot there is no traffic that need to go throug the tunnel.

So on which decision they determine who will start the tunnel initiation?

Note: I don't want the tunnel to be always up,
I am asking this question in order to understand how it is working.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-02 12:27 PM
In response to leonid1890
Jump to solution

As we stated previously, the tunnel only comes up when one end needs to send traffic to the other.
If the traffic largely comes from the satellite, it is normal for the satellite to initiate the VPN tunnel.
The hub will only do if it has traffic for the satellite and the tunnel isn't already up.
This is all expected behavior.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-01 06:33 AM
Jump to solution

A VPN tunnel is only initiated when traffic needs to be sent down the tunnel.
A hub site would only initiate a connection to a spoke when it or a different spoke site have traffic for that particular site.
If a spoke site has a dynamic IP, the spoke must initiate the tunnel to ensure the hub knows what IP to send traffic to.

leonid1890
Contributor
‎2023-03-01 10:55 PM
In response to PhoneBoy
Jump to solution

Let's assume I added new settlite to my current topology,
and there is no traffic which need to be sent down the tunnel
but there is still tunnel created and initiated by settlite.

Maybe there is something is missing from my understanding.

0 Kudos
the_rock
Legend
Legend
‎2023-03-02 03:34 AM
In response to leonid1890
Jump to solution

So without permanent tunnel enabled, the way it works really depends which side initiates the traffic, so regardless where traffic comes from, it would "kick start" the tunnel. I dont believe there is specific mechanism to force hub over spoke to be preferred, as far as I know.

0 Kudos
the_rock
Legend
Legend
‎2023-03-01 06:52 AM
Jump to solution

As the guys said, make sure permanent tunnel option inside vpn community is enabled. Now, here is something to keep in mind. Enabling that is NOT enough on its own. You have to do below changes in guidbedit as well per below link:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP...

this section (you need DPD value specially if its 3rd party device on the other side)

Permanent Tunnel Mode Based on Dead Peer Detection

DPD can monitor remote peers with the permanent tunnel feature. All related behavior and configurations of permanent tunnels are supported.

To configure DPD for a permanent tunnel, the permanent tunnel must be in the VPN community. After you configure the permanent tunnel, configure Permanent Tunnel mode Based on DPD. There are different possibilities for permanent tunnel mode:

  • tunnel_test (default) - The permanent tunnel is monitored by a tunnel test (as in earlier versions). It works only between Check Point Security Gateways. Keepalive packets are always sent.

  • dpd - The active DPD mode. A peer receives DPD requests at regular intervals (10 seconds). DPD requests are only sent when there is no traffic from the peer.

  • passive - The passive DPD mode. Peers do not send DPD requests to this peer. Tunnels with passive peers are monitored only if there is IPsec traffic and incoming DPD requests.

    Note: To use this mode for only some gateways, enable the forceSendDPDPayload registry key on Check Point remote peers.

To enable DPD monitoring:

On each VPN gateway in the VPN community, configure the tunnel_keepalive_method property, in Database Tool (GuiDBEdit Tool) (see sk13009) or dbedit (see skI3301). This includes 3rd Party gateways. (You cannot configure different monitor mechanisms for the same gateway).

  1. In Database Tool (GuiDBEdit Tool), go to Network Objects > network_objects > <Name of Security Gateways object> > VPN.

  2. For the Value, select a permanent tunnel mode.

  3. Save all the changes.

  4. Install the Access Control Policy.

Optional Configuration:

Timothy_Hall
Legend Legend
Legend
‎2023-03-02 06:27 AM
In response to the_rock
Jump to solution

Starting in R81 if an interoperable device type is part of a VPN Community and Permanent Tunnels is set, the tunnel_keep_alive_method variable will be automatically set to "DPD" instead of "TUNNEL_TEST".  This applies after upgrades as well.  This is mentioned in scenario 5 of sk108600: VPN Site-to-Site with 3rd party.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
(1)
the_rock
Legend
Legend
‎2023-03-02 06:30 AM
In response to Timothy_Hall
Jump to solution

Thanks for pointing that out, never really paid attention to it, good to know!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events