Hi everyone,
We currently have the problem that an IPsec connection between two Windows servers is not working due to our Checkpoint Maestro Cluster. If we hang the server in front of the Checkpoint, the IPsec works without a problem. Has anyone here had any experience with this?
In Wireshark I see many Identity Protection (Main Mode) packets in a row. There are also a lot of "Unknown packets" (243, 244, 246).
No NAT is active on our firewall and we have no other VPN tunnels running
Could this be a MTU/MSS problem?
Thank you for your help!
Paul
Hey Paul,
If you do `vpn tu` and check the options to list the tunnel by phase 1 or 2 (options 3 and 4), what do you see?
```
[Expert@CP-GW:0]# vpn tu
********** Select Option **********
(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) * List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.
(Q) Quit
*******************************************
```
Also, what if you try the below?
`vpn tu list peer_ike <peer-ip>` and the same command with `peer_ipsec`
Alternatively, do a basic debug:
```
vpn debug trunc
vpn debug ikeon
# generate traffic
vpn debug ikeoff
```
Check the vpnd and iked files in the $FWDIR/log directory.
Andy
Hi @the_rock,
Sorry for the late reply, I was on vacation.
Unfortunately, this is not a VPN tunnel on the Checkpoint itself, but IPsec-encrypted traffic between two servers with the Checkpoint in between. There are no VPN tunnels running on the Checkpoint itself.
Paul
K, no worries. Hope you had a nice vacation :-)
Anyway, in that case, all you need to make sure is that CP is allowing the traffic to pass through, that's it.
Andy
Thank you, everything was fine!
We have a firewall rule that allows all traffic, everything is also allowed in the log. However, no connection is established when testing. If we put the server in front of the checkpoint so that it no longer takes over the routing, everything works.
Paul
Do you even see phase 1 form, or nothing at all?
Andy
Is the IPsec VPN blade enabled here?
I know this VPN is not terminating in the device, but I know IPsec code is handled as part of Implied Rules and something may be causing an issue.
I suspect TAC may be necessary to troubleshoot.
Do you see any drops on the Maestro firewalls?
```
fw ctl zdebug + drop | grep <IP>
```
What version? `cpinfo -y all`
What ports have you allowed? Think of: ESP, IKE UDP/500, UDP/4500.
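Added triage helper, not from the thread and not Check Point code: it reads constructed tshark-style summary lines standing in for the Wireshark view Paul describes and reports whether Main Mode is ever answered, whether ESP (IP protocol 50, not a UDP port) crosses the firewall in both directions, whether NAT-T (UDP/4500) appears, and which IP protocol numbers Wireshark would show as unknown. The field order, addresses and SPIs are assumptions.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

IKE_PORT, NAT_T_PORT, UDP_PROTO, ESP_PROTO = 500, 4500, 17, 50
# Constructed tab-separated lines (assumed field order: ip.src, ip.dst, ip.proto, udp.srcport,
# udp.dstport, Info). BROKEN mirrors the thread: Main Mode resent, never answered, plus an unknown protocol.
BROKEN = """\
10.1.1.10\t10.2.2.20\t17\t500\t500\tIdentity Protection (Main Mode)
10.1.1.10\t10.2.2.20\t17\t500\t500\tIdentity Protection (Main Mode)
10.1.1.10\t10.2.2.20\t17\t500\t500\tIdentity Protection (Main Mode)
10.1.1.10\t10.2.2.20\t243\t\t\tUnknown (243)
"""
# HEALTHY is a working pass-through: IKE answered and ESP flowing both ways.
HEALTHY = """\
10.1.1.10\t10.2.2.20\t17\t500\t500\tIdentity Protection (Main Mode)
10.2.2.20\t10.1.1.10\t17\t500\t500\tIdentity Protection (Main Mode)
10.1.1.10\t10.2.2.20\t50\t\t\tESP (SPI=0x1a2b3c4d)
10.2.2.20\t10.1.1.10\t50\t\t\tESP (SPI=0x5e6f7a8b)
"""

def triage(summary):
    """Report which IPsec components are seen crossing the firewall, and in which directions."""
    directions = defaultdict(set)   # kind -> {(src, dst)}
    unknown = Counter()             # IP protocol numbers that are neither UDP nor ESP
    for row in csv.reader(StringIO(summary), delimiter="\t"):
        if len(row) < 6:
            continue
        src, dst, proto, sport, dport, info = row[:6]
        proto = int(proto)
        if proto == ESP_PROTO:
            kind = "esp"
        elif proto == UDP_PROTO and NAT_T_PORT in (int(sport), int(dport)):
            kind = "nat-t"          # UDP/4500, expected only when NAT sits in the path
        elif proto == UDP_PROTO and IKE_PORT in (int(sport), int(dport)):
            kind = "main-mode" if "Main Mode" in info else "ike-other"
        else:
            unknown[proto] += 1
            continue
        directions[kind].add((src, dst))
    def both_ways(kind):
        seen = directions[kind]
        return any((dst, src) in seen for src, dst in seen)
    return {
        "main_mode_answered": both_ways("main-mode"),  # False: UDP/500 not reaching the peer, or reply dropped
        "esp_both_ways": both_ways("esp"),             # False: IP protocol 50 (ESP, not a UDP port) is dropped
        "nat_t_seen": bool(directions["nat-t"]),
        "unknown_protocols": sorted(unknown),
    }
```

Run `triage()` on a real `tshark -T fields` export taken on both sides of the cluster; a Main Mode that is answered on the server side but not on the far side points at the firewall path rather than the Windows IPsec policy.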