fourcly
Participant

IPsec between two Windows Server, Checkpoint Maestro in between

Hi everyone,


We currently have the problem that an IPsec connection between two Windows servers is not working due to our Checkpoint Maestro Cluster. If we hang the server in front of the Checkpoint, the IPsec works without a problem. Has anyone here had any experience with this?

In Wireshark I see many Identity Protection (Main Mode) packets in a row. There are also a lot of "Unknown packets" (243,244,246)

No NAT is active on our firewall and we have no other VPN tunnels running

Could this be an MTU/MSS problem?


Thank you for your help!

Paul

7 Replies
the_rock
Legend

Hey Paul,

If you do vpn tu and check option to list the tunnel by phase 1 or 2, option 3 and 4, what do you see?

[Expert@CP-GW:0]# vpn tu

********** Select Option **********

(1) List all IKE SAs
(2) * List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) * List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users

* To list data for a specific CoreXL instance, append "-i <instance number>" to your selection.

(Q) Quit

*******************************************

Also, what if you try below?

vpn tu list peer_ike peer-ip and same command with peer_ipsec

Alternatively, do basic debug:

vpn debug trunc

vpn debug ikeon

-generate traffic

vpn debug ikeoff

Check vpnd and iked files in $FWDIR/log dir

Andy

fourcly
Participant

Hi @the_rock

Sorry for the late reply, I was on vacation.

Unfortunately, this is not a VPN tunnel on the Checkpoint itself, but IPsec encrypted traffic between two servers with the Checkpoint in between. There are no VPN tunnels running on the Checkpoint itself.

Paul

the_rock
Legend

K, no worries. Hope you had a nice vacation : - )

Anyway, in that case, all you need to make sure is that CP is allowing the traffic to pass through, that's it.

Andy

fourcly
Participant

Thank you, everything was fine!

We have a firewall rule that allows all traffic, everything is also allowed in the log. However, no connection is established when testing. If we put the server in front of the Checkpoint so that it no longer takes over the routing, everything works.

Paul

the_rock
Legend

Do you even see phase 1 form or nothing at all?

Andy

PhoneBoy
Admin

Is the IPsec VPN blade enabled here?
I know this VPN is not terminating in the device, but I know IPsec code is handled as part of Implied Rules and something may be causing an issue.
I suspect TAC may be necessary to troubleshoot.

Lesley
Authority

You see any drops on the Maestro firewalls?

fw ctl zdebug + drop | grep <IP>

What version? cpinfo -y all

What ports have you allowed? Think of: ESP, IKE (UDP 500), UDP 4500

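As an added example (my code, not from anyone in this thread), a small Python decoder for the IKEv1/ISAKMP headers behind the Main Mode packets Paul sees in Wireshark: it groups packets by initiator SPI and reports whether a responder ever replied, which tells a repeated unanswered message 1 (the pattern a one-way drop of UDP 500 produces at the sender) apart from a working exchange, and labels the 240-255 private-use exchange types that Wireshark lists as Unknown. The addresses and packet bytes are constructed; feeding it a real capture would need a pcap reader, which is not included.

```python
import struct
from collections import defaultdict

# ISAKMP/IKEv1 header (RFC 2408 s.3.1): I-SPI(8) R-SPI(8) next(1) ver(1) xchg(1) flags(1) msgid(4) len(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_SPI = b"\x00" * 8

def exchange_name(xchg):
    names = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
    if 240 <= xchg <= 255:  # RFC 2408 reserves 240-255 for private use; Wireshark lists them as Unknown
        return "private-use exchange type %d" % xchg
    return names.get(xchg, "exchange type %d" % xchg)

def parse_isakmp(udp_payload):
    """Decode the fixed 28-byte ISAKMP header of a UDP 500/4500 payload."""
    ispi, rspi, _nxt, _ver, xchg, _flags, msgid, length = ISAKMP_HDR.unpack_from(udp_payload)
    return {"ispi": ispi, "rspi": rspi, "xchg": xchg, "msgid": msgid, "len": length}

def diagnose(packets):
    """packets: iterable of (src_ip, dst_ip, udp_payload). Groups packets by initiator SPI
    and reports whether the responder ever replied (a reply carries a non-zero responder SPI)."""
    by_ispi = defaultdict(list)
    for _src, _dst, payload in packets:
        hdr = parse_isakmp(payload)
        by_ispi[hdr["ispi"]].append(hdr)
    report = {}
    for ispi, hdrs in by_ispi.items():
        if any(h["rspi"] != ZERO_SPI for h in hdrs):
            verdict = "responder replied, both peers exchanging"
        elif len(hdrs) > 1:
            verdict = "initiator retransmitting, no responder reply at this capture point"
        else:
            verdict = "single unanswered message"
        report[ispi.hex()] = {"packets": len(hdrs), "verdict": verdict,
                              "exchanges": sorted({exchange_name(h["xchg"]) for h in hdrs})}
    return report

def make_packet(ispi, rspi, xchg):
    body = b"\x00" * 40  # constructed dummy payload bytes, not a real SA payload
    return ISAKMP_HDR.pack(ispi, rspi, 1, 0x10, xchg, 0, 0, ISAKMP_HDR.size + len(body)) + body

# Constructed capture: SPI 11.. is Main Mode message 1 sent twice and never answered; SPI 22.. is healthy.
SAMPLE_CAPTURE = [
    ("10.0.1.10", "10.0.2.20", make_packet(b"\x11" * 8, ZERO_SPI, 2)),
    ("10.0.1.10", "10.0.2.20", make_packet(b"\x11" * 8, ZERO_SPI, 2)),
    ("10.0.1.10", "10.0.2.20", make_packet(b"\x22" * 8, ZERO_SPI, 2)),
    ("10.0.2.20", "10.0.1.10", make_packet(b"\x22" * 8, b"\x33" * 8, 2)),
    ("10.0.1.10", "10.0.2.20", make_packet(b"\x22" * 8, b"\x33" * 8, 243)),
]
```

Run `diagnose(SAMPLE_CAPTURE)` and compare the verdict for each SPI with where the capture was taken: an unanswered SPI on the initiator side but a replying responder on the other side points at the device in between.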
