ThomasPP
Explorer

Issue with VPN between Checkpoint and AWS

Hello

We are building a route based site-to-site VPN between our Checkpoint cluster (Check Point Gaia R81.10 - 15600) and AWS (tenant belonging to our partner).

Both phases are up, but there is no traffic between the VTI addresses (ping is not working, but it shows as encrypted on the Checkpoint side).

We've got errors like this in the console:

Child SA exchange: Peer's message is unacceptable

and fw ctl zdebug drop shows:

@;294556582;[cpu_6];[fw4_19];fw_log_drop_ex: Packet proto=6 169.254.131.30:35776 -> 169.254.131.29:179 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;
@;294556582;[cpu_12];[fw4_7];fw_log_drop_ex: Packet proto=6 169.254.151.30:41589 -> 169.254.151.29:179 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;

We also noticed these logs:

[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv4: Traffic selector has been narrowed. Here's what's left (4 addresses)
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2]        --- 185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: calculate all ranges
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv6: proto: 0, port range: All Ports
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: calculate ranges for ts 0
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv6: proto: 0, port range: All Ports
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: trying to match peer range 0: 185.XXX.YYY.0 - 185.XXX.YYY.3 against 0 policy ranges
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: Could not match traffic selector 1 (<185.XXX.YYY.0 - 185.XXX.YYY.3>)
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: Could not match any selectors
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify: returns true
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: looking for a ts that contains <169.254.131.30 ; TCP ; 179>
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: checking range: 185.XXX.YYY.0 - 185.XXX.YYY.6
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: added range: 185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: checking range:185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: added range: 185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: Try specific protocol/port (6/179) num_range: 1. addresses in ranges: 4 (4)
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: Returning empty TS. Proto: 6
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] ikeChildSAExchange_i::validateTSiPayload: empty traffic selector.
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::processPayloads: problem processing payload no. 4 of type TS-i payload
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::processPayloads: processPayloads returning initial status
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::setStatus: Changing status from: initial to: failure (final)..
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::setLog: Setting log message:
Peer's message is unacceptable..

Do you have any idea? 

Could it be a mismatch between route-based and policy-based?

Thank you

Thomas

0 Kudos
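As an added example (not code from the thread or from Check Point), here is a small Python script that parses the two log formats quoted above and checks whether the flow the gateway looked up (169.254.131.30, TCP 179, i.e. the BGP session on the VTI) falls inside any of the address ranges it accepted into its traffic selector; on the quoted lines it does not, which is why getContainingTS returns an empty TS and the Child SA exchange fails. The sample lines are constructed from the thread, with the anonymised 185.XXX.YYY.x ranges replaced by the documentation prefix 203.0.113.0/29.

```python
import ipaddress
import re

# Constructed sample of the vpnd ikev2 debug lines quoted in the thread; the
# anonymised 185.XXX.YYY.x ranges are replaced with the documentation prefix 203.0.113.0/29.
SAMPLE_VPND = """\
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: looking for a ts that contains <169.254.131.30 ; TCP ; 179>
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: checking range: 203.0.113.0 - 203.0.113.6
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: added range: 203.0.113.0 - 203.0.113.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: Returning empty TS. Proto: 6
"""
# Constructed sample of the fw ctl zdebug drop line quoted in the thread.
SAMPLE_ZDEBUG = """\
@;294556582;[cpu_6];[fw4_19];fw_log_drop_ex: Packet proto=6 169.254.131.30:35776 -> 169.254.131.29:179 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;
"""

RANGE_RE = re.compile(r"added range: *(\S+) - (\S+)")
LOOKUP_RE = re.compile(r"looking for a ts that contains <(\S+) ; (\w+) ; (\d+)>")
DROP_RE = re.compile(r"Packet proto=(\d+) (\S+):(\d+) -> (\S+):(\d+) dropped by (\S+) Reason: ([^;]+);")

def parse_policy_ranges(log):
    """Address ranges the gateway accepted into its own traffic-selector set."""
    return [(ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in RANGE_RE.findall(log)]

def parse_lookup(log):
    """The flow the gateway tried to find a containing TS for: (address, proto, port)."""
    m = LOOKUP_RE.search(log)
    return (ipaddress.ip_address(m.group(1)), m.group(2), int(m.group(3))) if m else None

def ts_contains(ranges, addr):
    """True if addr falls inside any accepted range (inclusive bounds, as the log prints them)."""
    return any(lo <= addr <= hi for lo, hi in ranges)

def parse_drops(log):
    """Structured view of fw_log_drop_ex lines: 5-tuple, drop point and reason."""
    return [{"proto": int(m[1]), "src": m[2], "sport": int(m[3]), "dst": m[4],
             "dport": int(m[5]), "point": m[6], "reason": m[7].strip()}
            for m in DROP_RE.finditer(log)]

def diagnose(vpnd_log, zdebug_log):
    """Tie the two logs together: is the dropped BGP flow covered by the negotiated TS?"""
    ranges = parse_policy_ranges(vpnd_log)
    addr, proto, port = parse_lookup(vpnd_log)
    drops = parse_drops(zdebug_log)
    bgp_drops = [d for d in drops if d["proto"] == 6 and 179 in (d["sport"], d["dport"])]
    return {"lookup": (str(addr), proto, port),
            "covered": ts_contains(ranges, addr),
            "ranges": [(str(lo), str(hi)) for lo, hi in ranges],
            "bgp_drops": len(bgp_drops)}
```

Running `diagnose(SAMPLE_VPND, SAMPLE_ZDEBUG)` reports `covered: False` for the 169.254.131.30 lookup together with one BGP drop at fw_ipsec_encrypt_on_tunnel_instance, which is the pairing to look for when a route-based tunnel negotiates but the VTI peers cannot talk.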
9 Replies
PhoneBoy
Admin

What steps did you follow to configure this?
It’s not necessarily an issue with route versus domain VPN, but it does indicate a configuration mismatch.

0 Kudos
ThomasPP
Explorer

Hello,

We followed the following links:

And our partners sent us the configuration files from AWS.

0 Kudos
the_rock
Legend

See if below post I made helps. Key here is to MAKE SURE routes are configured in a way I described. If not, traffic will never work. If you need more help, let me know. I know this is for Azure, but exact same method applies to AWS.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

0 Kudos
PhoneBoy
Admin

In your VPN Community, what do you have configured for Tunnel Sharing?
I believe it should be "one per gateway" as shown below.

image.png

0 Kudos
ThomasPP
Explorer

Hello,

We have configured "one vpn tunnel per Gateway" :

2024-10-03 16_35_14-vm-itm-mgt-3 - Connexion Bureau à distance.png

We are trying to use BGP routing for the first time, but it seems that BGP traffic is not flowing through the VPN (it is dropped, see first post):

@;294556582;[cpu_6];[fw4_19];fw_log_drop_ex: Packet proto=6 169.254.131.30:35776 -> 169.254.131.29:179 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;

0 Kudos
the_rock
Legend

Here is what I learned doing extensive testing with a colleague for BGP through route-based tunnels... the key is to use UNNUMBERED VTIs for that to work. Why, don't ask me, as I have no clue in the world, but I even mentioned this to TAC once after being on the phone 5 hours troubleshooting the issue.

We actually fixed it in Azure lab the next day.

Andy

0 Kudos
ThomasPP
Explorer

Hello,

Thank you for your reply.

When using unnumbered VTIs, you don't need to set any IP address? In that case, how do you set up BGP peers?

Thomas

0 Kudos
Alex-
Leader

sk176249 is very well written and while it pertains to Azure VWAN, the concept of route-based VPN with BGP is common to cloud implementations. You can adapt the Azure parts to AWS and it should work.

0 Kudos
the_rock
Legend

That's right, that's why it's called unnumbered. BGP, you configure it like you normally would.

Andy

0 Kudos