This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mk_83
Collaborator
‎2024-12-28 10:36 AM

Methods to Reset Site-to-Site IPSec VPN tunnel

Hello everyone,

Appliance: 9100 - Standalone - R81.20

I am having VPN tunnel DOWN and have to reboot the device to resolve the VPN tunnel to UP. So, I just want to ask if there is a way to reset VPN tunnel instead of using SmartView Monitor, vpn tu?
Cause my GW don't have SmartEvent/Monitoring Licenses so I can't reset VPN tunnel in SmartView Monitor; and when using vpn tu to delete IPSec SAs/IKE, it didn't recover.

Thanks & Best Regards.

0 Kudos
17 Replies
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2024-12-28 11:05 AM

Consider using Permanent Tunnels to improve the reliability of the tunnels:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T... 

"As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. Therefore it is essential to make sure that the VPN tunnels are kept up and running. Permanent Tunnels are constantly kept active and as a result, make it easier to recognize malfunctions and connectivity problems. Administrators can monitor the two sides of a VPN tunnel and identify problems without delay."

0 Kudos
AlekzNet
Contributor
‎2024-12-28 04:07 PM
In response to Tal_Paz-Fridman

> https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T... 

> Standalone - R81.20

😉

> Consider using Permanent Tunnels to improve the reliability of the tunnels:

Allowing DPD will not help if the tunnel does not establish correctly to begin with (provided there is some traffic between the enc domains).

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-28 12:48 PM

Best way I know of to truly reset vpn tunnel is remove cp gw from vpn community, push policy, add it back, push policy again.

Andy

0 Kudos
AlekzNet
Contributor
‎2024-12-28 03:53 PM
In response to the_rock

.. just make sure you still know the correct PSK, because you will have to enter it again ..

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-28 04:00 PM
In response to AlekzNet

I dont believe thats needed if you remove cp object, ONLY interoperable one.

0 Kudos
AlekzNet
Contributor
‎2024-12-28 04:22 PM
In response to the_rock

Try this in the lab 😉 And how do you know, that "the other side" is a CheckPoint?

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-28 04:24 PM
In response to AlekzNet

I tried it at least 50 times lol

0 Kudos
AlekzNet
Contributor
‎2024-12-28 04:26 PM
In response to the_rock

#metoo  and every time the PSK disappeared. In any case, I would first make sure the correct PSK is known.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-28 04:30 PM
In response to AlekzNet

Im positive you would have deleted interoperable object, as there is nowhere you can put PSK on CP object in the community.

But, I agree, always good idea to know PSK.

Andy

0 Kudos
AlekzNet
Contributor
‎2024-12-28 04:53 PM
In response to the_rock

You mean if both CP FWs are managed by the same Mgmt station, right? And if it's a 3d party company?

 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-28 04:57 PM
In response to AlekzNet

I mean one CP and other one 3rd party. In such case, other object has to be presented as interoperable object.

Andy

0 Kudos
AlekzNet
Contributor
‎2024-12-28 05:04 PM
In response to the_rock

Exactly! That's why you need to know the PSK 😊

From the the original post it's not clear what "the other side" is and who controls it. So, in this case, the PSK *must* be mentioned.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-12-28 05:08 PM
In response to AlekzNet

But what Im saying is if you delete cp object and add it back, you dont need to know psk 🙂

You only need to know it if you delete interoperable object and put it back in the community.

Hope thats clear now?

Andy

0 Kudos
AlekzNet
Contributor
‎2024-12-28 05:13 PM
In response to the_rock

In this case yes, indeed. I interpreted it a bit wider and "looser" - the object is a CP device managed by a 3d party. So, a misunderstanding on my part 😊

the_rock
MVP Gold
MVP Gold
‎2024-12-28 05:15 PM
In response to AlekzNet

Glad we are in agreement 🙂

0 Kudos
AlekzNet
Contributor
‎2024-12-28 04:03 PM

>  when using vpn tu to delete IPSec SAs/IKE, it didn't recover.

Then there is a problem with the VPN configuration. To troubleshoot further , additional information is needed.

E.g. which Phase is failing?

what does "vpn tu list peer_ipsec <peer_IP>" show?

What do you see in tcpdump on the external interface of the firewall? tcpdump -nnni <ext_iface> host <peer_IP>

What do you see in the FW logs for the <peer_IP>?

What does "the other side" see in their logs?

Next step is to allow IKE debugging. Keep in mind, in R81.20 iked is multithreaded, so the IKE debug info can go into any of the /etc/fw/log/iked?.* file, and there is no corresponding ikeview utility anymore to conveniently "decipher" these files.

Lesley
MVP Gold
MVP Gold
‎2024-12-30 10:45 AM

There are no more ways then this, so indeed reboot or vpn tu.

Policy push can force rekey, it is not a reset but sometimes it can trigger stuff. 

-------
Please press "Accept as Solution" if my post solved it 🙂

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events