Mk_83
Contributor

Methods to Reset Site-to-Site IPSec VPN tunnel

Hello everyone,

Appliance: 9100 - Standalone - R81.20

I am having the VPN tunnel go DOWN and have to reboot the device to bring the VPN tunnel back UP. So, I just want to ask if there is a way to reset the VPN tunnel instead of using SmartView Monitor or vpn tu?
Because my GW doesn't have SmartEvent/Monitoring licenses, I can't reset the VPN tunnel in SmartView Monitor; and when I used vpn tu to delete the IPsec SAs/IKE, it didn't recover.

Thanks & Best Regards.

16 Replies
Tal_Paz-Fridman
Employee

Consider using Permanent Tunnels to improve the reliability of the tunnels:

https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T... 

"As companies have become more dependent on VPNs for communication to other sites, uninterrupted connectivity has become more crucial than ever before. Therefore it is essential to make sure that the VPN tunnels are kept up and running. Permanent Tunnels are constantly kept active and as a result, make it easier to recognize malfunctions and connectivity problems. Administrators can monitor the two sides of a VPN tunnel and identify problems without delay."

AlekzNet
Contributor

> https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T... 

> Standalone - R81.20

😉

> Consider using Permanent Tunnels to improve the reliability of the tunnels:

Allowing DPD will not help if the tunnel does not establish correctly to begin with (provided there is some traffic between the enc domains).

the_rock
Legend

The best way I know of to truly reset a VPN tunnel is to remove the CP GW from the VPN community, push policy, add it back, and push policy again.

Andy

AlekzNet
Contributor

.. just make sure you still know the correct PSK, because you will have to enter it again ..

the_rock
Legend

I don't believe that's needed if you remove the CP object, ONLY the interoperable one.

AlekzNet
Contributor

Try this in the lab 😉 And how do you know that "the other side" is a CheckPoint?

the_rock
Legend

I tried it at least 50 times lol

AlekzNet
Contributor

#metoo and every time the PSK disappeared. In any case, I would first make sure the correct PSK is known.

the_rock
Legend

I'm positive you would have deleted the interoperable object, as there is nowhere you can put a PSK on a CP object in the community.

But I agree, it's always a good idea to know the PSK.

Andy

AlekzNet
Contributor

You mean if both CP FWs are managed by the same Mgmt station, right? And if it's a 3rd party company?

the_rock
Legend

I mean one CP and the other one 3rd party. In such a case, the other object has to be presented as an interoperable object.

Andy

AlekzNet
Contributor

Exactly! That's why you need to know the PSK 😊

From the original post it's not clear what "the other side" is and who controls it. So, in this case, the PSK *must* be mentioned.

the_rock
Legend

But what I'm saying is if you delete the CP object and add it back, you don't need to know the PSK 🙂

You only need to know it if you delete the interoperable object and put it back in the community.

Hope that's clear now?

Andy

AlekzNet
Contributor

In this case yes, indeed. I interpreted it a bit wider and "looser": the object is a CP device managed by a 3rd party. So, a misunderstanding on my part 😊

the_rock
Legend

Glad we are in agreement 🙂

AlekzNet
Contributor

> when using vpn tu to delete IPSec SAs/IKE, it didn't recover.

Then there is a problem with the VPN configuration. To troubleshoot further, additional information is needed.

E.g. which Phase is failing?

What does "vpn tu list peer_ipsec <peer_IP>" show?

What do you see in tcpdump on the external interface of the firewall? tcpdump -nnni <ext_iface> host <peer_IP>

What do you see in the FW logs for the <peer_IP>?

What does "the other side" see in their logs?

The next step is to enable IKE debugging. Keep in mind that in R81.20 iked is multithreaded, so the IKE debug info can go into any of the /etc/fw/log/iked?.* files, and there is no corresponding ikeview utility anymore to conveniently "decipher" these files.

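A small helper for the tcpdump step in the post above, added here as an example (not code from the thread or from Check Point): it parses "tcpdump -nn" lines captured on the external interface for the peer, tallies IKE phase 1, IKE phase 2 and ESP packets per direction, and reports the first stage at which the peer goes silent, which is the "which Phase is failing?" question. The gateway address, peer address and capture are constructed, and the decode strings assumed are tcpdump's IKEv1 ones (IKEv2 prints ikev2_init/ikev2_auth instead).

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -nnni <ext_iface> host <peer_IP>" output.
# Addresses are documentation ranges, not values from the thread.
LOCAL_GW = "203.0.113.10"
SAMPLE = """\
10:00:01.000001 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
10:00:01.004210 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
10:00:01.009000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident[E]
10:00:01.012000 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident[E]
10:00:01.020000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick[E]
10:00:03.020000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick[E]
10:00:07.020000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick[E]
"""
# timestamp, "IP", src[.port] > dst[.port]: decode text (ESP lines carry no port)
LINE_RE = re.compile(r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$")

def classify(rest):
    """Map tcpdump's IKEv1/ESP decode text to a coarse tunnel stage."""
    if "ESP(" in rest:
        return "esp"
    if "isakmp" in rest:
        return "ike_p1" if "phase 1" in rest else "ike_p2"
    return None  # unrelated traffic to/from the peer (ICMP, SSH, ...)

def tally(capture, local_ip):
    """Count packets per (stage, direction); 'out' = sent by the local GW, 'in' = from the peer."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and (stage := classify(m["rest"])):
            counts[(stage, "out" if m["src"] == local_ip else "in")] += 1
    return counts

def diagnose(counts):
    """Answer 'which Phase is failing?' from the direction pattern alone."""
    if counts[("ike_p1", "out")] and not counts[("ike_p1", "in")]:
        return "phase1: no IKE reply from peer (UDP/500 blocked or peer down)"
    if counts[("ike_p2", "out")] and not counts[("ike_p2", "in")]:
        return "phase2: phase 1 completed, peer does not answer Quick Mode (check encryption domains/proposals)"
    if counts[("esp", "out")] and not counts[("esp", "in")]:
        return "esp: SAs up but traffic is one-way (check peer routing/policy)"
    if counts[("esp", "out")] and counts[("esp", "in")]:
        return "ok: ESP in both directions"
    return "inconclusive: capture longer or generate traffic inside the encryption domains"

if __name__ == "__main__":
    print(diagnose(tally(SAMPLE, LOCAL_GW)))
```

A peer that rejects the proposal usually answers with an informational notify, which also counts as a phase 2 reply here, so an "inconclusive" result with phase 2 traffic in both directions is the cue to read the IKE debug files.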
