Agust
Contributor

Problem with site Certificate Based VPNs

We currently utilize certificate based VPNs between our main cluster and Fortinet and Starlink appliances.
These devices are installed on moving devices.

We see that the VPNs are established, but after a while they go down, and we see the following types of errors in the logs:

"Main mode local machine configured not to responde to unknow IP address and or not included in the remoteaccess community"

"VPN failed to resolve gateway IP address"

We analyzed the SKs related to these issues, but we understand that they do not apply to this case.

We were also surprised to see inconsistencies in the IPs shown for the established tunnels when we checked them with the vpn tu tlist command.

Does anyone have any suggestion of what we could analyze?

0 Kudos
7 Replies
the_rock
MVP Gold

What is the sk?

0 Kudos
Agust
Contributor

Hi

The SKs are sk132332, sk119301 and sk117713, but none of them apply to our case.

0 Kudos
PhoneBoy
Admin

I assume these "moving devices" are Dynamic IP.
Are the necessary interoperable objects defined as such?

One issue with DAIP VPN endpoints is that we don't know what IP address they're coming from.
In the case of a Check Point-managed gateway, most likely there is a persistent connection with management that we can use to determine the remote IP to use.
In the case of interoperable objects, we don't have such a mechanism and can only use traffic initiated from the remote VPN to learn about the IP in use.

I assume the errors occur when the IP association "times out" due to inactivity.
The fix for this is likely to have something periodically generate traffic through the VPN tunnel to keep it (and the IP association) active.
We have a mechanism called network probe to do this periodically starting in R82.
If on an earlier release, some other host will need to periodically generate traffic.

0 Kudos
Agust
Contributor

Hello PhoneBoy,
Thank you very much for your response. We're using DAIP in this case in order to use certificates.
I would ask you: would DPD also be a viable option, or would only the network probe you mentioned earlier work for us in this case?
Thanks

0 Kudos
PhoneBoy
Admin

DPD will definitely help here.

0 Kudos
PhoneBoy
Admin

Implementing DPD definitely won't hurt here.

0 Kudos
Duane_Toler
MVP Silver

Curious... what do you mean by "after a while"?  What time interval (be as precise as you can) is this?

I'll hazard a guess, however: if it's 1 hour, then this is an IPsec phase 2 re-key issue.  Make sure you have the VPN control connections enabled in your Global Properties, or be certain to have IPsec NAT-Traversal (UDP 4500) allowed in your ruleset.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
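As an added example (not code from the thread or from Check Point), the following Python script does the analysis both replies point at: it parses a constructed, simplified log excerpt containing the two error messages from the question, measures how long each tunnel stayed up before each failure, and reports whether the failures cluster at the one-hour Phase 2 lifetime (the re-key hypothesis) or are irregular (consistent with an idle DAIP IP association timing out). The log line format, peer address and timestamps are assumptions, not a real gateway's output.

```python
import re
from datetime import datetime
from statistics import median

# Constructed, simplified log excerpt (hypothetical format): one line per event,
# using the two error texts quoted in the original question verbatim.
SAMPLE_LOG = """\
2024-05-01 08:00:05 peer=203.0.113.10 event=tunnel-up
2024-05-01 09:00:12 peer=203.0.113.10 event=Main mode local machine configured not to responde to unknow IP address and or not included in the remoteaccess community
2024-05-01 09:00:40 peer=203.0.113.10 event=tunnel-up
2024-05-01 10:00:33 peer=203.0.113.10 event=VPN failed to resolve gateway IP address
2024-05-01 10:01:02 peer=203.0.113.10 event=tunnel-up
2024-05-01 11:00:51 peer=203.0.113.10 event=VPN failed to resolve gateway IP address
"""

LINE = re.compile(r"^(\S+ \S+) peer=(\S+) event=(.*)$")
FAILURE_PREFIXES = (
    "Main mode local machine configured not to respond",
    "VPN failed to resolve gateway IP address",
)


def parse(log: str):
    """Return [(timestamp, peer, is_failure)]; lines in another format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        failed = any(m.group(3).startswith(p) for p in FAILURE_PREFIXES)
        events.append((ts, m.group(2), failed))
    return events


def tunnel_lifetimes(events):
    """Per peer, seconds from each tunnel-up to the next failure for that peer."""
    last_up, lifetimes = {}, {}
    for ts, peer, failed in sorted(events):
        if not failed:
            last_up[peer] = ts
        elif peer in last_up:
            lifetimes.setdefault(peer, []).append((ts - last_up.pop(peer)).total_seconds())
    return lifetimes


def classify(lifetimes, rekey=3600, tolerance=0.05):
    """Map peer -> ('rekey' | 'inactivity', median lifetime). Lifetimes that all sit
    within +/-5% of the 3600 s Phase 2 lifetime suggest a re-key problem (check VPN
    control connections / UDP 4500); irregular lifetimes suggest the idle DAIP mapping."""
    verdict = {}
    for peer, secs in lifetimes.items():
        near = all(abs(s - rekey) <= rekey * tolerance for s in secs)
        verdict[peer] = ("rekey" if near else "inactivity", median(secs))
    return verdict
```

Run it against a real export by replacing SAMPLE_LOG with lines reshaped into the same `timestamp peer=... event=...` form; a "rekey" verdict answers Duane_Toler's question, an "inactivity" verdict points back to PhoneBoy's keepalive/DPD advice.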