Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Pedro_Silva
Contributor

R80.20 IPSec VPN with 3rd party dynamic ip

I have a current support ticket that is proving tricky to resolve. Hope someone in the community might have seen similar issues or be able to suggest something we might not have thought of.

We have a 5200 that was running R77.30. It has a VPN community to 7 other remote gateways.

All the remote gateways are from the same 3rd party, they have dynamic ips. This has been a stable configuration for 16 months.

We recently upgraded our gateway to R80.20. This immediately caused an issue with VPN stability.

VPN still establishes ok, but drops every time Phase 2 rekey occurs after a number of hours. This happens like clockwork.

If I set Phase 2 to 1 hour, it will drop pretty much bang on 50 minutes. If I increase the time the drop follows  the change.

If I reset the tunnel in Smartview Monitor it reestablishes immediately. The remote gateway continuously tries to establish the tunnel but the Checkpoint does not respond until I press reset.

We have provided a number of debugs and have tried multiple solutions without success.

Thanks

Pedro

0 Kudos
3 Replies
Maarten_Sjouw
Champion
Champion

To my knowledge this is only supported when you use certificates for the authentication, did you try to re-issue the certificates?

There have been a couple of issues with VPN and certificates that I read about here. 

Regards, Maarten
0 Kudos
Pedro_Silva
Contributor

Yes we are using certificates. I re-issued the cert to the gateway and the behaviour is the same.

I would expect if the certificate was the issue the tunnel would not come up at all. Our scenario is that it stays up until the end of the Phase 2 timer and then drops and fails to rekey.

0 Kudos
Maarten_Sjouw
Champion
Champion

Are the gateways at the other end Check Point or other devices? is there a setting regarding renegotiate on x KBytes sent? Also from which side is the traffic initiated?

Keep in mind that the renegotiation should be initiated by the other side, as you don't know their dynamic IP. That is what you learn when they initiate the communication.

We have a couple of these boxes as well, but they are managed by the same management server. It always has to wait for the other side to connect, this is one of the reasons why we always enable permanent tunnels on these communities.

One of these units is located in United Arab Emirates, it is very expensive to get a fixed IP there, (easily 10 times the price of a dynamic), they change IP about 10 times a day and we have no problems with this location at all.

Regards, Maarten
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events