S2S VPN
Hey there!
TL;DR: IPsec VPN problem. My Check Point device can't communicate with the interoperable device (which is actually the AWS side of the tunnel) at all. The error is "IKE failure: Initial exchange: Exchange failed: timeout reached".
The problem:
I'm trying to connect my on-premises and my AWS environments with a S2S VPN.
I configured everything on AWS and then got a configuration tutorial document for my Check Point.
I did everything and got to the part where I have to test my connection, but it is not working.
What I have already tried:
In the logs I can see, once a minute, a record with action "REJECT" and description "IKE failure: Initial exchange: Exchange failed: timeout reached". After that there is another record with action "Encrypt", but then it stops. (Images of this are included at the end.)
I tried to sniff all interfaces and found that not even one packet is sent to the public IP that is defined in the interoperable device.
I also tried to ping this address and saw that I cannot talk to it.
I tried to change the IP address of the interoperable device, and it prevented me from sending anything to the new IP as well.
I have a rule that allows my firewall to communicate with that address with any type of communication, so that's not the problem.
Thanks a lot!
I think you need to perform a VPN debug to get more info.
I would do a simple vpn debug as well:
vpn debug trunc
vpn debug ikeon
(generate some traffic, wait 2-3 minutes)
vpn debug ikeoff
Get the ike and vpnd files from the $FWDIR/log directory.
Best,
Andy
@checkpopipu Did you find the solution on this?
@SdanteMate Have you been able to resolve the issue? I'm currently running into the same error. We have other tunnels to AWS that work just fine, but I can't get this one to work.
In case anyone runs into the same issue and finds this post: the solution for us was to change the "Startup Action" setting in AWS from Add to Start.
Startup action
The action to take when establishing the tunnel for a VPN connection. You can specify the following:
Start: AWS initiates the IKE negotiation to bring the tunnel up. Only supported if your customer gateway is configured with an IP address.
Add: Your customer gateway device must initiate the IKE negotiation to bring the tunnel up.
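As an added example (not part of the original thread or of any Check Point or AWS material), the script below audits the tunnel options of AWS Site-to-Site VPN connections for the startup action described above and builds the `modify_vpn_tunnel_options()` request that switches a tunnel from "add" to "start". The sample API responses embedded in it are constructed, with placeholder IDs and documentation-range addresses; the treatment of a missing or `0.0.0.0` customer gateway address as "no static IP" (so "start" is not available) is an assumption made for the check.

```python
"""Audit AWS S2S VPN tunnels for StartupAction and prepare the fix.

AWS offers two startup actions per tunnel:
  "add"   - the customer gateway must initiate IKE (AWS never dials out)
  "start" - AWS initiates IKE; only allowed when the customer gateway
            is configured with a static IP address
A Check Point peer waiting for AWS to initiate while the tunnel is set
to "add" sees exactly the "Initial exchange ... timeout" from this thread.
"""
from typing import Any, Dict, List

# Constructed sample of ec2.describe_vpn_connections(), trimmed to the
# fields used here. IDs and addresses are placeholders.
SAMPLE_VPN_CONNECTIONS: Dict[str, Any] = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0123456789abcdef0",
            "CustomerGatewayId": "cgw-0123456789abcdef0",
            "Options": {
                "TunnelOptions": [
                    {"OutsideIpAddress": "203.0.113.10", "StartupAction": "add"},
                    {"OutsideIpAddress": "203.0.113.11", "StartupAction": "start"},
                ]
            },
        },
        {
            # Certificate-authenticated customer gateway: no static IP, so
            # "start" cannot be used on its tunnels.
            "VpnConnectionId": "vpn-0fedcba9876543210",
            "CustomerGatewayId": "cgw-0fedcba9876543210",
            "Options": {
                "TunnelOptions": [
                    {"OutsideIpAddress": "203.0.113.20"},  # no StartupAction field
                ]
            },
        },
    ]
}

# Constructed sample of ec2.describe_customer_gateways().
SAMPLE_CUSTOMER_GATEWAYS: Dict[str, Any] = {
    "CustomerGateways": [
        {"CustomerGatewayId": "cgw-0123456789abcdef0", "IpAddress": "198.51.100.5"},
        {"CustomerGatewayId": "cgw-0fedcba9876543210", "IpAddress": "0.0.0.0"},
    ]
}


def has_static_ip(ip: Any) -> bool:
    # Assumption: a missing or 0.0.0.0 address means the customer gateway
    # has no static IP (AWS uses that for certificate-based gateways).
    return bool(ip) and ip != "0.0.0.0"


def find_add_only_tunnels(vpn_connections: Dict[str, Any],
                          customer_gateways: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return every tunnel whose StartupAction is "add" (or unset, which
    AWS treats as "add"), annotated with whether "start" is permitted."""
    cgw_ip = {cg["CustomerGatewayId"]: cg.get("IpAddress")
              for cg in customer_gateways["CustomerGateways"]}
    findings: List[Dict[str, Any]] = []
    for vpn in vpn_connections["VpnConnections"]:
        ip = cgw_ip.get(vpn["CustomerGatewayId"])
        for tunnel in vpn.get("Options", {}).get("TunnelOptions", []):
            if tunnel.get("StartupAction", "add") != "add":
                continue
            findings.append({
                "VpnConnectionId": vpn["VpnConnectionId"],
                "VpnTunnelOutsideIpAddress": tunnel["OutsideIpAddress"],
                "CustomerGatewayIp": ip,
                "StartEligible": has_static_ip(ip),
            })
    return findings


def build_modify_request(finding: Dict[str, Any]) -> Dict[str, Any]:
    """kwargs for ec2.modify_vpn_tunnel_options() that set the tunnel to
    "start"; one call per tunnel outside IP, as the API requires."""
    return {
        "VpnConnectionId": finding["VpnConnectionId"],
        "VpnTunnelOutsideIpAddress": finding["VpnTunnelOutsideIpAddress"],
        "TunnelOptions": {"StartupAction": "start"},
    }


def main() -> None:
    import boto3  # needed only for a live run against the account
    ec2 = boto3.client("ec2")
    findings = find_add_only_tunnels(ec2.describe_vpn_connections(),
                                     ec2.describe_customer_gateways())
    for f in findings:
        print(f)
        if f["StartEligible"]:
            ec2.modify_vpn_tunnel_options(**build_modify_request(f))


if __name__ == "__main__":
    main()
```

Run it with read-only credentials first and remove the `modify_vpn_tunnel_options` call if you only want the report; changing the startup action causes AWS to renegotiate the tunnel, so do it in a maintenance window. Tunnels to a certificate-authenticated customer gateway are reported but left alone, since "start" is not available for them.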
That's really good to know, thanks for sharing!
Andy
