This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Anu_Cherian
Contributor
‎2018-08-03 01:32 AM

Site to Site VPN between Checkpoint and Palo Alto Firewalls

Hi All,

We have a requirement to setup Site-to-Site vpn between our Checkpoint FW and customer Palo Alto FW. I have created one, but the issue is IKE phase 2 fails. I have confirmed the negotiation parameters with my customer engineer and it looks like everything is in order. What could be the possible issue?

I used VPN tu and SmartView  monitor to view but to no success. Any advices will be highly appreciated

Thank you so much

40 Replies
Anu_Cherian
Contributor
‎2018-08-14 04:01 AM
In response to _Val_

We are not using 10.10.10.10 internally nor it is used externally. Our extenal IP ,for example : 192.168.1.2.

The 10.10.10.10/32 is the IP configured at customer site and they need us to use that IP, as it is set as an encryption domain( at Palo Alto side they have configured the remote IP in Proxy ID side as 10.10.10.10/32). So during IKE phase 2 the subnet will fail if I use my subnet ie, 172.31.1.0/24.

The error is ,

": IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 11.0.0.0/8 type IPv4_subnet protocol 0 port 0, received remote id: 192.168.1.2/32 type IPv4_address protocol 0 port 0. "

Let us say for the Primary GW(customer side) : the remote IP is 10.10.10.10/32 and for the secondary GW(cust side) : the remote IP is 10.10.11.10/32

May be they choose these IPs to segregrate the network as for both the Gateways, the domain is 11.0.0.0/8

What will be the best way to accomodate the requirement. 

0 Kudos
_Val_
Admin
Admin
‎2018-08-14 04:25 AM
In response to Anu_Cherian

Pardon me, still not clear enough. Proxy ID is the IP address of the remote GW. PAN has to use your main IP address for the tunnel to work. Now, that 10.10.10.10, does it belong to one of your GW interfaces?

0 Kudos
Anu_Cherian
Contributor
‎2018-08-14 04:33 AM
In response to _Val_

No. I have no interface with that IP. Customer have their Palo Alto like that.

as per their proxy ID settings,

Proxy ID             Local             Remote               Protocol

PID.10               11.0.0.0/8      10.10.10.10/32      any

0 Kudos
_Val_
Admin
Admin
‎2018-08-14 04:43 AM
In response to Anu_Cherian

Ask them to change remote proxy ID IP to your address. There no way you can build a VPN with a dummy IP

0 Kudos
Anu_Cherian
Contributor
‎2018-08-14 04:38 AM
In response to _Val_

They have Cisco and Fortinet firewall setup with this configuration but they don't have any Checkpoint where we can refer the setup. 

0 Kudos
_Val_
Admin
Admin
‎2018-08-14 04:45 AM
In response to Anu_Cherian

Check out this video: VPN PSK - Check Point & Palo Alto Networks - YouTube 

Anu_Cherian
Contributor
‎2018-08-14 09:34 AM
In response to _Val_

Finally the issue got resolved. We added the encryption domain to Checkpoint Gateway and NATed the Public IP(or NAT IP) customer provided. 

(For information purpose):  we used a Mesh community for the configuration.

Thank you so much guys ! Really appreciate your help and support.

_Val_
Admin
Admin
‎2018-08-14 11:24 PM
In response to Anu_Cherian

No problem, I am glad the issue is resolved

0 Kudos
Gaurav_Pandya
Advisor
‎2019-05-16 08:19 AM
In response to _Val_

Hi Tim/Valeri,

 

I have same problem. Establishing tunnel between Checkpoint FW & Palo Alto (It is in Azure). Tunnel is UP at both end but traffic is not passing. We Can see traffic is encrypting in tunnel but not reaching at peer end. I have done all scenarios which are suggested in this thread.

Checkpoint side : Domain Based VPN 

Palo Alto side : Route Based VPN

 

In checkpoint side, Toggled between subnet pair & gateway pair in tunnel management. 

In Palo Alto side, Given specific proxy IDs

But still traffic is not passing even though tunnel is UP. 

0 Kudos
Timothy_Hall
Champion
Champion
‎2019-05-16 09:32 AM
In response to Gaurav_Pandya

Please provide the Key Exchange logs indicating that IKE Phase 1 has completed (Main Mode) and the log indicating that IKE Phase 2 has completed (Quick Mode).  My guess is you won't find the latter one as only the Phase 1 tunnel is up, which is why traffic is not passing.

 

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
Mike_Jensen
Collaborator
‎2020-01-22 12:29 PM
In response to _Val_

I am attempting a site to site VPN with a Palo Alto and Check Point R80.10 in a lab before trying in production and I am still stuck on trying to get phase 2 to negotiate.

On the Check Point I am using a start VPN topology, "One VPN tunnel per subnet pair", and the encryption domain contains the one and only network behind the Check Point - 10.10.10.0 / 24.

On the Palo Alto side I have a static route configured to 10.10.10.0/24 with the router interface being the VPN tunnel.  I have tried with a proxy id of local 10.30.30.0 /24 (behind palo alto) remote 10.10.10.0 /24, and without any proxy ID.  I tried to configure a proxy id of 0.0.0.0/0 0.0.0.0/0 with a protocol of 0 (Palo Alto won't accept this config) as well as "any".  

On the Check Point side I get "IKE failure" , "Encryption Failure: no response from peer.", and on the Palo Alto 

2020-01-22 15:18:17.480 -0500 [PNTF]: { 2: }: ====> PHASE-2 NEGOTIATION STARTED AS RESPONDER, (QUICK MODE) <====
====> Initiated SA: 172.16.1.30[500]-172.16.1.10[500] message id:0xBEC56C26 <====
2020-01-22 15:18:17.480 -0500 [ERR ]: { 2: }: can't find matching selector
2020-01-22 15:18:17.480 -0500 [PERR]: { 2: }: failed to get sainfo.
2020-01-22 15:18:17.480 -0500 [ERR ]: failed to pre-process packet.

 

Any ideas?

0 Kudos