This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
Sunday

Something to keep in mind when VPN tunnel is down

Hey guys,

I know these settings in Guidbedit might not always be relevent, specially in newer versions, but I did come across few scenarios lately, in R81.20 as a matter of fact, where we had to go to guidbedit and set below values to false to get VPN tunnel to work:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

 

I sometimes also check this on the gateway, though this was only problem few times, so probably not a requirement, but also something to consider:

 

gateway object -> other -> connection persistence -> I always check keep all connections

 

Andy

8 Replies
kamilazat
Advisor
Sunday

Yes! And this can become a daunting issue when trying to set up a tunnel with 3rd party peers. And if you're unlucky enough, even some TAC engineers forget to think about it and a simple solution as this turns into a repeated debugging and messaging back and forth. 

Or if you pay attention during your studies for CCTE, hopefully it won't become that big of an issue 🙂

(1)
the_rock
Legend
Legend
yesterday
In response to kamilazat

Well, its good those sort of things dont happen too often these days, but just something to keep in mind, as I mentioned. Thats why we share ideas on here, to help others out 🙂

Andy

0 Kudos
CaseyB
Advisor
yesterday

Do you think these still come into play when using granular encryption domains?

the_rock
Legend
Legend
yesterday
In response to CaseyB

Hey @CaseyB 

I can only speak from my own experience and here it is 🙂

Ever since R80 came out, I had never seen this issue with Azure, AWS or Fortinet, ONLY with Palo Alto and Cisco. Cant say if thats case with others, but thats what I had observed.

Andy

the_rock
Legend
Legend
yesterday
In response to CaseyB

One thing I also found from time to time, depending on 3rd party vendor, is that say even if ONLY subnets are involved, you still may need to select "per gateway" in tunnel management tab of the VPN community.

Andy

0 Kudos
G_W_Albrecht
Legend Legend
Legend
22 hours ago

Sources:

sk108600: VPN Site-to-Site with 3rd party

sk101219: VPN features in R80.x and R81.x versions

sk144094: VPN tunnels with 3rd party peers fail because of mismatched IDs

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend
Legend
17 hours ago
In response to G_W_Albrecht

All great references @G_W_Albrecht 

0 Kudos
the_rock
Legend
Legend
17 hours ago
In response to G_W_Albrecht

Btw, that last sk, never seen it before, but ran the command in R82 and it worked.

Thank you!

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events