Dor_Marcovitch
Advisor

Testing VPN phase1 and phase2

Hey,

I think a feature request for testing those configurations can have good value for troubleshooting.

Based on the security policy, for example, we might need to have someone on the other side to generate traffic, something we don't have 100%.

Some test command can be useful to make the GW try to establish the VPN tunnel just for those parameters.

0 Kudos
4 Replies
JozkoMrkvicka
Mentor

A simple ping from one GW to the other one will cause the VPN to try to be established with the relevant VPN configuration in place on both ends.

Kind regards,
Jozko Mrkvicka
0 Kudos
Dor_Marcovitch
Advisor

This should work only if the GW is in the encryption domain.

0 Kudos
JozkoMrkvicka
Mentor

Not really, the peer IP of the GW (cluster IP) to be used for the VPN itself is considered a valid part of the VPN.

For VPN performance and best practices, see:

Best Practices - VPN Performance

Relative speeds of algorithms for IPsec and SSL

ATRG: VPN Core

Kind regards,
Jozko Mrkvicka
0 Kudos
Timothy_Hall
Legend

There doesn't seem to be a way to simulate a VPN peer initiating an IKE negotiation to your Check Point firewall, at least that I can see. Once the tunnel is up (no matter who initiated it) it is a two-way street, but in an interoperable scenario sometimes there will be an IKEv1 Phase 2 subnet/Proxy-ID negotiation failure if one side initiates the tunnel, but the other side can initiate it just fine. Not much you can really do about this except have the VPN peer try to initiate to you and see what happens.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
