This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Sylvain
Participant
‎2021-03-02 01:37 AM

[VPN] [AWS] Issue when rekeying the phase 1

Checkpoint version : R80.40.

Peer gateway : AWS

 

Hello all,

We have an issue with a tunnel VPN. The tunnel goes UP with no problem, the streams are encrypted and sent inside the tunnel. Until here, no problem.

 

But once the phase 1 expires, and it tries to rekey, the streams don't pass anymore in the tunnel, even if the tunnel is UP, and seems to be OK with the rekey (new SA and new SPI, shown with vpn tu).

We are obliged to reset the tunnel before the streams run again.

 

We have noticed that at every phase 1 rekeying, we drop packets from peer gateway because of "Unknown SPI: 0xXXXXXXXX for IPsec packet.".

We have this error message too on ESP packets : "Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found".

 

We've activated the keep_ike_sa, changed the VPN tunnel parameters as recomended by AWS, changed the value of the DPD Timeout action in the peer gateway, but nothing has fixed the issue.

 

Hope to find the solution here.

 

Many thanks.

0 Kudos
2 Replies
Chris_Atkinson
Employee Employee
Employee
‎2021-03-02 04:31 AM

Hi,

Please review sk108600 scenario 4 if not already.

Regards,

Chris

CCSM R77/R80/ELITE
Sylvain
Participant
‎2021-03-02 05:37 AM
In response to Chris_Atkinson

Hi Chris, thank you for your fast answer.

 

After checking the value of ike_keep_child_sa_interop_devices, it is set to false.

Acording to the SK, changing the value to true may resolve the issue, but before applying the change, I want to know w hat impacts it can have on other stable vpn connections ? Is there a risk to do it ?

 

Many thanks.

Kind regards.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events