[VPN] [AWS] Issue when rekeying the phase 1
Check Point version: R80.40
Peer gateway: AWS
Hello all,
We have an issue with a VPN tunnel. The tunnel comes up with no problem, and the streams are encrypted and sent inside the tunnel. Up to here, no problem.
But once phase 1 expires and it tries to rekey, the streams no longer pass through the tunnel, even though the tunnel is UP and seems to be OK after the rekey (new SA and new SPI, shown with vpn tu).
We are obliged to reset the tunnel before the streams run again.
We have noticed that at every phase 1 rekey, we drop packets from the peer gateway because of "Unknown SPI: 0xXXXXXXXX for IPsec packet.".
We also get this error message on ESP packets: "Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found".
We've activated keep_ike_sa, changed the VPN tunnel parameters as recommended by AWS, and changed the value of the DPD Timeout action on the peer gateway, but nothing has fixed the issue.
Hope to find the solution here.
Many thanks.
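As an added example (not from the original post or from Check Point), a small Python triage script that scans gateway-style log lines for the "Unknown SPI" drops quoted above and reports only those that follow a phase 1 rekey from the same peer within a short window, which is the pattern described in this thread. The log line layout, timestamps, peers and SPIs are constructed assumptions, not real gateway output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines modelled on the drop message quoted in the post.
# Not real gateway output: layout, timestamps, peers and SPIs are made up.
SAMPLE_LOG = """\
2024-03-01 10:00:00 ike: phase 1 rekey completed peer=203.0.113.10
2024-03-01 10:00:03 drop: Unknown SPI: 0xc1a2b3c4 for IPsec packet. peer=203.0.113.10
2024-03-01 10:00:04 drop: Unknown SPI: 0xc1a2b3c4 for IPsec packet. peer=203.0.113.10
2024-03-01 10:41:00 drop: Unknown SPI: 0x0badf00d for IPsec packet. peer=198.51.100.7
"""

REKEY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ike: phase 1 rekey completed peer=(?P<peer>\S+)")
DROP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) drop: Unknown SPI: (?P<spi>0x[0-9a-fA-F]+) "
    r"for IPsec packet\. peer=(?P<peer>\S+)")


def parse_events(log):
    """Return (timestamp, kind, peer, spi) tuples for rekey and unknown-SPI lines."""
    events = []
    for line in log.splitlines():
        m = REKEY_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), "rekey", m["peer"], None))
            continue
        m = DROP_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), "drop",
                           m["peer"], m["spi"].lower()))
    return events


def rekey_correlated_drops(events, window=timedelta(minutes=5)):
    """Group unknown-SPI drops that follow a phase 1 rekey from the same peer
    within `window`. Returns {peer: {spi: count}}. Drops with no preceding
    rekey are left out, so a stray packet from another peer is not mistaken
    for the post-rekey failure described in the thread."""
    last_rekey = {}
    findings = {}
    for ts, kind, peer, spi in sorted(events, key=lambda e: e[0]):
        if kind == "rekey":
            last_rekey[peer] = ts
        elif peer in last_rekey and ts - last_rekey[peer] <= window:
            per_peer = findings.setdefault(peer, {})
            per_peer[spi] = per_peer.get(spi, 0) + 1
    return findings


if __name__ == "__main__":
    print(rekey_correlated_drops(parse_events(SAMPLE_LOG)))
```

A peer that shows up here repeatedly with the same unknown SPI right after each rekey is still sending on an IPsec SA the gateway no longer holds, which is the symptom to confirm before changing any SA-retention setting.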
Hi,
Please review sk108600 scenario 4 if not already.
Regards,
Chris
Hi Chris, thank you for your fast answer.
After checking the value of ike_keep_child_sa_interop_devices, it is set to false.
According to the SK, changing the value to true may resolve the issue, but before applying the change, I want to know what impact it can have on other stable VPN connections. Is there a risk in doing it?
Many thanks.
Kind regards.
