Sylvain
Participant

[VPN] [AWS] Issue when rekeying the phase 1

Check Point version: R80.40

Peer gateway: AWS

Hello all,

We have an issue with a VPN tunnel. The tunnel comes UP with no problem, and the streams are encrypted and sent inside the tunnel. Up to this point, no problem.

But once phase 1 expires and it tries to rekey, the streams no longer pass through the tunnel, even though the tunnel is UP and seems to be OK after the rekey (new SA and new SPI, shown with vpn tu).

We have to reset the tunnel before the streams flow again.

We have noticed that at every phase 1 rekey, we drop packets from the peer gateway with "Unknown SPI: 0xXXXXXXXX for IPsec packet.".

We also see this error message on ESP packets: "Packet is dropped because an IPsec SA associated with the SPI on the received IPsec packet could not be found".

We've activated keep_ike_sa, changed the VPN tunnel parameters as recommended by AWS, and changed the value of the DPD Timeout action on the peer gateway, but nothing has fixed the issue.

Hope to find the solution here.

Many thanks.
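As an added example (not from the poster, Check Point or AWS) of how to triage drops like these, the following Python script correlates "Unknown SPI" drop lines with rekey events and tags each drop as either "the peer is still sending on the SPI we just retired" or an SPI this gateway never negotiated. The log format, peer address and SPI values are constructed and simplified for illustration; adapt the two regexes to the real log fields.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed, simplified format; they are
# not real Check Point or AWS output and are not taken from the post.
SAMPLE_LOG = """\
2024-05-01 10:00:00 peer=203.0.113.10 event=REKEY old_spi=0x1a2b3c4d new_spi=0x5e6f7a8b
2024-05-01 10:00:03 peer=203.0.113.10 drop reason="Unknown SPI: 0x1a2b3c4d for IPsec packet."
2024-05-01 10:00:05 peer=203.0.113.10 drop reason="Unknown SPI: 0x1a2b3c4d for IPsec packet."
2024-05-01 10:20:00 peer=203.0.113.10 drop reason="Unknown SPI: 0x99999999 for IPsec packet."
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
REKEY_RE = re.compile(r"^(?P<ts>\S+ \S+) peer=(?P<peer>\S+) event=REKEY "
                      r"old_spi=(?P<old>0x[0-9a-fA-F]+) new_spi=(?P<new>0x[0-9a-fA-F]+)")
DROP_RE = re.compile(r'^(?P<ts>\S+ \S+) peer=(?P<peer>\S+) drop reason="Unknown SPI: '
                     r"(?P<spi>0x[0-9a-fA-F]+) for IPsec packet")


def classify_unknown_spi_drops(log_text, window=timedelta(seconds=120)):
    """Return one record per 'Unknown SPI' drop, tagged as either
    'stale_spi_after_rekey' (the peer kept sending on an SPI this gateway
    retired within `window`) or 'unrelated' (an SPI never seen in a rekey)."""
    retired = {}  # (peer, old_spi) -> timestamp of the rekey that retired it
    results = []
    for line in log_text.splitlines():
        m = REKEY_RE.match(line)
        if m:
            retired[(m["peer"], m["old"].lower())] = datetime.strptime(m["ts"], TS_FMT)
            continue
        m = DROP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (m["peer"], m["spi"].lower())
        rekey_ts = retired.get(key)
        if rekey_ts is not None and timedelta(0) <= ts - rekey_ts <= window:
            verdict = "stale_spi_after_rekey"
        else:
            verdict = "unrelated"
        results.append({"ts": ts, "peer": key[0], "spi": key[1], "verdict": verdict})
    return results


def summarize(log_text):
    """Count drops per verdict; a burst of stale-SPI drops right after each
    rekey matches the symptom described in the post (an SA mismatch, not an attack)."""
    counts = {}
    for rec in classify_unknown_spi_drops(log_text):
        counts[rec["verdict"]] = counts.get(rec["verdict"], 0) + 1
    return counts
```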
