NamND
Participant

VPN Site to Site gateway

Hi Everyone.

I am configuring a site-to-site VPN. I have enabled IPsec VPN, but the gateway device is not receiving the VPN configuration. I checked with the CLI command vpn tu, but the result is "No data to display".
Steps I took:
1. enable IPsec VPN
2. Interoperable Devices
3. VPN Communities
4. IPsec VPN
5. Install Policy

Thanks

NamND
Participant

Hi Everyone!

I am configuring a site-to-site VPN on a Check Point gateway cluster. But when I install the policy, the VPN configuration is not received on the gateway.
Steps I took:
1. enable IPsec VPN in the cluster
2. configure Interoperable Devices
3. configure VPN Communities
4. configure VPN Domain
5. install policy

I executed the vpn tu command on the CLI, but the result was "No data to display".

Thanks.

the_rock
Legend

That's only the first step, since the VPN blade has to be enabled. But let's take a step back, or a few, lol.

Can you please let us know the following:

1) is it a CP to CP tunnel or 3rd party?

2) permanent tunnel or regular?

3) what is configured for vpn domains?

4) any NAT going?

5) ikev1 or v2?

Also, did you do any tcpdumps or debugs?

Example (say peer is 1.2.3.4 IP)

from CP -> tcpdump -enni any host 1.2.3.4 and proto 50

debug:

vpn debug trunc

vpn debug ikeon

- try to generate some traffic

vpn debug ikeoff

Look for the ike and vpnd files.

IMPORTANT NOTE -> to save yourself time, please run the below to check which iked process is handling the VPN, otherwise you might be looking at totally the wrong files.

example in my lab:

[Expert@azurefw:0]# vpn iked calc 1.2.3.4

vpn: Address 1.2.3.4 is handled by IKED 0

[Expert@azurefw:0]#


If you need any help, let me know.


Best.

Andy

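Added example, not part of Andy's post or of Check Point's tooling: a small Python triage script for the capture step above, run offline over saved tcpdump output. It also recognises IKE on UDP/500 and NAT-T on UDP/4500, since a `proto 50` filter shows only ESP while phase 1 runs over IKE; the capture lines, the gateway address 203.0.113.10 and the verdict wording are constructed for the example.

```python
"""Triage `tcpdump -enni any host <peer>` output for one VPN peer.

Each line is classified as IKE (UDP/500), IKE over NAT-T (UDP/4500) or
ESP (IP proto 50), with its direction relative to the peer, and the
script reports how far tunnel setup visibly got.
"""
import re

# src[.port] > dst[.port]: payload   (IPv4, tcpdump -nn style)
PKT_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s+(?P<payload>.*)$"
)

def parse(line):
    """Return {src, dst, kind, phase} for an IKE/ESP line, else None."""
    m = PKT_RE.search(line)
    if not m:
        return None
    payload, ports = m.group("payload"), {m.group("sport"), m.group("dport")}
    if "isakmp" in payload:
        kind = "ike_natt" if "4500" in ports else "ike"
        phase = "phase1" if "phase 1" in payload else "phase2"
    elif payload.startswith("ESP(") or "UDP-encap: ESP" in payload:
        kind, phase = "esp", None
    else:
        return None
    return {"src": m.group("src"), "dst": m.group("dst"), "kind": kind, "phase": phase}

def summarize(lines, peer):
    """Collect (kind, phase, direction) seen for `peer` and give a verdict."""
    seen = set()
    for line in lines:
        p = parse(line)
        if p and peer in (p["src"], p["dst"]):
            seen.add((p["kind"], p["phase"], "to_peer" if p["dst"] == peer else "from_peer"))
    ike_out = any(k != "esp" and ph == "phase1" and d == "to_peer" for k, ph, d in seen)
    ike_in = any(k != "esp" and ph == "phase1" and d == "from_peer" for k, ph, d in seen)
    phase2 = any(ph == "phase2" for _, ph, _ in seen)
    esp_both = {d for k, _, d in seen if k == "esp"} == {"to_peer", "from_peer"}
    if not ike_out and not ike_in:
        verdict = "no IKE seen: tunnel never attempted (check VPN domain, rule match, policy install)"
    elif ike_out and not ike_in:
        verdict = "phase 1 initiated but peer never answered on UDP/500 (reachability, peer config, filtering)"
    elif not phase2:
        verdict = "phase 1 exchanged but no phase 2: compare phase 1 proposals and PSK on both sides"
    elif not esp_both:
        verdict = "phase 2 negotiated but ESP one-way or absent: check encryption domains and NAT"
    else:
        verdict = "tunnel up: ESP flowing both ways"
    return {"seen": seen, "verdict": verdict}

# Constructed sample captures (gateway 203.0.113.10, peer 192.168.45.2).
HDR = "10:01:02.000001 Out 00:1c:7f:00:00:01 ethertype IPv4 (0x0800), length 250: "
CAPTURE_ONE_WAY = [HDR + "203.0.113.10.500 > 192.168.45.2.500: isakmp: phase 1 I ident"] * 3
CAPTURE_UP = [HDR + s for s in (
    "203.0.113.10.500 > 192.168.45.2.500: isakmp: phase 1 I ident",
    "192.168.45.2.500 > 203.0.113.10.500: isakmp: phase 1 R ident",
    "203.0.113.10.500 > 192.168.45.2.500: isakmp: phase 2/others I oakley-quick",
    "192.168.45.2.500 > 203.0.113.10.500: isakmp: phase 2/others R oakley-quick",
    "203.0.113.10 > 192.168.45.2: ESP(spi=0x0a1b2c3d,seq=0x1), length 132",
    "192.168.45.2 > 203.0.113.10: ESP(spi=0x4e5f6071,seq=0x1), length 132")]

if __name__ == "__main__":
    for name, cap in (("one-way", CAPTURE_ONE_WAY), ("up", CAPTURE_UP)):
        print(name, "->", summarize(cap, "192.168.45.2")["verdict"])
```

On a real gateway, save the capture with `tcpdump -enni any host <peer> and (proto 50 or udp port 500 or udp port 4500) > cap.txt` and feed its lines to summarize().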
NamND
Participant

Hi The_Rock.

1) is it a CP to CP tunnel or 3rd party? -> 3rd party Cisco

2) permanent tunnel or regular? -> regular

3) what is configured for VPN domains? -> All IP Addresses behind Cluster Member based on Topology

4) any NAT going? -> No NAT

5) ikev1 or v2? -> ikev1

Also, did you do any tcpdumps or debugs? -> I have debugged VPN traffic, but it doesn't exist

Example (say peer is 1.2.3.4 IP)

[Expert@gw01:0]# vpn iked calc 192.168.45.2
vpn: valid 'iked' commands are: 'status', 'enable', 'disable'

I checked the VPN configuration on the gateway, but it seems it has not been installed from the SMC.

Thanks.

the_rock
Legend

Now that I came back from my exercise (I feel like I'm the only "genius" running at -5 C degrees haha), I feel energized, so let's see if we can get this fixed. Just working on some labs, so if you allow remote, message me offline, let's connect and we can do remote.

Best,

Andy

Btw, the first thing I would say that's wrong is your enc domain: you should always set a specific subnet/group, not the topology option.

the_rock
Legend

Nguyen and I just had a remote session and I could not even see phase 1 come up, so I asked him to verify the enc methods for phase 1, as well as the PSK, and update the thread. Alternatively, please run the debug I mentioned in one of my previous responses.

Best,

Andy

NamND
Participant

Hi The_Rock.

I have solved the problem exactly as you said and I have completed the Site to Site VPN configuration.

Right now VPN tunnel is up.

Thank you very much.

the_rock
Legend

Great job!

the_rock
Legend

Btw, just to help you even further next time if you have an issue with Cisco, below are some good commands on that end you can try:

***************************************************************

more system:running-config | beg tunnel-group x.x.x.x (to find the pre-shared key for a specific tunnel, where x.x.x.x is the 3rd party external IP)

ASA# sh run crypto map | beg x.x.x.x (peer IP)

debug vpn:

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs -> undebug all


Here are the commands that you need to apply in order to change an IP address of the IPSec site to site tunnel:


no crypto map <map-name> <sequence> set peer x.x.x.x

crypto map <map-name> <sequence> set peer <new peer IP>
