This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GG27
Contributor
‎2019-08-02 12:12 AM

VPN and DPD configuration

Hello

in according to the R80.10 VPN documentation, for enabling DPD as method for the permanent tunnel, I need to change the parameter tunnel_keepalive_method property for each gateway in the community.

With the statement "for each gateway in the community" means you have to perform the change at the remote peer object and at the CKP gateway object as well.

The same CKP gw object is used in other VPN community with permanent tunnel on but based on tunnel_test protocol because s2s with other CKP gateway.

I'm worried about the impact it could introduce.

My question is

   what happens if I will configure the parameter to DPD on ckpgw used in different community?

I'd like to know what is the permanent tunnel protocol used in the following scenario

ckpgw1 tunnel_keepalive_method: dpd

ckpgw2 tunnel_keepalive_method: tunnel_test

3rdgw1: dpd

VPN community1

   center gateway: ckpgw1

   satellite gateway: ckpgw2

   permanent tunnel: on all tunnels in the community

keepalive is based on .... (dpd/tunnel_test/not working)

VPN community2

   center gateway: ckpgw1

   satellite gateway: 3rdgw1

   permanent tunnel: on all tunnels in the community

keepalive is based on .... (dpd/tunnel_test/not working)

 

thank you in advanced

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2019-08-04 11:03 AM

My understanding is you only configure DPD on the gateway objects where DPD is actually required.
You do not need to configure your local object to use DPD.
See related discussion here: https://community.checkpoint.com/t5/General-Topics/Enable-DPD-on-R80-20/m-p/32605
0 Kudos
GG27
Contributor
‎2019-08-06 08:41 AM
In response to PhoneBoy

Thanks PhoneBoy

Just for starting, the discussion in the post https://community.checkpoint.com/t5/General-Topics/Enable-DPD-on-R80-20/m-p/32605 sounds related to DPD passive mode.

In my configuration I need Permanent Tunnel based on DPD mode and, in according to the guide sk108600 scenario 5, I have to switch to DPD event on my local gateway

Moreover I tried to investigate the configuration when DPD is enabled on remote peer object and not in local object and when it configured on both object.

in the first testing scenario the packtet was tunnel_test; while the 2nd scenario the packet is DPD.

 

0 Kudos