This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ReinhardS
Explorer
‎2023-04-20 01:47 AM
Jump to solution

VPN behavior question: Break-before-make / Make-before-break

Hi,

a customer asks how check point handles this behavior that you can configure with cisco or strongwan:

 

Break-before-make

This is the default behavior of the IKE daemon when reauthenticating an IKEv2 SA. It means that all IKE_SAs and CHILD SAs are torn down before recreating them. This will cause some interruptions during which no IPsec SAs are installed. If trap policies are used it could also trigger unnecessary acquires and hence duplicate IPsec SAs during that downtime. To prevent plaintext traffic from leaving the host appropriate firewall rules or drop policies may be used.

Make-before-break

This method first creates duplicates of the IKE SAs and all CHILD SAs overlapping with the existing ones and then deletes the old ones. This avoids interruptions but requires that both peers can handle overlapping SAs (e.g. in regards to virtual IPs, duplicate policies or updown scripts). It is supported for IKEv2 since version 5.3.0 but is disabled by default and may be enabled by explicitly setting


Any information available on that?

thanks

reinhard

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-04-21 01:07 PM
Jump to solution

This SK suggests we are using Break Before Make: https://support.checkpoint.com/results/sk/sk171756 

View solution in original post

(1)
2 Replies
PhoneBoy
Admin
Admin
‎2023-04-21 01:07 PM
Jump to solution

This SK suggests we are using Break Before Make: https://support.checkpoint.com/results/sk/sk171756 

(1)
the_rock
Legend
Legend
‎2023-04-21 01:28 PM
Jump to solution

Thats superb question...I had guy dealing with Cisco ask that once when we were with escalation guy from CP trying to fix CP-Cisco VPN and what @PhoneBoy said was indeed the right assesment. Esc. guy gave that exact same sk.

Have an awesome weekend! 

SkodagramKaroqGIF.gif

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events