I'm in the process of trying to set up an IPSec VPN between two Security Gateways that are managed by a single Security Management Server. The catch is that one of the Security Gateways is in AWS. The current error I am getting is the following:
Auth exchange: Received notification from peer: Authentication failed MyAuthMethod: Certificates
The interesting part is, I have it set up to only use PSKs in the community. I have also gone into the Security Gateway Properties --> IPSec VPN --> Traditional mode configuration --> unchecked Public Key Signatures and checked Pre-Shared Secrets. I also specified the PSKs in the "Edit Secrets" menu.
Gateway STLFW01 is R81 with no JHF (I plan to fix this soon)
Gateway ParisFW01 is R80.30 with JHF 236. (This is the AWS Security Gateway)
Since the Paris Security Gateway is in AWS, I have also configured route tables as follows:
- Traffic going to the private networks is to go to the security gateway. This is only associated with the AWS internet gateway.
- Traffic going to the private networks from the protected network (behind the security gateway) is to be directed to the Security Gateway. This is only associated with the protected network subnet.
- Traffic from the security gateway going to 0.0.0.0/0 is to go to the internet gateway. This is only associated with the network between the security gateway and the AWS internet gateway (we are calling this the public DMZ).
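Added example, not the poster's own configuration: the three route tables described above expressed in Terraform, using aws_route_table_association with gateway_id for the Internet Gateway association (AWS VPC ingress routing). Every CIDR, resource name and ENI reference is a placeholder standing in for the Paris VPC's real objects.

```hcl
# Added example, not from the original post. All CIDRs, resource names and
# ENI references are placeholders for the real Paris VPC objects.
locals { private_network_cidrs = ["10.10.0.0/16"] } # placeholder for "the private networks"

# 1. Edge route table: associated only with the Internet Gateway (ingress
#    routing), so traffic arriving for the private networks goes to the gateway.
resource "aws_route_table" "edge" {
  vpc_id = aws_vpc.paris.id
}
resource "aws_route" "edge_to_gw" {
  for_each               = toset(local.private_network_cidrs)
  route_table_id         = aws_route_table.edge.id
  destination_cidr_block = each.value
  network_interface_id   = aws_network_interface.chkp_external.id # gateway's DMZ-side ENI
}
resource "aws_route_table_association" "edge_igw" {
  gateway_id     = aws_internet_gateway.paris.id
  route_table_id = aws_route_table.edge.id
}

# 2. Protected-subnet route table: associated only with the protected subnet,
#    sending traffic for the private networks to the gateway's internal ENI.
resource "aws_route_table" "protected" {
  vpc_id = aws_vpc.paris.id
}
resource "aws_route" "protected_to_gw" {
  for_each               = toset(local.private_network_cidrs)
  route_table_id         = aws_route_table.protected.id
  destination_cidr_block = each.value
  network_interface_id   = aws_network_interface.chkp_internal.id # gateway's inside ENI
}
resource "aws_route_table_association" "protected_subnet" {
  subnet_id      = aws_subnet.protected.id
  route_table_id = aws_route_table.protected.id
}

# 3. Public-DMZ route table: associated only with the subnet between the
#    gateway and the Internet Gateway; the default route goes to the IGW.
resource "aws_route_table" "public_dmz" {
  vpc_id = aws_vpc.paris.id
}
resource "aws_route" "dmz_default" {
  route_table_id         = aws_route_table.public_dmz.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.paris.id
}
resource "aws_route_table_association" "dmz_subnet" {
  subnet_id      = aws_subnet.public_dmz.id
  route_table_id = aws_route_table.public_dmz.id
}
```

Routes that target the gateway's ENIs only forward if source/destination checking is disabled on those interfaces (source_dest_check = false on each aws_network_interface), which is worth verifying when traffic silently disappears.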
One item that is strange with AWS is that since the Check Point firewall can't have a leg on the internet, I have to choose the link address for the IPSec VPN to manually be the actual public IP. If I choose the private IP and expect the AWS Internet Gateway to NAT it, the traffic from STLFW01 will time out completely.