This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ana_11
Participant
‎2020-04-23 08:50 AM

site to site vpn tunnel

Hello Team,

I have a query. today my one of the working site to site vpn tunnel went down. while troubleshooting i found that phase 1 was down  and it was getting failed on main mode packet 5. So i have reset the pre-shared key. And the tunnel came up. So my query is without making any changes what could be the possible reason of this changes. 

there were no changes made on the gateway

OS version. R80.20

jumbo hotfix take_118

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2020-04-25 07:13 PM

I assume after you reset the pre-shared secret you pushed policy.
That means either the pre-shares secret was wrong OR there is some other issue that was solved by doing a policy push.
0 Kudos
Ana_11
Participant
‎2020-04-25 09:24 PM
In response to PhoneBoy

Yes it did resolve the issue. but i want to know what could be the possibility of encryption getting failed in main mode packet 5(without making any changes). how to find the RCA, I am not able to find to any checkpoint SK.
tunnel is between checkpoint to checkpoint
0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2020-04-26 05:16 AM
In response to Ana_11

IKE Phase 1 packet 5 is where the peers switch over to NAT-T if intervening NAT has been detected between them, did that happen?

If the shared secret was really wrong you should have seen a "payload malformed" message on one side or the other, if you didn't see that then the PSK was not the problem.

By default pushing policy clears all IKE Phase 1 SAs and forces them to renegotiate which is probably what fixed the tunnel.

Check that your IKE Phase 1 and IPSec Phase 2 lifetimes match.

Since you say your peer is another Check Point, if this keeps happening I'd recommend enabling Permanent Tunnels on both ends so that the VPN will recover itself within 60 seconds or so should this situation happen again.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top