This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ricki_Juntak
Participant
‎2022-04-10 10:41 PM
Jump to solution

vpn tu tlist

Hi Checkmates,

 

Can you help me how to configure the tunnel expiration on the capture have 1 hour and what the purpose off the tunnel created and tunnel expiration?

 

 

[Expert@Internal-GW:0]# vpn tu tlist
+-----------------------------------------+-----------------------+---------------------+
| Peer: 172.16.10.1 (cd6b8f0973d32146) | MSA: ffffc9001f624410 | i: 0 ref: -- 45/60 |
| Client public IP: 203.0.113.200 | | i: 1 ref: 4 |
| Authenticated at: Apr 11 01:36:22 | | i: 2 ref: -- 46/60 |
| Methods: ESP Tunnel 3DES SHA1 | | |
| My TS: 0.0.0.0/0 | | |
| Peer TS: 172.16.10.1 | | |
| User: test | | |
| MSPI: 800005 (i: 1, p: 0) | Out SPI: 6980210e | |
| Tunnel created: Apr 11 01:36:22 | NAT-T | |
| Tunnel expiration: Apr 11 02:36:22 | | |
+-----------------------------------------+-----------------------+---------------------+

(0) Site-to-Site tunnels are up:
IPSEC 0
NAT-T 0

(1) Number of Active Clients:
NAT-T 1
Visitor Mode 0
SSL 0

0 Kudos
1 Solution

Accepted Solutions
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-04-14 01:48 AM
In response to Ricki_Juntak
Jump to solution

As this is standard, it is the same for all vendors: https://en.wikipedia.org/wiki/Internet_Key_Exchange

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

View solution in original post

0 Kudos
(1)
8 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-04-11 01:54 AM
Jump to solution

sk104760: ATRG: VPN Core

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Ricki_Juntak
Participant
‎2022-04-11 03:06 AM
In response to G_W_Albrecht
Jump to solution

Thanks Albrecht,

 

I have read the SK and confused to read the SK because I cant find mention about tunnel_expiration and tunnel created

I have try on the lab-> using checkmate lab,

I try to find the configuration for tunnel created and tunnel expiration and I try to change the vpn_table.def on SMS(r81.10)

#define ISAKMP_TABLE_TIMEOUT 3600 --> change to 300
#define SPI_TABLE_TIMEOUT 3600 --> change to 300
#define IKE_SA_TABLE_TIMEOUT 3600 -> cahnge to 300

after change, push policy.

but the result is same duration for tunnel still 1 hour.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-04-11 11:30 PM
In response to Ricki_Juntak
Jump to solution

IKE_SA_table
  • Contains information about all ISAKMP SAs.
  • Entries from this table are used to conduct IKE Quick Mode negotiation of IPsec SA.
  • Entries are extracted from this table when the vpnd daemon is trapped for IPsec SA renewal.
  • Default expiration time is 3600 seconds.= 1 hour !
  • Synchronized in cluster.
  • Table entry is:
    either
    <Peer_IP ,0 , CookieI, CookieR; IKE_SA, IKE_SA_flag, RenegotiationTime; Timeout>
    or
    <Peer_IP, 0; IKE_SA, CookieI, CookieR, IKE_SA_flag, RenegotiationTime; Timeout>
    where:
    • Peer_IP - IP address of IKE peer
    • CookieI - initiator cookie (8 bytes in host byte order)
    • CookieR - responder cookie (8 bytes in host byte order)
    • IKE_SA - ISAKMP SA data in Check Point code
    • IKE_SA_flag - one of these values: 0x01=mobile, 0x02=initiator, 0x03=DAIP
    • RenegotiationTime - The renegotiation time of the SA
    • Timeout - How much time remained to expiration time
CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Ricki_Juntak
Participant
‎2022-04-12 12:01 AM
In response to G_W_Albrecht
Jump to solution

Thanks Albrecht,

 

I'm using remote access community, its possible to set the duration tunnel created and tunnel created?

if renegotiation expired what happen with the connection is re-establish?

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-04-12 01:26 AM
In response to Ricki_Juntak
Jump to solution

Every hour, renegotiation of IPsec SA happens.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Ricki_Juntak
Participant
‎2022-04-13 08:19 PM
In response to G_W_Albrecht
Jump to solution

Thanks ALbrecht,

in the process renegotiation IPsec SA status connection is always establish right? not interrupt the traffic?

can you share the document about renegotiation IPsec SA on CheckPoint.

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-04-14 01:48 AM
In response to Ricki_Juntak
Jump to solution

As this is standard, it is the same for all vendors: https://en.wikipedia.org/wiki/Internet_Key_Exchange

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
(1)
Ricki_Juntak
Participant
‎2022-04-25 06:04 AM
In response to G_W_Albrecht
Jump to solution

Thanks Albrecht

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events