net-harry
Collaborator

VPN between Check Point and Palo Alto - Configure passive mode

Hi,

We have an issue with a VPN tunnel to a Palo Alto firewall. The IPSec renegotiation is sometimes initiated by both peers at the same time, causing the tunnel to be down for one hour until the next renegotiation.

In order to solve this we would like to set one peer in passive mode, so the other side always initiates the renegotiation. Is this possible to do on the Check Point VPN gateway?

We are running R77.30 on this gateway cluster.

Thanks for your help!

Harry

7 Replies
G_W_Albrecht
Legend

R77.30 is out of support since September...

CCSE CCTE CCSM SMB Specialist
net-harry
Collaborator

I am aware that it is out-of-support and we plan to upgrade the gateways to R80.20 soon. I would still like to know if it is possible to configure the security gateway as passive (either in R77.30 or R80.20).
Thanks for your help!
_Val_
Admin

@net-harry Check Point VPN GW will try to open a tunnel whenever some traffic is being sent to the remote VPN domain.
Also, it is unclear to me why simultaneous negotiations should fail if both VPN peers are trying to do IKE. One of the IKE SAs should be complete and work anyway. I would recommend looking into some mis-config on the PAN side. There must be something wrong there, this is not a normal IPsec behaviour.

net-harry
Collaborator

Thanks for the information! I agree that it looks like a bug on the Palo Alto side and their engineers are troubleshooting this. On Palo Alto they are able to configure passive, so I just wanted to check if this was possible on the Check Point side too. I noticed that a similar question was posted in the following thread:

https://community.checkpoint.com/t5/Access-Control-Products/Checkpoint-VPN-as-responder-only/m-p/643...

_Val_
Admin

If you set PAN for passive, there is still a chance that traffic might be originated from the remote VPN site. To tackle this, set the Check Point VPN GW with a permanent tunnel. This way, it will keep the tunnel up, actively requesting IKE when there is no SA or the last one expired.

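The simultaneous-renegotiation symptom from the question, as an added detection example that is not from this thread, Check Point or Palo Alto: it parses constructed, simplified rekey log lines (the line format, gateway names and addresses are assumptions) and flags rekeys where both peers acted as IKE initiator within a few seconds of each other, which is the condition worth alerting on before the tunnel stays down until the next lifetime expiry.

```python
# Added example (not from the thread): flag IKE rekeys where both VPN peers
# acted as initiator at nearly the same time. The log format, gateway names
# and peer addresses below are constructed; real Check Point / PAN logs differ.
from datetime import datetime

# Constructed sample lines: "<ISO time> <gateway> <role> rekey peer=<ip>".
# The 09:00:01 pair is a collision: both sides initiated in the same second.
SAMPLE_LOG = """\
2020-01-10T08:00:00 cp-gw initiator rekey peer=203.0.113.20
2020-01-10T08:00:02 pan-fw responder rekey peer=198.51.100.10
2020-01-10T09:00:01 cp-gw initiator rekey peer=203.0.113.20
2020-01-10T09:00:01 pan-fw initiator rekey peer=198.51.100.10
2020-01-10T10:00:00 pan-fw initiator rekey peer=198.51.100.10
2020-01-10T10:00:01 cp-gw responder rekey peer=203.0.113.20
"""


def parse_log(text):
    """Return (time, gateway, role) tuples for rekey lines, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[3] != "rekey":
            continue  # ignore lines that are not rekey events
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(events)


def find_collisions(events, window_seconds=5):
    """Return (time_a, time_b) pairs where two different gateways both
    initiated a rekey within window_seconds of each other."""
    initiators = [e for e in events if e[2] == "initiator"]
    collisions = []
    for i, (ta, gw_a, _) in enumerate(initiators):
        for tb, gw_b, _ in initiators[i + 1:]:
            if (tb - ta).total_seconds() > window_seconds:
                break  # list is sorted, later entries are further away
            if gw_b != gw_a:
                collisions.append((ta, tb))
    return collisions


def collisions_in_sample():
    return find_collisions(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ta, tb in collisions_in_sample():
        print(f"rekey collision: both peers initiated at {ta} / {tb}")
```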
net-harry
Collaborator

Thanks for the suggestions!

_Val_
Admin

@G_W_Albrecht, one can extend R77.30 support with an additional premium on top of the support contract, if required. Also, there are other special cases where R77.30 support might be prolonged.
