dlusk
Participant

VPN with Two GWs Managed by One SMS - One GW is in AWS

Jump to solution

I'm in the process of trying to set up an IPSec VPN between two Security Gateways that are managed by a single Security Management Server. The catch is that one of the Security Gateways is in AWS. The current error I am getting is the following:

Auth exchange: Received notification from peer: Authentication failed MyAuthMethod: Certificates

VPN_Error_2022-02-04.png

The interesting part is, I have it set up to only use PSKs in the community. I have also gone into the Security Gateway Properties --> IPSec VPN --> Traditional mode configuration --> unchecked Public Key Signatures and checked Pre-Shared Secrets. I also specified the PSKs in the "Edit Secrets" menu.

Gateway STLFW01 is R81 with no JHF (I plan to fix this soon)
Gateway ParisFW01 is R80.30 with JHF 236. (This is the AWS Security Gateway)

Since the Paris Security Gateway is in AWS, I have also configured route tables as follows:
- Traffic going to the private networks is to go to the security gateway. This is only associated with the AWS internet gateway.
- Traffic going from the private networks going from the protected network (behind the security gateway) is to be directed to the Security Gateway. This is only associated with the protected network subnet.
- Traffic from the security gateway going to 0.0.0.0/0 is to go to the internet gateway. This is only associated with the network between the security gateway and the AWS internet gateway (we are calling this the public DMZ)

One item that is strange with AWS is that since the Check Point firewall can't have a leg on the internet, I have to choose the link address for the IPSec VPN to manually be the actual public IP. If I choose the private IP and expect the AWS Internet Gateway to NAT it, the traffic from STLFW01 will time out completely.

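The three route tables described in the post, written out as an added Terraform example (this is not configuration from the original post or from Check Point; the VPC, the two subnets, the EIP on the outside interface and the resource names are assumed):

```terraform
# Added example (not from the original post). Assumed to exist elsewhere: aws_vpc.main,
# aws_subnet.dmz (public DMZ), aws_subnet.protected, and an EIP on the outside ENI
# (the IGW does 1:1 NAT, which is why link selection must use the public address).
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.main.id }
# Gateway ENIs: source/dest check off, otherwise AWS drops forwarded packets.
resource "aws_network_interface" "gw_outside" {
  subnet_id         = aws_subnet.dmz.id
  source_dest_check = false
}
resource "aws_network_interface" "gw_inside" {
  subnet_id         = aws_subnet.protected.id
  source_dest_check = false
}
# 1) Edge route table associated with the IGW: inbound traffic for the
#    protected subnet is handed to the gateway's outside ENI.
resource "aws_route_table" "igw_ingress" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block           = aws_subnet.protected.cidr_block
    network_interface_id = aws_network_interface.gw_outside.id
  }
}
resource "aws_route_table_association" "igw_ingress" {
  gateway_id     = aws_internet_gateway.igw.id
  route_table_id = aws_route_table.igw_ingress.id
}
# 2) Protected subnet: all egress goes to the gateway's inside ENI.
resource "aws_route_table" "protected" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = aws_network_interface.gw_inside.id
  }
}
resource "aws_route_table_association" "protected" {
  subnet_id      = aws_subnet.protected.id
  route_table_id = aws_route_table.protected.id
}
# 3) Public DMZ subnet: the gateway's default route goes to the IGW.
resource "aws_route_table" "dmz" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "dmz" {
  subnet_id      = aws_subnet.dmz.id
  route_table_id = aws_route_table.dmz.id
}
```

The edge association (route table attached to the IGW) is what lets inbound packets for the protected subnet reach the gateway's outside interface instead of being delivered directly; the management connection from the SMS still has to be NATed separately, as the accepted answer notes.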

Accepted Solutions
dlusk
Participant

I figured out this issue, but I am now at another issue, which I may put out a new post about. This was my first time having an SMS manage a gateway that is not on the same local network. I had to go to the SMS properties, go to the NAT tab, check the box to "Apply for Security Gateway control connections," and select the "Install on Gateway" relevant security gateway.

VPN_Error_Fix_2022-02-07.png

My new issue that will not be the topic of this post is that the VPN gateways are complaining about "Quick Mode Sent Notification: invalid key information."
