Trouble setting up Proxy ID's for a S2S with a Checkpoint peer and continuous rekeys

Bart_Calmeyn — Wed, 25 Sep 2024 06:42:11 GMT

Hello,

I'm quite new to PA and not much firewall experience.

We are having trouble with a S2S VPN with a partner who has a Checkpoint FW. The clients are on our side, the server is on their side.

What I see in our logs are constant rekeys for the IKEV2 tunnel every 2-3 seconds:

ipsec-key-expire
ikev2-send-p2-delete
ipsec-key-delete
ikev2-nego-child-start
ipsec-key-install
ikev2-nego-child-succ

Proxy ID's are set up like this:

If I run this is CLI: show vpn ike-sa detail gateway

I get this output:

Child SA 2035428:
Tunnel 2 TUNNEL_To_Partner:PID2
Type: ESP Resp
State: Mature
Message ID: 000027BD
Parent SN: 3948
SPI: BA19115F : CA352900 <= ESP: E485B975
Algorithm: AES256/SHA256/DH14
TS local: Proto:any, 172.17.110.99-172.17.110.99, Ports:any
TS remote: Proto:any, 172.20.2.160-172.20.2.175, Ports:any
Created: Sep.24 15:36:53, 12 minutes 19 seconds ago
Expires: Sep.24 16:36:53, rekey in 37 minutes 34 seconds (2993 sec)

Child SA 2035924:
Tunnel 3 TUNNEL_To_Partner:PID3
Type: ESP Resp
State: Mature
Message ID: 000028B7
Parent SN: 3948
SPI: F25D7BD6 : D8D84325 <= ESP: 713CB68D
Algorithm: AES256/SHA256/DH14
TS local: Proto:any, 172.17.112.0-172.17.112.255, Ports:any
TS remote: Proto:any, 172.20.2.160-172.20.2.175, Ports:any
Created: Sep.24 15:46:46, 2 minutes 26 seconds ago
Expires: Sep.24 16:46:46, rekey in 48 minutes 19 seconds (3045 sec)

Child SA 2036040:
Tunnel 1 TUNNEL_To_Partner:PID1
Type: ESP Resp
State: Expired
Message ID: 000028F2
Parent SN: 3948
SPI: 845D756C : 33FE5E08
Algorithm: AES256/SHA256/DH14
TS local: Proto:any, 10.150.0.0-10.150.7.255, Ports:any
TS remote: Proto:any, 172.20.2.0-172.20.2.255, Ports:any
Created: Sep.24 15:49:08, 4 seconds ago
Expires: Sep.24 16:49:08, rekey in 49 minutes 57 seconds (3001 sec)

Child SA 2036042:
Tunnel 1 TUNNEL_To_Partner:PID1
Type: ESP Resp
State: Mature
Message ID: 000028F3
Parent SN: 3948
SPI: D04D11A8 : D1CE9B22
Algorithm: AES256/SHA256/DH14
TS local: Proto:any, 10.150.0.0-10.150.7.255, Ports:any
TS remote: Proto:any, 172.20.2.160-172.20.2.175, Ports:any
Created: Sep.24 15:49:10, 2 seconds ago
Expires: Sep.24 16:49:10, rekey in 51 minutes 24 seconds (3086 sec)

Child SA 2036044:
Tunnel 1 TUNNEL_To_Partner:PID1
Type: ESP Resp
State: Mature
Message ID: 000028F4
Parent SN: 3948
SPI: 94F129BA : 272CD454
Algorithm: AES256/SHA256/DH14
TS local: Proto:any, 10.150.0.0-10.150.7.255, Ports:any
TS remote: Proto:any, 172.20.2.0-172.20.2.255, Ports:any
Created: Sep.24 15:49:12, 0 second ago
Expires: Sep.24 16:49:12, rekey in 48 minutes 27 seconds (2907 sec)

So for PID1 I get multiple child SA's with sometimes different TS remote settings.

Is this a problem on the peer checkpoint side? I don't have access to the config there.

Re: Trouble setting up Proxy ID's for a S2S with a Checkpoint peer and continuous rekeys

Raido_Rattameister — Wed, 25 Sep 2024 12:53:28 GMT

"TS remote: Proto:any, 172.20.2.160-172.20.2.175, Ports:any" refers that remote site is not using mask /24 but /28 instead.

But it is not consistent. Some Proxy IDs show "TS remote: Proto:any, 172.20.2.0-172.20.2.255, Ports:any" referring to /24 mask.

topic Re: Trouble setting up Proxy ID's for a S2S with a Checkpoint peer and continuous rekeys in General Topics

Trouble setting up Proxy ID's for a S2S with a Checkpoint peer and continuous rekeys

Re: Trouble setting up Proxy ID's for a S2S with a Checkpoint peer and continuous rekeys