topic Ipsec VPN issue with checkpoint in General Topics

Ipsec VPN issue with checkpoint

Satish — Wed, 22 Jul 2015 15:51:26 GMT

Hi Friends,

We have an IPsec VPN tunnel configured with CheckPoint firewall.

Basically, when our Phase 1 expires after 24 hours, if a Phase 2 key is still within its 1 hour lifetime, we receive no response back.

Only after the Phase 2 key expires and a new Phase 1 SA is negotiated that we can pass traffic. This happens every day, exactly when Phase 1 expires:

Please suggest.

Regards

Satish

Re: Ipsec VPN issue with checkpoint

andreip — Wed, 22 Jul 2015 21:17:55 GMT

From CKPT's sk42315:

"Based on the IKE debug, see that after the Main Mode key negotiation, the 3rd party VPN device deletes the phase2 SPI, and similarly after the phase2 key negotiation, it deletes the SPI. This is due to a difference in how Check Point and some 3rd party peers handle phase2 keys after a phase1 renegotiation.

Check Point also deletes all phase2 keys for a specific phase1 SA after a phase1 renegotiation. Others continue to use the same phase2 keys until their normal expiry time. This causes something like a race condition where the tunnel will drop for about 10-15 minutes until the 2 peers can get SAs back in sync and the tunnel completes the negotiations.

Solution

This problem was fixed. The fix is included in: Check Point R77.10

Check Point recommends to always upgrade to the most recent version (upgrade Security Gateway).

For lower / other versions, modify the settings on the Check Point Security Gateway to be consistent with the 3rd party settings.

Proceed as follows: On the Check Point Security Gateway, run:

ckp_regedit -a SOFTWARE/CheckPoint/VPN1 DontDelIpsecSPI_OnP1Del -n 1

Run cpstop Run cpstart

Run the command cat HKLM_registry.data | grep DontDel from $CPDIR/registry and verify the output."

Re: Ipsec VPN issue with checkpoint

Satish — Thu, 23 Jul 2015 16:29:45 GMT

Hi Andreip,

we are already running R77.20.

Regards

Satish

Re: Ipsec VPN issue with checkpoint

andreip — Thu, 23 Jul 2015 21:45:39 GMT

Hi Satish,

Based on your previous discussions, I assume you already checked the DPD & tunnel monitoring on PANW side.

Cluster on CKPT side ?

To understand which side is persisting on using the expired P1 I would do it the hard way, disabling SecureXL & clearing P1 and running VPND under debug for a while (export TDERROR_ALL_ALL=5 && export VPND_DEBUG=1 && cpstop -fwflag -proc && cpstart) or plain vpn debug trunc & analysis in IKEView on CKPT side & correlating info with debug ike global on debug & tail follow yes mp-log ikemgr.log on PANW side.

Best regards,

andreip

Re: Ipsec VPN issue with checkpoint

glastra1 — Wed, 05 Aug 2015 21:48:18 GMT

Check logs on both sites during the rekey or down time. In checkpoint(cp) just filter by public IP address to see the rekeys in smarviewtracker, in PAN it's showed in the system logs subtype VPN.

Could be several things:

-Cp has support for DPD in your current version, try enabling/disabling DPD on both sites. In checkpoint you need to set up a 'Permanent tunnel'

-Proxy mismatch, checkpoint creates supernetting by default. The most easy thing is to select "One SA per gateway" under "Tunnel management" in your VPN community (checkpoint) and no using proxy-ID in your PA.

Give them a try but the logs will help you out. If that doesn't work try setting up debugs on both sides or opening a support case with the 'Responder' firewall vendor.

regards,