Trouble setting up Proxy ID's for a S2S with a Checkpoint peer and continuous rekeys


L0 Member

Hello,

I'm quite new to PA and don't have much firewall experience.

We are having trouble with a S2S VPN with a partner who has a Checkpoint FW. The clients are on our side, the server is on their side.

What I see in our logs are constant rekeys for the IKEV2 tunnel every 2-3 seconds:

 

ipsec-key-expire
ikev2-send-p2-delete
ipsec-key-delete
ikev2-nego-child-start
ipsec-key-install
ikev2-nego-child-succ

 

Proxy ID's are set up like this:

PID.jpg

 

If I run this in the CLI: show vpn ike-sa detail gateway

I get this output:

 

Child SA 2035428:
Tunnel 2 TUNNEL_To_Partner:PID2
Type: ESP Resp
State: Mature
Message ID: 000027BD
Parent SN: 3948
SPI: BA19115F : CA352900 <= ESP: E485B975
Algorithm: AES256/SHA256/DH14
TS local: Proto:any, 172.17.110.99-172.17.110.99, Ports:any
TS remote: Proto:any, 172.20.2.160-172.20.2.175, Ports:any
Created: Sep.24 15:36:53, 12 minutes 19 seconds ago
Expires: Sep.24 16:36:53, rekey in 37 minutes 34 seconds (2993 sec)

 

Child SA 2035924:
Tunnel 3 TUNNEL_To_Partner:PID3
Type: ESP Resp
State: Mature
Message ID: 000028B7
Parent SN: 3948
SPI: F25D7BD6 : D8D84325 <= ESP: 713CB68D
Algorithm: AES256/SHA256/DH14
TS local: Proto:any, 172.17.112.0-172.17.112.255, Ports:any
TS remote: Proto:any, 172.20.2.160-172.20.2.175, Ports:any
Created: Sep.24 15:46:46, 2 minutes 26 seconds ago
Expires: Sep.24 16:46:46, rekey in 48 minutes 19 seconds (3045 sec)

 

Child SA 2036040:
Tunnel 1 TUNNEL_To_Partner:PID1
Type: ESP Resp
State: Expired
Message ID: 000028F2
Parent SN: 3948
SPI: 845D756C : 33FE5E08
Algorithm: AES256/SHA256/DH14
TS local: Proto:any, 10.150.0.0-10.150.7.255, Ports:any
TS remote: Proto:any, 172.20.2.0-172.20.2.255, Ports:any
Created: Sep.24 15:49:08, 4 seconds ago
Expires: Sep.24 16:49:08, rekey in 49 minutes 57 seconds (3001 sec)

 

Child SA 2036042:
Tunnel 1 TUNNEL_To_Partner:PID1
Type: ESP Resp
State: Mature
Message ID: 000028F3
Parent SN: 3948
SPI: D04D11A8 : D1CE9B22
Algorithm: AES256/SHA256/DH14
TS local: Proto:any, 10.150.0.0-10.150.7.255, Ports:any
TS remote: Proto:any, 172.20.2.160-172.20.2.175, Ports:any
Created: Sep.24 15:49:10, 2 seconds ago
Expires: Sep.24 16:49:10, rekey in 51 minutes 24 seconds (3086 sec)

 

Child SA 2036044:
Tunnel 1 TUNNEL_To_Partner:PID1
Type: ESP Resp
State: Mature
Message ID: 000028F4
Parent SN: 3948
SPI: 94F129BA : 272CD454
Algorithm: AES256/SHA256/DH14
TS local: Proto:any, 10.150.0.0-10.150.7.255, Ports:any
TS remote: Proto:any, 172.20.2.0-172.20.2.255, Ports:any
Created: Sep.24 15:49:12, 0 second ago
Expires: Sep.24 16:49:12, rekey in 48 minutes 27 seconds (2907 sec)

 

So for PID1 I get multiple child SA's with sometimes different TS remote settings.

Is this a problem on the peer checkpoint side? I don't have access to the config there.


Cyber Elite

"TS remote: Proto:any, 172.20.2.160-172.20.2.175, Ports:any" indicates that the remote site is not using a /24 mask but a /28 instead.

But it is not consistent. Some Proxy IDs show "TS remote: Proto:any, 172.20.2.0-172.20.2.255, Ports:any", referring to a /24 mask.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
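
The check described in this thread can be scripted. This is an added example, not part of the original posts: it parses saved "show vpn ike-sa detail gateway" output, converts each traffic selector range to CIDR, and lists proxy IDs whose child SAs were negotiated with more than one selector pair. The function names are hypothetical and the sample is constructed from lines quoted in the question.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the output quoted in the question.
SAMPLE = """\
Child SA 2035428:
Tunnel 2 TUNNEL_To_Partner:PID2
TS local: Proto:any, 172.17.110.99-172.17.110.99, Ports:any
TS remote: Proto:any, 172.20.2.160-172.20.2.175, Ports:any
Child SA 2036040:
Tunnel 1 TUNNEL_To_Partner:PID1
TS local: Proto:any, 10.150.0.0-10.150.7.255, Ports:any
TS remote: Proto:any, 172.20.2.0-172.20.2.255, Ports:any
Child SA 2036042:
Tunnel 1 TUNNEL_To_Partner:PID1
TS local: Proto:any, 10.150.0.0-10.150.7.255, Ports:any
TS remote: Proto:any, 172.20.2.160-172.20.2.175, Ports:any
"""

TS_RE = re.compile(r"^TS (local|remote): Proto:\S+ ([\d.]+)-([\d.]+),")

def range_to_cidrs(first, last):
    """Inclusive address range -> the CIDR block(s) covering it exactly."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return tuple(str(n) for n in ipaddress.summarize_address_range(a, b))

def selectors_by_proxy_id(text):
    """Map 'tunnel:proxy-id' -> set of (local CIDRs, remote CIDRs) seen."""
    seen, name, local = defaultdict(set), None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Tunnel "):
            name = line.split()[-1]          # e.g. TUNNEL_To_Partner:PID1
        elif (m := TS_RE.match(line)):
            cidrs = range_to_cidrs(m.group(2), m.group(3))
            if m.group(1) == "local":
                local = cidrs                # paired with the next TS remote
            elif name is not None:
                seen[name].add((local, cidrs))
    return dict(seen)

def inconsistent(text):
    """Proxy IDs whose child SAs carry more than one selector pair."""
    pairs = selectors_by_proxy_id(text)
    return {k: sorted(v) for k, v in pairs.items() if len(v) > 1}

if __name__ == "__main__":
    print(inconsistent(SAMPLE))
```

On the sample, only PID1 is reported, with the remote selector appearing as both 172.20.2.0/24 and 172.20.2.160/28.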