CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: IPSec VPN - Site To Site - all sessions reset from time to time

  1. #1

    Hello all,
    I hope that you can help me with reconfiguring the IPsec VPN on my ClusterXL (R77.30).
    I have an IPsec VPN (Site to Site) with another company and I have an issue: from time to time (1-2 times per day) all sessions reset and all employees are disconnected for a moment.

    The network engineer from the external company said that his gateway (not Check Point) establishes the connection between his two hosts and my whole subnet, and suggested that I should change my settings, because my CP gateway establishes a separate connection/session from each of my hosts instead of from my subnet.

    I think he might be right, but I'm not sure how I should change my IPsec VPN settings.
    I've tried changing this option: "Control of number of VPN tunnels opened between peer Gateways" from "Open VPN tunnel per each pair of hosts" to "One VPN tunnel per subnet pair",
    but this caused a bigger issue, because then I couldn't start any new session.

    I would appreciate it if somebody could help me. Maybe in your opinion there is some other reason for my issue?
    Last edited by 4d4sk0; 1 Week Ago at 10:12.

  2. #2

    Quote Originally Posted by 4d4sk0:
    Hello all,
    I hope that you can help me with reconfiguring the IPsec VPN on my ClusterXL (R77.30).
    I have an IPsec VPN (Site to Site) with another company and I have an issue: from time to time (1-2 times per day) all sessions reset and all employees are disconnected for a moment.

    The network engineer from the external company said that his gateway (not Check Point) establishes the connection between his two hosts and my whole subnet, and suggested that I should change my settings, because my CP gateway establishes a separate connection/session from each of my hosts instead of from my subnet.

    I think he might be right, but I'm not sure how I should change my IPsec VPN settings.
    I've tried changing this option: "Control of number of VPN tunnels opened between peer Gateways" from "Open VPN tunnel per each pair of hosts" to "One VPN tunnel per subnet pair",
    but this caused a bigger issue, because then I couldn't start any new session.

    I would appreciate it if somebody could help me. Maybe in your opinion there is some other reason for my issue?

    This is tricky but can be solved. What vendor exactly does your VPN peer use? You had better ask him for the Phase 2 config; then we can act upon it.

  3. #3

    Quote Originally Posted by laf_c:
    This is tricky but can be solved. What vendor exactly does your VPN peer use? You had better ask him for the Phase 2 config; then we can act upon it.

    Thanks for the reply.
    It is a Cisco ASA. I don't have the config. I only have the parameters of the settings, such as the DH group and SA lifetime.

  4. #4

    Quote Originally Posted by 4d4sk0:
    Thanks for the reply.
    It is a Cisco ASA. I don't have the config. I only have the parameters of the settings, such as the DH group and SA lifetime.

    What is the ACL on the Cisco ASA? By that I mean the ACL that selects the traffic to be encrypted between the Cisco ASA and the Check Point.

    For example:

    crypto map ipsec 10 match address IPSec_Encryption
    crypto map ipsec 10 set peer 4.2.2.2
    crypto map ipsec 10 set ikev1 transform-set aes256
    crypto map ipsec 10 set security-association lifetime seconds 28800
    crypto map ipsec 10 set security-association lifetime kilobytes 4608000
    crypto map ipsec interface external

    access-list IPSec_Encryption extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
    access-list IPSec_Encryption extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0

  5. #5

    The engineer doesn't want to share the config, but it must be like your example. Could you help me based on your example? Only the lifetimes and the peer should be different.

    I'm sure that the access-lists look like this:
    access-list IPSec_Encryption extended permit ip host 10.10.10.100 192.168.80.0 255.255.255.0
    access-list IPSec_Encryption extended permit ip host 10.11.10.100 192.168.80.0 255.255.255.0

    and I have no idea how to set up the Check Point so that it establishes sessions this way:
    from 192.168.80.0/24 to 10.10.10.100
    from 192.168.80.0/24 to 10.11.10.100

    instead of:
    from 192.168.80.*/32 to 10.10.10.100
    from 192.168.80.*/32 to 10.11.10.100

    When I tried to change "Control of number of VPN tunnels opened between peer Gateways" from "Open VPN tunnel per each pair of hosts" to "One VPN tunnel per subnet pair",
    the Check Point tried to establish the session this way:
    from 192.168.80.0/24 to 10.11.0.0/16
    and of course no new session could be established.

  6. #6

    Quote Originally Posted by 4d4sk0:
    Only the lifetimes and the peer should be different.

    What do you mean by this? The lifetimes for both Phase I and Phase II must be identical on both sides. Is it confirmed that they are identical on both sides?

  7. #7

    I mean different from the lifetimes in your example :)
    Of course the lifetime is the same on both sides.

  8. #8

    Quote Originally Posted by 4d4sk0:
    I mean different from the lifetimes in your example :)
    Of course the lifetime is the same on both sides.

    I have not configured any VPN on Check Point in a year or so, so my memory is not very good.

    Did you use GUIdbedit to set the parameter ike_use_largest_possible_subnets from true to false?
    Last edited by cciesec2006; 2 Days Ago at 09:09.

  9. #9

    Quote Originally Posted by 4d4sk0:
    The engineer doesn't want to share the config, but it must be like your example. Could you help me based on your example? Only the lifetimes and the peer should be different.

    I'm sure that the access-lists look like this:
    access-list IPSec_Encryption extended permit ip host 10.10.10.100 192.168.80.0 255.255.255.0
    access-list IPSec_Encryption extended permit ip host 10.11.10.100 192.168.80.0 255.255.255.0

    and I have no idea how to set up the Check Point so that it establishes sessions this way:
    from 192.168.80.0/24 to 10.10.10.100
    from 192.168.80.0/24 to 10.11.10.100

    instead of:
    from 192.168.80.*/32 to 10.10.10.100
    from 192.168.80.*/32 to 10.11.10.100

    When I tried to change "Control of number of VPN tunnels opened between peer Gateways" from "Open VPN tunnel per each pair of hosts" to "One VPN tunnel per subnet pair",
    the Check Point tried to establish the session this way:
    from 192.168.80.0/24 to 10.11.0.0/16
    and of course no new session could be established.

    To override what the Check Point thinks it should send in the Phase 2 negotiation, edit the appropriate user.def file.
    sk98239 covers which file to use.
    sk108600 Section 1 covers how to force the correct subnet mask:

    subnet_for_range_and_peer = {
    <peerGW_IP, first_IP_in_range1, last_IP_in_range1; subnet_mask>,
    <peerGW_IP, first_IP_in_range2, last_IP_in_range2; subnet_mask>,
    ... ... ...
    <peerGW_IP, first_IP_in_rangeN, last_IP_in_rangeN; subnet_mask>
    };

    subnet_for_range_and_peer = {
    <2.2.2.2, 192.168.0.0, 192.168.1.255; 255.255.254.0>,
    <2.2.2.2, 10.10.0.0, 10.10.255.255; 255.255.0.0>
    };
    #endif /* __user_def__ */

    This would say: when building a VPN to 2.2.2.2, use the netmasks 192.168.0.0/23 and 10.10.0.0/16 towards the 3rd party.
    Last edited by laf_c; 13 Hours Ago at 02:32.
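The proxy-ID mismatch that runs through posts #5 and #9 can be reproduced offline. The following is an added illustration, not code from the thread, from Check Point or from Cisco. It models three ways the Check Point side can pick Phase 2 identities (one tunnel per host pair; one tunnel per subnet pair, widening each host to the encryption-domain object that contains it; and one tunnel per subnet pair with a range-to-mask table in the shape of the subnet_for_range_and_peer entries quoted above) and checks each proposal against the ASA crypto ACL posted in #5. Assumptions made for the model, and labelled in the code: the ASA as responder accepts a proposal only when it fits inside one ACL line, the Check Point remote VPN domain was defined as two /16 networks (the only way a 10.11.0.0/16 proposal arises from the posted addressing), the range-to-mask table is applied to both sides of the tunnel, and the local host 192.168.80.15 is constructed.

```python
"""Phase 2 proxy-ID model for a Check Point <-> Cisco ASA site-to-site VPN.

Added illustration, not vendor code. Simplifying assumptions:
  * ASA (responder) accepts a proposed (local, remote) pair only when the pair
    fits inside one line of its crypto ACL.
  * "One tunnel per subnet pair" widens a host to the encryption-domain object
    that contains it; that is how a /16 gets proposed for one remote host.
  * A (first_ip, last_ip, mask) table in the shape of subnet_for_range_and_peer
    overrides that widening on both sides of the tunnel (assumption).
"""
from ipaddress import ip_address, ip_network

# Check Point side, from the thread's addressing.
CP_LOCAL_DOMAIN = [ip_network("192.168.80.0/24")]
# Assumption: remote VPN domain defined as networks that contain the ASA hosts.
CP_REMOTE_DOMAIN = [ip_network("10.10.0.0/16"), ip_network("10.11.0.0/16")]
REMOTE_HOSTS = ["10.10.10.100", "10.11.10.100"]

# ASA crypto ACL from post #5 as (ASA-side source, Check Point-side destination).
ASA_ACL = [
    (ip_network("10.10.10.100/32"), ip_network("192.168.80.0/24")),
    (ip_network("10.11.10.100/32"), ip_network("192.168.80.0/24")),
]

# Constructed range -> mask table, same shape as subnet_for_range_and_peer.
FORCED_MASKS = [
    ("192.168.80.0", "192.168.80.255", "255.255.255.0"),
    ("10.10.10.100", "10.10.10.100", "255.255.255.255"),
    ("10.11.10.100", "10.11.10.100", "255.255.255.255"),
]


def host_net(ip):
    """A single host as a /32 network object."""
    return ip_network(f"{ip}/32")


def containing_object(host, domain):
    """'Largest possible subnet': the domain object that contains the host."""
    for net in domain:
        if host.subnet_of(net):
            return net
    return host


def forced_net(host, table):
    """Apply the range -> mask table; None when the host is in no range."""
    addr = host.network_address
    for first, last, mask in table:
        if ip_address(first) <= addr <= ip_address(last):
            return ip_network(f"{addr}/{mask}", strict=False)
    return None


def cp_proposal(mode, local_ip, remote_ip):
    """Phase 2 identities the Check Point proposes for one flow."""
    local, remote = host_net(local_ip), host_net(remote_ip)
    if mode == "per_host_pair":
        return local, remote
    if mode == "per_subnet_pair":
        return (containing_object(local, CP_LOCAL_DOMAIN),
                containing_object(remote, CP_REMOTE_DOMAIN))
    if mode == "per_subnet_pair_forced":
        return (forced_net(local, FORCED_MASKS) or local,
                forced_net(remote, FORCED_MASKS) or remote)
    raise ValueError(f"unknown mode {mode!r}")


def asa_accepts(local, remote):
    """Responder check (assumption): proposal must fit inside one ACL line.
    The ACL source is the ASA's local side, i.e. the Check Point's remote."""
    return any(remote.subnet_of(src) and local.subnet_of(dst)
               for src, dst in ASA_ACL)


def evaluate(mode, local_ip="192.168.80.15", remote_ip="10.11.10.100"):
    """(proposed local, proposed remote, accepted by the ASA) for one flow."""
    local, remote = cp_proposal(mode, local_ip, remote_ip)
    return str(local), str(remote), asa_accepts(local, remote)


def distinct_sas(mode):
    """Distinct Phase 2 SAs needed for every local host to reach both remote
    hosts; each SA carries its own lifetime and rekey."""
    pairs = set()
    for local_ip in CP_LOCAL_DOMAIN[0].hosts():
        for remote_ip in REMOTE_HOSTS:
            pairs.add(cp_proposal(mode, str(local_ip), remote_ip))
    return len(pairs)


if __name__ == "__main__":
    for mode in ("per_host_pair", "per_subnet_pair", "per_subnet_pair_forced"):
        print(f"{mode:24s} {evaluate(mode)}  SAs needed: {distinct_sas(mode)}")
```

Running it shows the three outcomes from the thread side by side: host pairs are accepted but need 508 separate SAs for a /24 talking to two hosts, the widened 192.168.80.0/24 to 10.11.0.0/16 proposal is rejected because it is wider than any ACL line, and the forced /24 to /32 pair is accepted with only two SAs. The model does not explain the periodic resets the original post asks about, which the thread leaves open; it only shows what the peer will and will not accept, and how many SAs each setting multiplies the rekeys by.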
