CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Thread: IPSec VPN - Site To Site - all session resets time to time

  1. #1
    Join Date 2017-10-12 | Posts 3 | Rep Power 0

    IPSec VPN - Site To Site - all session resets time to time

    Hello all,
    I hope that you can help me with reconfiguring the IPsec VPN in my ClusterXL (R77.30).
    I have an IPsec site-to-site VPN with another company and I have an issue: from time to time (1-2 times per day) all sessions reset and all employees are disconnected for a moment.

    The network engineer from the external company said that his gateway (not Check Point) establishes a connection between his two hosts and my whole subnet, and suggested that I should change my settings because my CP gateway establishes a separate connection/session from each of my hosts instead of from my subnet.

    I think that he might be right, but I'm not sure how I should change my IPsec VPN settings.
    I've tried changing this option: "Control of number of VPN tunnels opened between peer Gateways" from "Open VPN tunnel per each pair of hosts" to "One VPN tunnel per subnet pair",
    but this caused a bigger issue because then I couldn't start any new session.

    I would appreciate it if somebody can help me. Maybe in your opinion there is some other reason for my issue?
    Last edited by 4d4sk0; 4 Days Ago at 10:12.

  2. #2
    Join Date 2013-09-25 | Location Bucharest | Posts 611 | Rep Power 5

    Re: IPSec VPN - Site To Site - all session resets time to time

    Quote Originally Posted by 4d4sk0 (post #1, quoted in full)
    This is tricky but can be solved. What vendor exactly does your VPN peer use? You had better ask him for the Phase 2 config; then we can act upon it.

  3. #3
    Join Date 2017-10-12 | Posts 3 | Rep Power 0

    Re: IPSec VPN - Site To Site - all session resets time to time

    Quote Originally Posted by laf_c
    This is tricky but can be solved. What vendor exactly does your VPN peer use? You had better ask him for the Phase 2 config; then we can act upon it.
    Thanks for the reply.
    This is a Cisco ASA; I don't have the config. I only have the settings parameters, like DH group and SA lifetime.

  4. #4
    Join Date 2006-09-26 | Posts 3,018 | Rep Power 15

    Re: IPSec VPN - Site To Site - all session resets time to time

    Quote Originally Posted by 4d4sk0
    Thanks for the reply.
    This is a Cisco ASA; I don't have the config. I only have the settings parameters, like DH group and SA lifetime.
    What is the ACL on the Cisco ASA? By that I mean the ACL that selects the traffic to be encrypted between the Cisco ASA and Check Point?

    For example:

    crypto map ipsec 10 match address IPSec_Encryption
    crypto map ipsec 10 set peer 4.2.2.2
    crypto map ipsec 10 set ikev1 transform-set aes256
    crypto map ipsec 10 set security-association lifetime seconds 28800
    crypto map ipsec 10 set security-association lifetime kilobytes 4608000
    crypto map ipsec interface external

    access-list IPSec_Encryption extended permit ip host 192.168.1.1 172.16.1.0 255.255.255.0
    access-list IPSec_Encryption extended permit ip host 192.168.1.2 172.16.1.0 255.255.255.0

  5. #5
    Join Date 2017-10-12 | Posts 3 | Rep Power 0

    Re: IPSec VPN - Site To Site - all session resets time to time

    The engineer doesn't want to share the config, but it must be like your example. Could you help me based on your example? Only the lifetimes and the peer should be different.

    I'm sure that the access-lists look like this:
    access-list IPSec_Encryption extended permit ip host 10.10.10.100 192.168.80.0 255.255.255.0
    access-list IPSec_Encryption extended permit ip host 10.11.10.100 192.168.80.0 255.255.255.0

    and I have no idea how to set up Check Point so that it starts establishing sessions this way:
    from 192.168.80.0/24 to 10.10.10.100
    from 192.168.80.0/24 to 10.11.10.100

    instead of:
    from 192.168.80.*/32 to 10.10.10.100
    from 192.168.80.*/32 to 10.11.10.100

    When I tried to change "Control of number of VPN tunnels opened between peer Gateways" from "Open VPN tunnel per each pair of hosts" to "One VPN tunnel per subnet pair",
    Check Point tried to establish the session this way:
    from 192.168.80.0/24 to 10.11.0.0/16
    and of course no new session could be established.
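
The mismatch described in this post, modelled as an added example (not code from the thread or from Check Point/Cisco): it builds the Phase 2 proxy IDs Check Point would offer under the two "Control of number of VPN tunnels" options and checks them against the crypto ACL lines quoted above. It assumes the ASA accepts a proposal only when both proxy IDs fit inside one ACL line (narrower is fine, wider is rejected), which is what the post observed, and it goes one step beyond the thread by also evaluating a hypothetical peer encryption domain made of the two ACL hosts instead of a /16.

```python
import ipaddress

def net(s):
    return ipaddress.ip_network(s, strict=False)

# Constructed from post #5: ASA crypto ACL lines as (ASA-side host, Check Point-side subnet).
ASA_CRYPTO_ACL = [(net("10.10.10.100/32"), net("192.168.80.0/24")),
                  (net("10.11.10.100/32"), net("192.168.80.0/24"))]

def asa_accepts(proposal, acl=ASA_CRYPTO_ACL):
    """Assumed responder check: both proxy IDs must fit within a single ACL line.
    A proposal wider than any line (e.g. a /16 against a host entry) is rejected."""
    cp_side, asa_side = proposal
    return any(cp_side.subnet_of(cp_net) and asa_side.subnet_of(asa_net)
               for asa_net, cp_net in acl)

def containing(domain, host):
    """The encryption-domain network holding this host, or None if it is outside."""
    return next((n for n in domain if host in n), None)

def checkpoint_proposal(mode, local_domain, peer_domain, src, dst):
    """Proxy IDs Check Point offers for a new flow src->dst under one tunnel-sharing mode."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if mode == "host_pair":      # "Open VPN tunnel per each pair of hosts": /32 <-> /32
        return (net(f"{src}/32"), net(f"{dst}/32"))
    if mode == "subnet_pair":    # "One VPN tunnel per subnet pair": domain net <-> domain net
        return (containing(local_domain, src), containing(peer_domain, dst))
    raise ValueError(f"unknown mode {mode}")

def tunnel_outcome(mode, local_domain, peer_domain, src, dst):
    """(local proxy ID, remote proxy ID, accepted by ASA) for one flow."""
    cp_side, asa_side = checkpoint_proposal(mode, local_domain, peer_domain, src, dst)
    if cp_side is None or asa_side is None:   # flow is outside the VPN domain: no tunnel at all
        return ("-", "-", False)
    return (str(cp_side), str(asa_side), asa_accepts((cp_side, asa_side)))

LOCAL = [net("192.168.80.0/24")]
PEER_AS_SUPERNET = [net("10.11.0.0/16")]                           # what post #5 saw proposed
PEER_AS_HOSTS = [net("10.10.10.100/32"), net("10.11.10.100/32")]   # hypothetical: the two ACL hosts

if __name__ == "__main__":
    for mode, peer in (("host_pair", PEER_AS_SUPERNET),
                       ("subnet_pair", PEER_AS_SUPERNET),
                       ("subnet_pair", PEER_AS_HOSTS)):
        print(mode, tunnel_outcome(mode, LOCAL, peer, "192.168.80.5", "10.11.10.100"))
```

Per host pair yields one accepted SA per internal host (the /32 pairs the post lists), per subnet pair against a /16 domain yields the rejected 192.168.80.0/24 to 10.11.0.0/16 proposal, and only a peer domain that mirrors the ACL hosts produces a subnet-to-host proposal the model accepts.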

  6. #6
    Join Date 2006-09-26 | Posts 3,018 | Rep Power 15

    Re: IPSec VPN - Site To Site - all session resets time to time

    Quote Originally Posted by 4d4sk0
    Only the lifetimes and the peer should be different.
    What do you mean by this? The lifetime for both Phase I and Phase II must be identical on both sides. Is it confirmed that they are identical on both sides?
