Error occurred during configuring site-to-site VPN tunnel with Checkpoint firewall
CharithDhananjaya
When attempting to configure a site-to-site VPN tunnel between a SonicWall firewall and a Check Point firewall using IKEv2 mode, the Check Point firewall displays the tunnel as "active," while the SonicWall firewall indicates that the tunnel is down. The attached screenshot shows the relevant logs from the SonicWall firewall. There is no communication between the local and remote networks.
Why does only one firewall indicate the tunnel as active, and what steps can be taken to resolve this issue?
Category: Entry Level Firewalls
Answers
Review the configuration you have put in place on each device.
Check your IKE ID. You will need to set them manually because you're using NAT.
As to why it says Active, that's a Checkpoint question. Perhaps "Active" just means "Not disabled".
From the Checkpoint side they are informed that they are not using IKE IDs.
You cannot not have an IKE ID. So I assume that means they're not setting them manually, and that's why it doesn't work.
Yes, they have not set it up manually. Do you have any idea about the default IKE IDs proposed by the Checkpoint firewall?
I know nothing about Checkpoint.
The only sensible default is to use the local and remote address as each IKE ID.
Tried it earlier, but no progress.
IKE ID: I would suggest that on the Checkpoint it is based on IP address, as is the SonicWall by default.
First try enabling NAT traversal under IPSEC VPN advanced.
As your firewall is behind a NAT device, the Checkpoint will see the request from the external NATed WAN address, but the IKE identifier is the pre-NAT address of your firewall WAN (and hence a mismatch).
The SW can use different IKE IDs; I use the Firewall Identifier when we have devices in Azure behind an Azure gateway.
I'm not sure what Checkpoint supports.
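To make the mismatch described in the answer above concrete, here is an added illustration (not SonicWall or Check Point code, and not from anyone in this thread) that models the responder-side IKEv2 identity check. The topology addresses, the `branch.example.net` ID and the `check_peer_id`/`scenario` helpers are all constructed assumptions. It shows why default address-based IKE IDs fail when one peer is behind NAT, why enabling NAT-T alone does not cure it, and why manually agreed IDs do.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: an IKE ID drawn from these while arriving from a public
# source address is the classic "peer is behind NAT with default IDs" symptom.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class IkeId:
    kind: str    # "ipv4" or "fqdn"
    value: str


@dataclass(frozen=True)
class IkeAuthView:
    """What the responder sees when the initiator's IKE_AUTH arrives."""
    packet_src: str   # outer IP header source, i.e. the post-NAT address
    peer_id: IkeId    # IDi payload exactly as the initiator sent it
    nat_t: bool       # NAT-T negotiated (UDP/4500 encapsulation)


def default_ike_id(wan_ip: str) -> IkeId:
    """Vendor default discussed in the thread: the interface IP is the IKE ID."""
    return IkeId("ipv4", wan_ip)


def is_rfc1918(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_peer_id(expected: IkeId, view: IkeAuthView) -> tuple[bool, str]:
    """Responder-side identity check (modelled, not a vendor implementation).
    Returns (accepted, reason). NAT-T only changes transport encapsulation;
    the IDi payload is authenticated and unchanged, so an address-based ID
    that names the pre-NAT interface still mismatches."""
    got = view.peer_id
    if expected.kind != got.kind:
        return False, f"ID type mismatch: expected {expected.kind}, got {got.kind}"
    if expected.value == got.value:
        return True, "peer ID matched"
    reason = f"ID value mismatch: expected {expected.value}, got {got.value}"
    if got.kind == "ipv4" and is_rfc1918(got.value) and not is_rfc1918(view.packet_src):
        reason += (f"; peer sent its pre-NAT address but packets arrive from "
                   f"{view.packet_src}: set IKE IDs manually on both sides")
    if view.nat_t:
        reason += " (NAT-T was negotiated but does not rewrite the ID payload)"
    return False, reason


# Constructed sample topology, not taken from the post:
SONICWALL_WAN = "192.168.100.2"   # SonicWall WAN address, behind a NAT device
NAT_PUBLIC = "203.0.113.10"       # address the Check Point sees as packet source


def scenario(manual_ids: bool, nat_t: bool) -> tuple[bool, str]:
    """The configurations discussed in the thread, run through the check."""
    if manual_ids:
        # Both sides agree on an explicit ID (an FQDN-style ID here; an explicit
        # IPv4 ID equal to NAT_PUBLIC on both sides behaves the same way).
        expected = IkeId("fqdn", "branch.example.net")
        sent = IkeId("fqdn", "branch.example.net")
    else:
        # Default IDs: the responder expects the peer address it is configured
        # with (the public one); the initiator announces its own interface IP.
        expected = default_ike_id(NAT_PUBLIC)
        sent = default_ike_id(SONICWALL_WAN)
    return check_peer_id(expected, IkeAuthView(NAT_PUBLIC, sent, nat_t))


if __name__ == "__main__":
    for manual, natt in ((False, False), (False, True), (True, True)):
        ok, why = scenario(manual, natt)
        print(f"manual_ids={manual!s:5} nat_t={natt!s:5} -> {'UP' if ok else 'DOWN'}: {why}")
```

Running it prints DOWN for the two default-ID cases (with and without NAT-T) and UP once both sides carry the same manually configured ID, which is the order of checks the thread converges on: confirm the IDs first, then NAT-T.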
Tried but no progress with NAT traversal.
Also Checkpoint VPN tunnel has initiated without both peer and local IKE IDs earlier with a Fortigate firewall.