Table of Contents

1. Permanent tunnel support with interoperable devices VPN based on IKEv1/IKEv2 DPD (RFC 3706)
2. Added ike_keep_child_sa_interop_devices kernel parameter to better deal with difference in implementations of tunnel renewal between vendors
3. General improvements in VPN stability

 

 

1. Permanent tunnel support with interoperable devices VPN based on IKEv1/IKEv2 DPD (RFC 3706)

1. Introduction:

   Dead Peer Detection (DPD) is a method of detecting a dead Internet Key Exchange (IKE) peer and reclaiming the lost resources. The method uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer. DPD is an additional keepalive mechanism supported by the Check Point Security Gateway, in addition to the proprietary Check Point protocol, based on Tunnel Testing, to test if VPN tunnels are active.

   The feature also allows monitoring of permanent tunnels based on DPD for both IKEv1 and IKEv2.

   DPD is supported by 3rd Party gateways (such as Cisco, Juniper, etc). DPD is supported in Check Point VPN R77.10 and in older versions as part of IKEv2. (Permanent tunnel based on DPD is supported starting from R77.10.)

   The tunnel testing mechanism is the recommended keeplive mechanism for Check Point to Check Point VPN gateways because this mechanism is based on IPsec traffic and requires an IPsec established tunnel. The DPD mechanism is based on IKE encryption keys only.

2. Feature Mode Description and Configuration

   DPD on the Check Point Security Gateway can be enabled in two modes:

   • DPD responder mode

     Show / Hide instructions
     
     

     Note: This mode can be enabled only when the R77.10 Security Gateway is managed by an R77.10 and higher Security Management Server.

     Check Point Security Gateway sends the IKEv1 DPD Vendor ID to peers, from which the DPD Vendor ID has been received. The following configuration allows this behavior:

     • To enable, run on Check Point Security Gateway:

       [Expert@HostName]# ckp_regedit -a SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload -n 1

     • To disable, run on Check Point Security Gateway:

       [Expert@HostName]# ckp_regedit -d SOFTWARE/CheckPoint/VPN1 forceSendDPDPayload

     Note: In some cases, the Check Point Security Gateway deletes IKE SAs. Since the DPD mechanism is based on IKE SA keys, the peer, mostly a 3rd Party VPN gateway, sends DPD requests without response. Therefore, the remote peer can conclude that the Check Point gateway is down and delete the IKE and IPsec keys. If traffic is initiated by the Check Point gateway and IPsec keys were removed from the remote peer, encrypted traffic will be dropped by the remote peer.

     In order to avoid this problem, the keep_IKE_SAs property should be enabled in SmartDashboard:

     1. Go to Policy menu - click on Global Properties
     2. Go to SmartDashboard Customization - click on Configure... button
     3. Expand VPN Advanced Properties - click on VPN IKE properties - check the box keep_IKE_SAs
     4. Click on OK
     5. Install policy

     
     
     

   • Permanent Tunnel based on DPD mode

     Show / Hide instructions
     
     

     Note: This mode can be enabled only when the R77.10 Security Gateway is managed by an R77.10 and higher Security Management Server.

     DPD can be used by the Check Point Security Gateway in order to monitor remote peers with the permanent tunnel feature. All related behavior and configurations of permanent tunnel are supported.

     To configure DPD for a permanent tunnel, the permanent tunnel should be configured in the VPN community. For more information, refer to R77 versions VPN Administration Guide - Chapter "Working with Site-to-Site VPN" - section "Tunnel Management" - sub-section "Overview of Tunnel Management" - sub-section "Permanent Tunnels". Once the permanent tunnel is enabled, the permanent tunnel mode should be configured.

     To enable the DPD monitoring, each VPN Gateway in the VPN community, which should be monitored with DPD, should be configured with the tunnel_keepalive_method property, including 3rd party VPN gateway (there is no possibility to configure different monitor mechanisms for the same gateway).

     There are three possibilities for the tunnel_keepalive_method parameter, representing three permanent tunnel modes:

     • tunnel_test (default) - Permanent tunnel is monitored by tunnel test (as in former versions) works only between Check Point gateways.
       
       
     • dpd - Defines the active DPD mode. A peer receives DPD requests at regular intervals (10 seconds). This method has to be used for IKEv2 configuration.
       
       
     • passive - Defines the passive DPD mode. Other peers do not send DPD requests to this peer. Tunnels with passive peers are monitored according to existence of IPSec traffic and incoming DPD requests. (In tunnel test, we always send keepalive packets.)
       Note: To use this mode for some gateway, remote peers should be enabled with the forceSendDPDPayload registry key (relevant for Check Point remote peers only).

     The tunnel_keepalive_method property can be edited in GuiDBedit Tool:

     1. Connect with SmartDashboard to Security Management Server / Domain Management Server.
        
        
     2. Go to File menu - click on Database Revision Control... - create a revision snapshot.
        Note: Database Revision Control is not supported for VSX objects (sk65420).
        
        
     3. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
        
        
     4. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
        
        
     5. In the upper left pane, go to Table - Network Objects - network_objects.
        
        
     6. In the upper right pane, select the relevant Security Gateway / Cluster object.
        
        
     7. Press CTRL+F (or go to Search menu - Find) - paste tunnel_keepalive_method - click on Find Next.
        
        
     8. In the lower pane, right-click on the tunnel_keepalive_method - select Edit... - select the relevant mode (tunnel_test / dpd / passive) - click on OK.
        
        
     9. Save the changes: go to File menu - click on Save All.
        
        
     10. Close the GuiDBedit Tool.
         
         
     11. Connect with SmartDashboard to Security Management Server / Domain Management Server.
         
         
     12. Install the policy onto the relevant Security Gateway / Cluster object.

3. Additional Configuration

   There are several possibilities to define feature behavior under different conditions.

   • IKE Initiation prevention

     By default, when a valid IKE SA is not available, a DPD request message will trigger a new IKE negotiation.
     To prevent this behavior, set the property dpd_allowed_to_init_ike to "false" in GuiDBedit Tool:

     Show / Hide instructions
     
     

     1. Connect with SmartDashboard to Security Management Server / Domain Management Server.
        
        
     2. Go to File menu - click on Database Revision Control... - create a revision snapshot.
        Note: Database Revision Control is not supported for VSX objects (sk65420).
        
        
     3. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
        
        
     4. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.
        
        
     5. In the upper left pane, go to Table - Network Objects - network_objects.
        
        
     6. In the upper right pane, select the relevant Security Gateway / Cluster object.
        
        
     7. Press CTRL+F (or go to Search menu - Find) - paste dpd_allowed_to_init_ike - click on Find Next.
        
        
     8. In the lower pane, right-click on the dpd_allowed_to_init_ike - select Edit... - select "false" - click on OK.
        
        
     9. Save the changes: go to File menu - click on Save All.
        
        
     10. Close the GuiDBedit Tool.
         
         
     11. Connect with SmartDashboard to Security Management Server / Domain Management Server.
         
         
     12. Install the policy onto the relevant Security Gateway / Cluster object.

   • Delete IKE SAs for dead peer

     According to RFC 3706, a VPN gateway has to delete IKE SAs from a dead peer. This functionality is enabled by default.

     To disable this feature, the value of environment variable DPD_DONT_DEL_SA has to be set to "0":

     Show / Hide instructions
     
     

     • To set the value on-the-fly (does not survive reboot):

       1. Stop Check Point services:

          [Expert@HostName]# cpstop

       2. Set the value of environment variable:

          [Expert@HostName]# export DPD_DONT_DEL_SA=0

       3. Start Check Point services:

          [Expert@HostName]# cpstart

     • To set the value permanently:

       1. Add the following line to the $CPDIR/tmp/.CPprofile.sh file:

          DPD_DONT_DEL_SA=0 ; export DPD_DONT_DEL_SA

       2. Restart Check Point services:

          [Expert@HostName]# cpstop ; cpstart

      

     To re-enable the feature, the environment variable DPD_DONT_DEL_SA should be removed:

     • To remove the environment variable on-the-fly (does not survive reboot):

       Note: These commands will work only if this environment variable is not defined in the $CPDIR/tmp/.CPprofile.sh file.

       1. Stop Check Point services:

          [Expert@HostName]# cpstop

       2. Set the value of environment variable:

          [Expert@HostName]# unset DPD_DONT_DEL_SA

       3. Start Check Point services:

          [Expert@HostName]# cpstart

     • To remove the environment variable permanently:

       1. Delete the following line from the $CPDIR/tmp/.CPprofile.sh file:

          DPD_DONT_DEL_SA=0 ; export DPD_DONT_DEL_SA

       2. Restart Check Point services:

          [Expert@HostName]# cpstop ; cpstart

4. Implementation notes

   There are two ways to detect remote peer liveliness:

   1. DPD response has been received from remote peer.
      
      
   2. Incoming decrypted traffic has been received.
      In this case, no DPD request will be sent (this functionality is not supported when SecureXL is enabled and decrypted traffic is handled in it. When SecureXL is enabled, a DPD request will always be sent).

 

2. Added ike_keep_child_sa_interop_devices kernel parameter to better deal with difference in implementations of tunnel renewal between vendors

Random connectivity problems might occur with 3rd Party VPN peers because Check Point Security Gateway deletes all Phase2 keys for a specific Phase1 SA after a Phase1 renegotiation. VPN solutions from other vendors continue to use the same Phase2 keys until their normal expiration time. This causes something like a race condition where the VPN tunnel will drop for about 10-15 minutes until the two VPN peers can get SAs back in sync and the VPN tunnel negotiations are completed.

For more details, refer to Scenario 4 in s108600 - VPN Site-to-Site with 3rd party.

To disable IPsec SAs deletion on IKE SA delete, a new configuration parameter was introduced in R77.10 - ike_keep_child_sa_interop_devices.
By default, the value of this configuration parameter is set to true (by default, IPsec SAs will not be deleted on IKE SA delete).

 

3. General improvements in VPN stability

See R77.10 Resolved Issues.

This solution is about products that are no longer supported and it will not be updated