CCR1009 IpSec site-to-site with Checkpoint R77.30

Hi everybody,

I have a problem with the site-to-site configuration of these two devices.
The tunnel is working, but it is a little bit unreliable, and I am getting these error messages in the log on the MikroTik box:

peer sent packet for dead phase2.

Here is my configuration:
[admin@gw] > /ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024

[admin@gw] > /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 R address=xxx/32 local-address=xxx/32 passive=yes auth-method=pre-shared-key secret="xxx" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey
compatibility-options=skip-peer-id-validation hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=1d dpd-interval=disable-dpd

[admin@gw] > /ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default
0 T * ;;; default template
group=default src-address=::/0 dst-address=::/0 protocol=all proposal=windowsproposals template=yes

1 src-address=aaa/29 src-port=any dst-address=bbb/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=xxx sa-dst-address=xxx proposal=default priority=0 ph2-count=1


Does anybody have some ideas why I'm receiving these errors?

Thanks for your suggestions!

Regards,
Zoltan

Hi

We had the same issue with a CP UTM FW and a MikroTik. End of story: no luck :confused:
The tunnel was unstable; we had errors when traffic flowed through the encrypted tunnel.
GRE encapsulation - also no luck :confused:

I thought that there was something special about the Checkpoint FW "IPSec" site2site.
CP works excellently with another CP, and sometimes with a Cisco FW.

We decided to replace all of the Checkpoint FWs with MikroTik hEX r3 or CCR.

Good luck!

Check all the timings in phase 2 (proposal) and phase 1 (peer); they must be equal on both sides.
Also set an NTP client on both endpoints with the same server, so that they are as much in sync as possible.
Some FWs have more re-keying options than time, such as the amount of data. Be sure to disable them and leave only the time-based one.
You can also increase the re-keying time, for example 8h on the IPsec proposal (on both sides), and see if you get fewer errors.
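A small checker for the lifetime-matching advice above, added here as an example and not part of the thread: it parses the RouterOS print lines Zoltan posted, normalises the durations (30m, 1d, 1h30m) to seconds, and compares them with a Checkpoint-side summary. The REMOTE values are assumed placeholders, not taken from the thread, and the Checkpoint side is written in the same key/value shape only for the comparison.

```python
import re

# Constructed sample: the MikroTik side as shown in the post (xxx placeholders kept,
# secret omitted). The secret is not needed to compare timers.
MIKROTIK_PROPOSAL = 'name="default" auth-algorithms=sha1 enc-algorithms=aes-256-cbc lifetime=30m pfs-group=modp1024'
MIKROTIK_PEER = ('address=xxx/32 local-address=xxx/32 passive=yes auth-method=pre-shared-key '
                 'exchange-mode=main hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 '
                 'lifetime=1d dpd-interval=disable-dpd')
# Assumed remote (Checkpoint) settings; placeholder values, not from the thread.
REMOTE = {"phase1_lifetime": "1d", "phase2_lifetime": "1h", "phase2_kbytes_rekey": 50000}

UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_kv(line):
    """Turn one RouterOS 'print' line into a dict of key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}


def duration_seconds(text):
    """Convert a RouterOS duration such as '30m', '1d' or '1h30m' into seconds."""
    parts = re.findall(r'(\d+)([wdhms])', text)
    if not parts:
        raise ValueError("unrecognised duration: " + text)
    return sum(int(num) * UNIT_SECONDS[unit] for num, unit in parts)


def check_lifetimes(local_proposal, local_peer, remote):
    """Compare phase 1 (peer) and phase 2 (proposal) lifetimes with the remote side.

    Returns a list of findings; an empty list means the time-based timers agree and
    the remote side has no data-volume re-key configured.
    """
    findings = []
    p1_local = duration_seconds(parse_kv(local_peer)["lifetime"])
    p2_local = duration_seconds(parse_kv(local_proposal)["lifetime"])
    p1_remote = duration_seconds(remote["phase1_lifetime"])
    p2_remote = duration_seconds(remote["phase2_lifetime"])
    if p1_local != p1_remote:
        findings.append(f"phase1 lifetime differs: local {p1_local}s vs remote {p1_remote}s")
    if p2_local != p2_remote:
        findings.append(f"phase2 lifetime differs: local {p2_local}s vs remote {p2_remote}s")
    if remote.get("phase2_kbytes_rekey"):
        findings.append("remote also re-keys phase2 by data volume; disable it and keep time only")
    return findings


if __name__ == "__main__":
    for finding in check_lifetimes(MIKROTIK_PROPOSAL, MIKROTIK_PEER, REMOTE):
        print(finding)
```

Paste the real peer and proposal lines in place of the constructed ones; differing units on the two sides (1d against 24h) are treated as equal once normalised.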