WatchGuard & Checkpoint site2site routing problem

JimBetrayedme · March 6, 2025, 5:43am

Hi I have a Watchguard T30 in Western Australia and a Checkpoint Quantum Spark in Melbourne.

Checkpoint is at the head office and Western Australia is a branch.

In Western Australia, the internet is vdsl so it’s being bridged from ISP modem/router to the Watchguard.

When we do a site-to-site vpn between the two it works fine but after about 30 min it breaks the connection. I changed the renegotiate from 8 hours to 12 hours it lasted around 3 hours.

Does anyone know what’s happening and how to fix this ?

LtLawl · March 6, 2025, 5:43am

My guess would be a mismatch on encryption domains between the two sites. I would do a review and see what IKE IDs are being sent between the two gateways. You should be able to capture some VPN debugs on the Check Point side and review.

dizzysn · March 6, 2025, 5:43am

Have you checked the logs to get any indication of what’s happening? Is phase 1 or 2 failing?

Bath-No · March 6, 2025, 5:43am

I’d check out your MTU and MSS configs.

When you say breaks connection, do you mean the tunnel flaps, the tunnel drops entirely, you drop packets, latency, or what?

binaryboyatlarge · March 6, 2025, 5:43am

Did you open a ticket with CP or WG?

rh681 · March 6, 2025, 5:43am

My first thought is don’t do VPN on Checkpoint if you have a choice. It’s probably not the answer you want, but it’s the answer I can give.

OhioIT · March 6, 2025, 5:43am

My guess would be a mismatch on encryption domains between the two sites.

This was my first thought too. Years ago, Check Points loved to change the encryption domain to fit whatever it thought it wanted to randomly, which was fine if you had all CP firewalls. Check Point was fantastic at everything else, but VPN… no thanks. Plenty of debugging options on Check Points, and I’m sure on WatchGuard too