Site-to-Site VPN using CARP versus Check Point Firewall

  • I have done the following:

        LAN --- [pfSense A/B, CARP a.b.c.d] --- internet --- [Check Point] --- LAN

    In PFSense A (master)
    1. IPsec - Tunnels - tick "Enable IPsec"
    2. Create Tunnel
        Interface : WAN
        Local Subnet : network -
        Remote Subnet :
        Remote gateway :

    Phase 1
        Negotiation Mode : aggressive
        My Identifier : IP address : a.b.c.d (Carp IP)
        Encryption algorithm : 3DES
        Hash algorithm : MD5
        DH Key Group : 2
        Lifetime : 1440
        Authentication Method : pre-shared key
        Pre-shared Key : Secret

    Phase 2
        Protocol : AH
        Encryption algorithms : 3DES
        Hash algorithms : MD5
        PFS Key Group : Off
        Lifetime: 1440

    3. Under Pre-shared Keys
        Identifier :
        Key : Secret

    4. Failover IPsec
        IP Address : a.b.c.d

    The rules are synced automatically to pfSense B.

    The configuration at the Check Point:
    Remote gateway - CARP IP a.b.c.d
    Other settings are the same.

    1. I checked under Status - IPsec - SAD; there isn't anything there, just "No IPsec security associations". Does it mean the VPN establishment has failed?

    Any step I missed?


  • Tunnels come up on demand only. Make sure to send some traffic to the destination of the other subnet. Also make sure the opposite end expects you coming from the CARP IP and not one of the real interface IPs. And of course make sure your a.b.c.d CARP IP works.

    If there is no SAD it means the tunnel is not currently up.

  • 1. I tried to send some traffic to destination network 10.10.x.x, but it failed. The log is below:
        Feb 28 14:22:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
        Feb 28 14:22:44 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP[500]->a.b.c.d[500]
        Feb 28 14:22:44 racoon: INFO: delete phase 2 handler

    2. The opposite party has set the remote gateway as a.b.c.d (CARP IP). The CARP IP is working: when I check my IP address, others see me as the CARP IP address.

    Any further advice?

  • This looks like it's not getting a response from the Check Point, to me. Is this all that is in the logs?

  • Attached the full log


  • Feb 28 14:23:21 racoon: ERROR: malformed cookie received.

    The Check Point seems to send something strange. Revisit all parameters and check if they are absolutely identical. Maybe try using main mode instead of aggressive.
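As an added example (not part of the thread, and not pfSense or racoon code), the following script triages the racoon log lines quoted above and compares the phase 1 proposal of both peers, which is the "check if they are absolutely identical" step from the last reply; the signature-to-advice mapping, the parameter names and the constructed Check Point proposal (with a main/aggressive mismatch) are assumptions made for the example.

```python
import re

# Constructed sample: the racoon lines quoted in this thread.
SAMPLE_LOG = """\
Feb 28 14:22:36 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 28 14:22:44 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP[500]->a.b.c.d[500]
Feb 28 14:22:44 racoon: INFO: delete phase 2 handler
Feb 28 14:23:21 racoon: ERROR: malformed cookie received.
"""

# Known racoon failure signatures and what an operator should check (mapping written for this example).
SIGNATURES = [
    (r"no phase1 found", "phase1_missing",
     "No ISAKMP SA yet: confirm the peer expects the CARP IP and that traffic to the remote subnet triggers negotiation."),
    (r"time up waiting for phase1", "phase1_timeout",
     "Phase 1 never completed: verify UDP/500 reaches the peer from the CARP IP and identifiers match."),
    (r"malformed cookie received", "malformed_cookie",
     "Peer answered with an unexpected ISAKMP cookie: re-verify every phase 1 parameter and try main mode."),
]

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")

def parse_racoon(text):
    """Parse racoon syslog lines into events, tagging known failure signatures."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"ts": m["ts"], "level": m["level"], "msg": m["msg"], "kind": "other"}
        for pattern, kind, advice in SIGNATURES:
            if re.search(pattern, m["msg"]):
                ev["kind"], ev["advice"] = kind, advice
                break
        events.append(ev)
    return events

def diagnose(events):
    """Reduce the event list to the most specific failure seen (cookie error outranks a plain phase 1 timeout)."""
    kinds = {e["kind"] for e in events}
    if "malformed_cookie" in kinds:
        return "malformed_cookie"
    if kinds & {"phase1_timeout", "phase1_missing"}:
        return "phase1_not_established"
    return "no_known_failure"

# Phase 1 as posted for pfSense A; the Check Point side is constructed with one deliberate mismatch.
LOCAL_PHASE1 = {"mode": "aggressive", "encryption": "3DES", "hash": "MD5", "dh_group": 2, "lifetime": 1440, "auth": "psk"}
REMOTE_PHASE1 = dict(LOCAL_PHASE1, mode="main")

def compare_phase1(local, remote):
    """Return the phase 1 parameter names that differ between the two peers."""
    return sorted(k for k in set(local) | set(remote) if local.get(k) != remote.get(k))

if __name__ == "__main__":
    for e in parse_racoon(SAMPLE_LOG):
        print(e["ts"], e["kind"], e.get("advice", ""))
    print("diagnosis:", diagnose(parse_racoon(SAMPLE_LOG)), "mismatched:", compare_phase1(LOCAL_PHASE1, REMOTE_PHASE1))
```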