topic Re: Ikev2 Phase2 is not getting up in General Topics

Ikev2 Phase2 is not getting up

MaheshCheck — Tue, 17 Dec 2024 13:58:29 GMT

Can anyone help me to resolve the issue

IKEv2 Phase2 is not getting up and configuration seems to be fine from both the sides

Version :R81.20

Re: Ikev2 Phase2 is not getting up

AkosBakos — Tue, 17 Dec 2024 14:21:00 GMT

Hi @MaheshCheck

Everyone of us, were is similiar situations. Please provide more info about the issue.

I suppose this is a s2s VPN connection.

What is GW version and jumbo take?

Until this try the followings:

reset the tunnel on both sides
check the ENC_DOMs on both sides, maybe eg.: somewhere the netmask is wrong

And check this SK: https://support.checkpoint.com/results/sk/sk60318

Akos

Re: Ikev2 Phase2 is not getting up

the_rock — Tue, 17 Dec 2024 14:29:40 GMT

We need way more info in order to help properly.

First of all, what is the other side? Do enc settings match? route or domain based? star or mesh? How is tunnel mgmt option configured? ikev1 or ikev2?

Any logs indicating the failure?

Andy

Re: Ikev2 Phase2 is not getting up

MaheshCheck — Tue, 17 Dec 2024 16:30:44 GMT

Yes ,its S2S VPN

Firewall version is R81.20 Jumbo Hotfix Take 84

When we select single host ,the tunnel is getting up however whenever we select network , the tunnel is not coming up

We have checked the configuration from both the sides and all network details are correct

reset the tunnel on both sides-tried but not working

Re: Ikev2 Phase2 is not getting up

MaheshCheck — Tue, 17 Dec 2024 16:31:48 GMT

Domain based ,Star,IKev2

Cisco is peer

Re: Ikev2 Phase2 is not getting up

the_rock — Tue, 17 Dec 2024 16:33:23 GMT

If its combo of hosts/subnets. then please try "per gateway"

If that fails, run simple vpn debug.

vpn debug trunc

vpn debug ikeon

-generate traffic

vpn debug ikeoff

fw ctl debug 0

Get ike* and vpnd* files from $FWDIR/log dir

Message me directly, we can do remote, Im confident I can help you.

Andy

Re: Ikev2 Phase2 is not getting up

MaheshCheck — Tue, 17 Dec 2024 16:34:40 GMT

Re: Ikev2 Phase2 is not getting up

MaheshCheck — Tue, 17 Dec 2024 16:49:37 GMT

There are so manu Ike fiels so which one i have to take

attached screenshot for reference

Re: Ikev2 Phase2 is not getting up

MaheshCheck — Tue, 17 Dec 2024 16:50:33 GMT

Re: Ikev2 Phase2 is not getting up

the_rock — Tue, 17 Dec 2024 17:02:02 GMT

I would review whatever is today's date. Honestly, I feel your best bet is to call TAC, do remote session and Im sure they would be able to figure it out quick. Its not so easy to tell based on these screenshots.

Andy

Re: Ikev2 Phase2 is not getting up

the_rock — Tue, 17 Dec 2024 18:22:44 GMT

Hey,

Im in the zoom meeting waiting, so if you are free, please join, Im good till 2.30 pm est.

Andy

Re: Ikev2 Phase2 is not getting up

the_rock — Tue, 17 Dec 2024 20:26:07 GMT

Hey Mahesh,

Just send me your email in direct message, we can connect offline. Not sure what country you are in, but Im in Canada EST (GMT-5)

Andy

Re: Ikev2 Phase2 is not getting up

MaheshCheck — Wed, 18 Dec 2024 15:44:56 GMT

I am in india(IST) GMT+5:30

Re: Ikev2 Phase2 is not getting up

the_rock — Wed, 18 Dec 2024 15:46:04 GMT

Just messaged you offline.

Andy

Re: Ikev2 Phase2 is not getting up

the_rock — Thu, 19 Dec 2024 01:06:24 GMT

Hey everyoone,

Just to update on this, had zoom remote with @MaheshCheck and below are my notes. I feel good now if Cisco side resets the tunnel, it will work fine, but Mahesh will let us know for sure once they do it.

Andy

NOTES FROM THE CALL:

-zoom with Mahesh
-we enabled tunnel mgmt as per gateway since its combo of hosts/subnets
-installed policy
-first time config, never worked before
-Cisco mentioned phase 2 selectors are not matching
-peer ip x.x.x.x

below guidbedit settings should be set to FALSE to avoid any supernetting:

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

peer -> xyz_gateway

we made sure guidbedit settings were set to false, changed last one -> ike_use_largest_possible_subnets

installed policy -> now tunnel shows UP

Mahesh will ask other side to check tomorrow and let us know

Re: Ikev2 Phase2 is not getting up

the_rock — Wed, 18 Dec 2024 18:13:09 GMT

Hey Mahesh,

Im sure you are sleeping as Im writting this, but in case tunnel still does not work when Cisco side checks, they can use below simple commands to do a debug and its very light. This is what guy I used to work with who worked for Cisco TAC gave me once.

Hope it helps (if needed)

Andy

debug vpn:

debug crypto condition peer x.x.x.x

debug crypto ikev1 200

debug crypto ipsec 200

to cancel all debugs-> undebug all

Re: Ikev2 Phase2 is not getting up

MaheshCheck — Thu, 19 Dec 2024 08:49:47 GMT

Thanks Andy. I have shared the above output with Vendor and will let you know results once i hear back from him.

Re: Ikev2 Phase2 is not getting up

the_rock — Thu, 19 Dec 2024 12:37:52 GMT

Sounds good, I feel good about the outcome...fingers crossed!

Andy

Re: Ikev2 Phase2 is not getting up

MaheshCheck — Thu, 19 Dec 2024 18:00:40 GMT

Hi Andy,

The tunnel is not coming up .I took debug output from cisco vendor and also attached Tunnel details

Could you please look into debug output and is cisco sending wrong proposal? please suggest

attached files

Re: Ikev2 Phase2 is not getting up

the_rock — Thu, 19 Dec 2024 18:02:30 GMT

Thats a bummer : -(. O well, lets see what we can do. I will review soon.

Andy