topic Re: VPN problems - Invalid ID in Spark Firewall (SMB)

VPN problems - Invalid ID

Engii — Sun, 06 Nov 2022 16:02:06 GMT

Hello every one

I can't get up the vpn between two gateways, checking the logs it says "Notification to Peer: invalid id information". I don't understand what it mean by id. Also, the IKE Responder Cookie and Initiator are different. Could it be because of that?

Does anyone know what Invalid id information refers to? and what causes it?

thanks for your help

Re: VPN problems - Invalid ID

_Val_ — Mon, 07 Nov 2022 13:08:30 GMT

First, which version of the GW software and hardware are you using?

IKE VPN ID is a combination of peer IP and its VPN domain. It has to be identical for both parties. If there is a mismatch, you will not be able to open a tunnel.

Re: VPN problems - Invalid ID

the_rock — Mon, 07 Nov 2022 13:19:19 GMT

Most likely phase 2 mismatch somewhere. I would follow below sk:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115455

Also, on top of that, make sure below 3 settings are set to FALSE in Guidbedit:

ike_enable_supernet
ike_p2_enable_supernet_from_R80.20
ike_use_largest_possible_subnets

I recall even if really old versions of CP, this was an issue where CP always tried to present larger subnet than intended, so say if Cisco is expecting, for example, /28 subnet, CP would have tried to send something bigger, for example/24.

Anyway, had not seen much of that since R80 came out initially, but I would still verify those values.