First of all, what is the other side? Do enc settings match? route or domain based? star or mesh? How is tunnel mgmt option configured? ikev1 or ikev2?
I would review whatever is today's date. Honestly, I feel your best bet is to call TAC, do a remote session, and I'm sure they would be able to figure it out quick. It's not so easy to tell based on these screenshots.
I'm sure you are sleeping as I'm writing this, but in case the tunnel still does not work when the Cisco side checks, they can use the simple commands below to do a debug, and it's very light. This is what a guy I used to work with, who worked for Cisco TAC, gave me once.
Okay, can you make sure it shows ikev2 as per my screenshot below? Also, the debug shows crypto map errors, which, as far as my knowledge of Cisco goes, literally means the phase 2 vpn domain proposals are NOT matching, so can you ask them to verify 100% they have the right vpn domain for your side?
Andy
IKEv2-PROTO-4: (44926): Processing IKE_AUTH message
IKEv2-TIMER: Created an IKEv2 timer of type External service timeout
IKEv2-TIMER: Set an IKEv2 timer of type External service timeout for 25 seconds with 0 jitter
IKEv2-PLAT-4: (44926): Crypto Map: No proxy match on map Outside_map seq 1
IKEv2-TIMER: Destroy an IKEv2 timer of type External service timeout
IKEv2-PROTO-7: (44926): Failed to verify the proposed policies
IKEv2-PROTO-2: (44926): There was no IPSEC policy found for received TS
Something else I thought of... so say the external peer is 1.2.3.4 (just for the sake of the commands I want you to run on the CP end), please run the below when you try to communicate with something on their end (run the commands from expert mode of the active fw; check which one is active by running cphaprob roles).
This 100% tells me enc domains are NOT matching, so please confirm it again and ask them to verify their Cisco side for YOUR enc domain to make sure it is correct.
Andy
[Expert@checkpointfw01:0]# fw ctl zdebug + drop | grep 172.20.138.198
@;1274658776.23010;[kern];[tid_16];[SIM4];sim (vpn_encrypt): drop due vpn_ipsec_encrypt returns PKT_DROP(3), conn: <10.10.20.121,50629,172.20.138.198,80,6>;
@;1274658776.23011;[kern];[tid_16];[SIM4];handle_vpn_encryption: ipsec_encrypt failed: failed to find SA. Dropping packet... conn: <10.10.20.121,50629,172.20.138.198,80,6>;
@;1274658776.23012;[kern];[tid_16];[SIM4];sim_pkt_send_drop_notification: (0,0) received drop, reason: Encryption Failed (5), conn: <10.10.20.121,50629,172.20.138.198,80,6>;
@;1274658776.23013;[kern];[tid_16];[SIM4];sim_pkt_send_drop_notification: sending packet dropped notification drop mode: 0 debug mode: 1 send as is: 0 track_lvl: -1, conn: <10.10.20.121,50629,172.20.138.198,80,6>;
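As an added example (not posted by anyone in this thread), the following Python script pulls the connection 5-tuple out of the `fw ctl zdebug + drop` lines above and checks both the Check Point and the Cisco IKEv2 debug output for the messages that point at an encryption domain mismatch. The sample lines are the ones quoted in the thread; the INDICATORS table and the `diagnose` heuristic are my own reading of those messages, not a Check Point or Cisco reference.

```python
import re
from dataclasses import dataclass

# Sample debug output copied from the thread (Check Point zdebug drops and Cisco IKEv2 debug).
CP_ZDEBUG = """@;1274658776.23010;[kern];[tid_16];[SIM4];sim (vpn_encrypt): drop due vpn_ipsec_encrypt returns PKT_DROP(3), conn: <10.10.20.121,50629,172.20.138.198,80,6>;
@;1274658776.23011;[kern];[tid_16];[SIM4];handle_vpn_encryption: ipsec_encrypt failed: failed to find SA. Dropping packet... conn: <10.10.20.121,50629,172.20.138.198,80,6>;
@;1274658776.23012;[kern];[tid_16];[SIM4];sim_pkt_send_drop_notification: (0,0) received drop, reason: Encryption Failed (5), conn: <10.10.20.121,50629,172.20.138.198,80,6>;"""

CISCO_DEBUG = """IKEv2-PROTO-4: (44926): Processing IKE_AUTH message
IKEv2-PLAT-4: (44926): Crypto Map: No proxy match on map Outside_map seq 1
IKEv2-PROTO-7: (44926): Failed to verify the proposed policies
IKEv2-PROTO-2: (44926): There was no IPSEC policy found for received TS"""

# conn: <src, sport, dst, dport, proto> as printed by the Check Point kernel debug
CONN_RE = re.compile(r"conn: <([\d.]+),(\d+),([\d.]+),(\d+),(\d+)>")

# Substrings of debug messages and what they indicate (assumed interpretation, from this thread).
INDICATORS = [
    ("failed to find SA", "no IPsec SA exists for this connection's selectors"),
    ("No proxy match", "Cisco crypto map ACL does not cover the proposed traffic selectors"),
    ("no IPSEC policy found for received TS", "peer rejected the traffic selectors Check Point sent"),
]


@dataclass
class DropEvent:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    message: str


def parse_zdebug(text: str) -> list[DropEvent]:
    """Extract one DropEvent per zdebug line that carries a conn: tuple."""
    events = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, proto = m.groups()
        # Message is everything after the module tag, minus the trailing conn tuple.
        msg = line.split("[SIM4];", 1)[-1]
        msg = re.sub(r"\s*,?\s*conn: <.*$", "", msg)
        events.append(DropEvent(src, int(sport), dst, int(dport), int(proto), msg))
    return events


def find_indicators(text: str) -> list[tuple[str, str]]:
    """Return (pattern, diagnosis) for every indicator found in the debug text."""
    return [(p, d) for line in text.splitlines() for p, d in INDICATORS if p in line]


def diagnose(cp_text: str, cisco_text: str) -> dict:
    """Combine both sides' debug output into one finding."""
    events = parse_zdebug(cp_text)
    conns = sorted({(e.src, e.dst, e.dport, e.proto) for e in events})
    cp_hits, cisco_hits = find_indicators(cp_text), find_indicators(cisco_text)
    if cp_hits and cisco_hits:
        cause = "encryption domain / traffic selector mismatch"
    elif events:
        cause = "packets dropped before encryption; SA state needs checking"
    else:
        cause = "no VPN drops found"
    return {"connections": conns, "cp": cp_hits, "cisco": cisco_hits, "likely_cause": cause}


if __name__ == "__main__":
    result = diagnose(CP_ZDEBUG, CISCO_DEBUG)
    for c in result["connections"]:
        print("dropped flow:", c)
    print("likely cause:", result["likely_cause"])
```

Feed it the raw `fw ctl zdebug + drop` capture and the Cisco `debug crypto ikev2` output and it tells you which flows were dropped and whether both sides complain about selectors at once, which is the pattern behind the "enc domains are NOT matching" conclusion above.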
[Attached video: bandicam 2024-12-20 07-40-44-725.mp4]
Could you please guide me on how to check what proposal Checkpoint is sending? Additionally, where can I locate that file, and how can I view it using the IKEview tool?
Forgot to mention before, when you download debug files from $FWDIR/log dir, see if there is ike trace file, that one would give you lots of details if you "dump" it into ikeview utility.
Sorry for jumping in so late on this. It does appear to be a mismatch from what I am picking up.
Based on previous replies, are you still doing the tunnel sharing mode of gateway on the Check Point side? If so, does the Cisco side know you are sending a 0.0.0.0/0 IKE ID?
My recommendation would be to use a custom VPN Domain on the Check Point side and go back to tunnel sharing mode of subnet. Just build a new network group object, and add the following items as networks:
10.20.0.0/20
10.12.0.0/21
10.10.20.121/32
As long as Cisco has those 3 subnets defined as "interesting traffic" on their side, it should be fine.
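To make the "encryption domain must match on both sides" point concrete, here is an added Python example (mine, not from any poster in this thread) that models the two tunnel sharing options discussed: a custom VPN Domain with the three networks above ("per subnet") versus the 0.0.0.0/0 selector that "per gateway" sends, checked against the Cisco "interesting traffic" list. The match rule is a deliberately simplified model (every selector Check Point proposes must be equal to or contained in an entry on the Cisco side); real IKEv2 implementations narrow selectors in their own ways, and the Cisco ACL contents here are assumed.

```python
import ipaddress

# The custom VPN Domain recommended in the thread ("per subnet" tunnel sharing).
CP_DOMAIN_PER_SUBNET = ["10.20.0.0/20", "10.12.0.0/21", "10.10.20.121/32"]
# "Per gateway" tunnel sharing: Check Point proposes 0.0.0.0/0 as its traffic selector.
CP_DOMAIN_PER_GATEWAY = ["0.0.0.0/0"]
# Assumed Cisco crypto map ACL "remote" entries, i.e. what they should have for the CP side.
CISCO_REMOTE_ACL = ["10.20.0.0/20", "10.12.0.0/21", "10.10.20.121/32"]


def nets(cidrs):
    """Turn a list of CIDR strings into ip_network objects (strict, so typos fail loudly)."""
    return [ipaddress.ip_network(c) for c in cidrs]


def covers(domain, ip) -> bool:
    """True if the address falls inside any network of the encryption domain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets(domain))


def selectors_match(cp_domain, cisco_remote) -> bool:
    """Simplified selector check (assumption, not vendor behaviour): each network
    Check Point proposes must be equal to or a subnet of some Cisco ACL entry."""
    cisco = nets(cisco_remote)
    return all(any(n.subnet_of(c) for c in cisco) for n in nets(cp_domain))


def unmatched_selectors(cp_domain, cisco_remote) -> list:
    """The proposed networks the Cisco side would reject, for a troubleshooting report."""
    cisco = nets(cisco_remote)
    return [str(n) for n in nets(cp_domain) if not any(n.subnet_of(c) for c in cisco)]


def working_hosts(cp_domain, cisco_remote, hosts) -> list:
    """Which local hosts could actually use the tunnel: they must be inside the
    Check Point domain AND inside a Cisco ACL entry."""
    return [h for h in hosts if covers(cp_domain, h) and covers(cisco_remote, h)]


if __name__ == "__main__":
    print("per subnet vs Cisco ACL:", selectors_match(CP_DOMAIN_PER_SUBNET, CISCO_REMOTE_ACL))
    print("per gateway vs Cisco ACL:", selectors_match(CP_DOMAIN_PER_GATEWAY, CISCO_REMOTE_ACL))
    print("rejected when per gateway:", unmatched_selectors(CP_DOMAIN_PER_GATEWAY, CISCO_REMOTE_ACL))
    # If Cisco only had the /32 defined, only that host would work (see the debug discussion).
    print("hosts that work with a /32-only ACL:",
          working_hosts(CP_DOMAIN_PER_SUBNET, ["10.10.20.121/32"], ["10.10.20.121", "10.20.0.5"]))
```

Run it with the real ACL from the Cisco side substituted for `CISCO_REMOTE_ACL`: an empty `unmatched_selectors` result for the per-subnet domain is what you want to see before asking TAC to look at anything else.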
When Mahesh and I did a Zoom remote, he advised me this was a combo of subnets/hosts, so that's why I suggested "per gateway", but they did also try per subnet and it failed.
I am fairly positive at this point something with vpn domains is not matching, hence the reason why this does not work.
The "per gateway" is the Check Point way to go for a mix of network and host objects, agreed, but then Check Point sends 0.0.0.0/0, so the other side would have to know to update to that as well. For Cisco, not sure what that configuration looks like.
I did see the per subnet option was not working, but was that using the global encryption domain? If so, how were the networks defined within that; hopefully, they matched how the workbook was filled out.
I still think for any IPsec VPN your best bet is to use granular encryption domains for every tunnel.
The Cisco debug shows if anything was going to work at that time, it would have been the 10.10.20.121/32.