sx8n20394
Explorer

IPSEC Phase 2 Rekey Tunnel Goes Down and Won't Come Back Up

I have been having an extremely hard time setting up a new site-to-site VPN between our 1535 Quantum Spark appliance and a Cisco ASA appliance.

Details:

The client will only accept WAN IP addresses when setting up the encryption domains on both sides. We originally had an encryption domain issue that was resolved on a call with the client tech support. We don't have any other WAN IP addresses other than our main WAN connection so I told them to use that address. After they reset the tunnel on their end, the tunnel came up and we thought we were good to go. After an hour, I got the following notification:

Informational exchange: Received delete IPsec SA request for: 0x0c3ed3e0.

After this alert, the tunnel went down and would not come back up. I cleared all IKE+IPSEC SAs via CLI and the tunnel refused to come up and I now get the same error I received before we fixed the encryption domains.

Initial exchange: Exchange failed: timeout reached & Auth exchange: Received notification from peer: Traffic selectors unacceptable

Also this: Informational exchange: Sending notification to peer: Invalid IKE SPI IKE SPIs

Why was the tunnel able to come up and work fine then not be able to rekey on Phase 2 after the 3600 seconds?

Unfortunately, Checkpoint support hasn't been very helpful and I honestly don't expect them to be since this may be the result of us trying to connect to a 3rd party gateway.

Does anyone have any helpful tips?

4 Replies
AkosBakos
Leader

Hi @sx8n20394 

I suppose that there is a mismatch between the two authentication configs. Especially, I suppose that the phase 2 renegotiation timers mismatch.

Here is a screenshot of a config from a SmartConsole. Yes, I know that you have a locally managed Spark appliance, but the same settings are available there.

[screenshot: image.png]

Double check the timers (and the unit of measure). As you can see on the screenshot, both seconds and minutes are in use on the same pane.

Akos

----------------
\m/_(>_<)_\m/
sx8n20394
Explorer

Everything matches for each phase.

CaseyB
Advisor

You guys have a mismatch of encryption domains; it is telling you that with the error:

  • Initial exchange: Exchange failed: timeout reached & Auth exchange: Received notification from peer: Traffic selectors unacceptable
    • Cisco is rejecting your offer because it doesn't match what they have defined for you.

Sometimes you might see this a lot:

  • Cisco -> CheckPoint (Phase 2 accepted)
  • Cisco -> CheckPoint (Phase 2 accepted)
  • Cisco -> CheckPoint (Phase 2 accepted)
  • CheckPoint -> Cisco (Rejected)

So, depending on who is always doing the traffic initiation, you might get the false impression that the tunnel is working properly when it is not. I find that due to the way Check Point handles encryption domains by default, it is pretty promiscuous when building tunnel traffic as opposed to other third parties.


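The asymmetric pattern described in the reply above (peer-initiated child SAs accepted, Check Point-initiated ones rejected) can be reproduced with a small simulation of IKEv2 traffic-selector negotiation. This is an added illustration, not code from the thread or from either vendor; the addresses are constructed documentation ranges, and the "strict" versus "narrowing" responder rules are simplifying assumptions about each side's policy handling.

```python
import ipaddress
from typing import List, Optional

Net = ipaddress.IPv4Network

def nets(*cidrs: str) -> List[Net]:
    return [ipaddress.ip_network(c) for c in cidrs]

# Constructed sample addresses (RFC 5737 documentation ranges, not from the thread).
CHECKPOINT_LOCAL = nets("203.0.113.10/32", "10.10.0.0/16")  # WAN IP plus an internal subnet
CISCO_LOCAL = nets("198.51.100.0/24")                       # peer's encryption domain
CISCO_PEER_ALLOWED = nets("203.0.113.10/32")                # ASA only knows our WAN IP

def narrowing_responder(proposed: List[Net], allowed: List[Net]) -> Optional[List[Net]]:
    """Lenient responder (assumed Check Point behaviour): accept any proposed selector that
    overlaps its policy and narrow it to the overlap (RFC 7296 section 2.9 style).
    Returns None to signal TS_UNACCEPTABLE."""
    chosen = []
    for p in proposed:
        for a in allowed:
            if p.subnet_of(a):
                chosen.append(p)
            elif a.subnet_of(p):
                chosen.append(a)
    return chosen or None

def strict_responder(proposed: List[Net], allowed: List[Net]) -> Optional[List[Net]]:
    """Strict responder (assumed ASA behaviour with a fixed crypto ACL): every proposed
    selector must exactly match an allowed one, otherwise TS_UNACCEPTABLE."""
    return list(proposed) if all(p in allowed for p in proposed) else None

def child_sa(initiator: str, tsi: List[Net], tsr: List[Net]) -> str:
    """One CREATE_CHILD_SA attempt; returns 'accepted' or 'TS_UNACCEPTABLE'."""
    if initiator == "cisco":
        # Check Point answers: TSi must fall in the peer's domain, TSr in its own domain.
        ok = narrowing_responder(tsi, CISCO_LOCAL) and narrowing_responder(tsr, CHECKPOINT_LOCAL)
    else:
        # Cisco answers: it only accepts exactly the selectors it has defined for us.
        ok = strict_responder(tsi, CISCO_PEER_ALLOWED) and strict_responder(tsr, CISCO_LOCAL)
    return "accepted" if ok else "TS_UNACCEPTABLE"

def rekey_sequence() -> List[str]:
    """Cisco-initiated child SAs succeed; the Check Point-initiated rekey proposing its full
    domain is rejected; narrowing our domain to the WAN IP alone makes it succeed."""
    return [
        child_sa("cisco", nets("198.51.100.0/24"), nets("203.0.113.10/32")),
        child_sa("cisco", nets("198.51.100.0/24"), nets("203.0.113.10/32")),
        child_sa("checkpoint", nets("203.0.113.10/32", "10.10.0.0/16"), nets("198.51.100.0/24")),
        child_sa("checkpoint", nets("203.0.113.10/32"), nets("198.51.100.0/24")),
    ]
```

The third attempt is the rekey the original poster saw fail: the tunnel works while the peer initiates, and breaks the first time the Check Point side proposes selectors the ASA has not defined.
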
sx8n20394
Explorer

Well, the tunnel was up and we were able to send traffic, which is why we thought it was all set. It became a problem after the Phase 2 rekey, which brought the tunnel down. I honestly don't know what to do because we only have 1 WAN IP and that is what the client has on their side. All of the domains they sent over are correct; I just don't know about my own encryption domain because I never set up S2S with WAN IPs in the encryption domain.
