Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
John_Fleming
Advisor

IKEv2 issues with R80.30 JHA 166 - traffic selectors unacceptable

Hi all, I'm having an issue with IKEv2 support. Tunnel management is set to tunnel per host. Access is basically /32 to /32. Tunnel fails during phase 2. We did some debugging via ikeview and everything looked ok. After looking at vpnd.elg (vpn debug on) I noticed I could see where the remote internal IP would be checked against the contents of the remote firewalls encryption domain. BTW there is src and dst nats on the local checkpoint gateway as well.

This is what I see in the debugs. Not word for word just high level.

Searching for remote internal IP (pre nat IP address)

comparing against external IP of remote VPN peer - no match

comparing against NAT IP (post nat IP) of remote internal host - no match

comparing against 224.0.0.0/24 - no match

Error traffic selectors unacceptable

 

Whats odd is its not searching all the hosts in the remote encryption domain. There are 9 IPs in the remote enc domain. For sure the internal remote host is in the encryption domain of the remote firewall (interop device) as well. Also I have no idea where the multicast subnet came from. Its not part of any of the configs.

We just switched everything to IKEv1 and things are coming up now. I see a few ikev2 updates after 166. We haven't opened a ticket yet just though I would ask here first. We're going to try switching it back to ikev2 just to be %100 where the issue is tomorrow.

Oh remote gateway is a ASA so my sympathy goes out to them. That being said sure feels like a bug on the checkpoint side.

0 Kudos
2 Replies
Tobias_Moritz
Advisor

Just a wild guess here...

Do you use host objects or network objects (/32) in the remote encryption domain object? If you are using host objects, can you try again with network objects?

0 Kudos
John_Fleming
Advisor

/32 network objects?? Heresy I say!

kidding aside... we just flipped everything back to ikev2 and it came up. I can now see the search rolling through on the contents of the remove encryption domain.

I really wish this wouldn't have worked. I think we're going to stick to ikev2 and see what happens. 

0 Kudos