Hi all, I'm having an issue with IKEv2 support. Tunnel management is set to tunnel per host. Access is basically /32 to /32. Tunnel fails during phase 2. We did some debugging via ikeview and everything looked ok. After looking at vpnd.elg (vpn debug on) I noticed I could see where the remote internal IP would be checked against the contents of the remote firewalls encryption domain. BTW there is src and dst nats on the local checkpoint gateway as well.

This is what I see in the debugs. Not word for word just high level.

Searching for remote internal IP (pre nat IP address)

comparing against external IP of remote VPN peer - no match

comparing against NAT IP (post nat IP) of remote internal host - no match

comparing against 224.0.0.0/24 - no match

Error traffic selectors unacceptable

Whats odd is its not searching all the hosts in the remote encryption domain. There are 9 IPs in the remote enc domain. For sure the internal remote host is in the encryption domain of the remote firewall (interop device) as well. Also I have no idea where the multicast subnet came from. Its not part of any of the configs.

We just switched everything to IKEv1 and things are coming up now. I see a few ikev2 updates after 166. We haven't opened a ticket yet just though I would ask here first. We're going to try switching it back to ikev2 just to be %100 where the issue is tomorrow.

Oh remote gateway is a ASA so my sympathy goes out to them. That being said sure feels like a bug on the checkpoint side.