This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
John_Fleming
Advisor
‎2020-08-11 07:00 PM

IKEv2 issues with R80.30 JHA 166 - traffic selectors unacceptable

Hi all, I'm having an issue with IKEv2 support. Tunnel management is set to tunnel per host. Access is basically /32 to /32. Tunnel fails during phase 2. We did some debugging via ikeview and everything looked ok. After looking at vpnd.elg (vpn debug on) I noticed I could see where the remote internal IP would be checked against the contents of the remote firewalls encryption domain. BTW there is src and dst nats on the local checkpoint gateway as well.

This is what I see in the debugs. Not word for word just high level.

Searching for remote internal IP (pre nat IP address)

comparing against external IP of remote VPN peer - no match

comparing against NAT IP (post nat IP) of remote internal host - no match

comparing against 224.0.0.0/24 - no match

Error traffic selectors unacceptable

 

Whats odd is its not searching all the hosts in the remote encryption domain. There are 9 IPs in the remote enc domain. For sure the internal remote host is in the encryption domain of the remote firewall (interop device) as well. Also I have no idea where the multicast subnet came from. Its not part of any of the configs.

We just switched everything to IKEv1 and things are coming up now. I see a few ikev2 updates after 166. We haven't opened a ticket yet just though I would ask here first. We're going to try switching it back to ikev2 just to be %100 where the issue is tomorrow.

Oh remote gateway is a ASA so my sympathy goes out to them. That being said sure feels like a bug on the checkpoint side.

6 Replies
Tobias_Moritz
Advisor
‎2020-08-12 06:07 AM

Just a wild guess here...

Do you use host objects or network objects (/32) in the remote encryption domain object? If you are using host objects, can you try again with network objects?

John_Fleming
Advisor
‎2020-08-12 12:42 PM
In response to Tobias_Moritz

/32 network objects?? Heresy I say!

kidding aside... we just flipped everything back to ikev2 and it came up. I can now see the search rolling through on the contents of the remove encryption domain.

I really wish this wouldn't have worked. I think we're going to stick to ikev2 and see what happens. 

0 Kudos
prodigy477
Explorer
‎2021-08-04 07:49 AM
In response to John_Fleming

Hello, so what was your fix and how did you go about this? Running into the same issue

kennyt
Explorer
‎2023-01-03 09:31 PM
In response to John_Fleming

Hi John, 

 

Ran into same issue, what was your fix on this? 

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-01-04 12:12 AM
In response to kennyt

Which version of Gateway and ASA were involved?

CCSM R77/R80/ELITE
0 Kudos
kennyt
Explorer
‎2023-01-18 07:45 PM
In response to Chris_Atkinson

CP v81.10 and a third party GSM router, not an ASA

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events