This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
StackCap43382
Collaborator
Collaborator
‎2022-10-03 04:20 AM

Ikev2 - Multiple Diffie-Hellman Groups per proposal - VPND not always matching correct group.

Hi All,

Very strange issue with an IKEv2 S2S VPN that I've not seen before.

The peer VPN device is configured to send multiple DH groups per proposal.
For each new initial received from the peer The CKP is rotating through matching the DH group and not.

When it does not match, it seems to match the last of the groups configured in the proposal:

[ikev2] My proposal list: - 1 proposal(s)
[ikev2] Proposal 1 of 1
...
[ikev2] Diffie-Hellman Groups: Group 14
...
[ikev2] dbCommunityHandle::getPrefIkeGrpMethod: dh group: 14.
[ikev2] Peer proposal list: - 4 proposal(s)
[ikev2] Proposal 1 of 4
...
[ikev2] Diffie-Hellman Groups: Group 20 (384-bit random ECP group),Group 19 (256-bit random ECP group),Group 16,Group 14,Group 5,Group 2
...
[ikev2] The common proposal:
...
[ikev2] Diffie-Hellman Groups: Group 14
...
[ikev2] SAIkeValidator::isValidSA: group in KE payload (2) differs than the one we agree on (14)
[ikev2] Exchange::setLog: Setting log message: Sending notification to peer: Invalid Key Exchange payload..

The behavior is much like the known proposal limit issue:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I'm going to raise with TAC but a quick search does not show any obvious mention of compatibility issues with proposals containing multiple DHs.

CCSME, CCTE, CCME, CCVS
6 Replies
Chris_Atkinson
Employee Employee
Employee
‎2022-10-03 04:36 AM

I recall a similar issue with Azure in the past.

Which version/JHF is used and what is the peer device? 

 

CCSM R77/R80/ELITE
0 Kudos
maad-pul
Contributor
‎2024-02-12 12:17 PM

Hi!

What did you received for information from TAC? 
I have some simlar errors after upgrading from 81.10 to 81.20 TAKE41.

 

SAIkeValidator::isValidSA: group in KE payload (21) differs than the one we agree on (20)

 

Regards

Mattias

0 Kudos
StackCap43382
Collaborator
Collaborator
‎2024-02-12 12:42 PM
In response to maad-pul

Look in the key exchange packet, you'll see there is a Diffie-Group specified.

The Diffie in the KE needs to be the same as defined in the VPN community encryption settings.

In check point they need to match.

SAIkeValidator::isValidSA: group in KE payload (21) differs than the one we agree on (20) = the Key Exchange configuration does not match the Community Encryption. 

 

CCSME, CCTE, CCME, CCVS
0 Kudos
maad-pul
Contributor
‎2024-02-12 01:05 PM
In response to StackCap43382

The strange thing is that reviived a lot om alorith and DH-GROUPS in 1 Proposal. I don´t to if the "limit issue" you are refering to is related to maximum values within 1 propsal as well or if the limit is just related to 16 proposal.

[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Peer proposal list: - 1 proposal(s)
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Proposal 1 of 1
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Encryption Algorithm: AES-256,AES-192,AES-128
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Pseudo Random Function: PRF-SHA512,PRF-SHA384,PRF-SHA256,PRF-SHA1
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Integrity Algorithm: HMAC-SHA2-512,HMAC-SHA2-384,HMAC-SHA2-256,HMAC-SHA1
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Diffie-Hellman Groups: Group 24 (2048-bit group with 256-bit subgroup),Group 21 (521-bit random ECP group),Group 20 (384-bit random ECP group),Group 19 (256-bit random ECP group),Group 16,Group 15,Group 14,Group 5,Group 2
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] The common proposal:
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Encryption Algorithm: AES-256
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Pseudo Random Function: PRF-SHA512
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Integrity Algorithm: HMAC-SHA2-512
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Diffie-Hellman Groups: Group 20 (384-bit random ECP group)
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] SAIkeValidator::isValidSA: group in KE payload (21) differs than the one we agree on (20)
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Exchange::addNotification: entering..
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] ikeSimpOrder::isSharedSecretAuth: entering (order 27579, ref count 1).
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] dbCommunityHandle::usingPresharedSecret: entering
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] ikeInitialExchange_r::getMethods: No ike sa.
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Exchange::setLog: Setting log message:
Sending notification to peer: Invalid Key Exchange payload..

 

Regards

Mattias

0 Kudos
StackCap43382
Collaborator
Collaborator
‎2024-02-14 12:30 AM
In response to maad-pul

Its not the proposal its the Key-exchange.

Look in the KE.

CCSME, CCTE, CCME, CCVS
0 Kudos
BernhardN
Explorer
‎2024-05-23 03:14 AM

Looks like sk180444.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events