StackCap43382
Collaborator

Ikev2 - Multiple Diffie-Hellman Groups per proposal - VPND not always matching correct group.

Hi All,

Very strange issue with an IKEv2 S2S VPN that I've not seen before.

The peer VPN device is configured to send multiple DH groups per proposal.
For each new initial received from the peer, the CKP is rotating through matching the DH group and not matching it.

When it does not match, it seems to match the last of the groups configured in the proposal:

[ikev2] My proposal list: - 1 proposal(s)
[ikev2] Proposal 1 of 1
...
[ikev2] Diffie-Hellman Groups: Group 14
...
[ikev2] dbCommunityHandle::getPrefIkeGrpMethod: dh group: 14.
[ikev2] Peer proposal list: - 4 proposal(s)
[ikev2] Proposal 1 of 4
...
[ikev2] Diffie-Hellman Groups: Group 20 (384-bit random ECP group),Group 19 (256-bit random ECP group),Group 16,Group 14,Group 5,Group 2
...
[ikev2] The common proposal:
...
[ikev2] Diffie-Hellman Groups: Group 14
...
[ikev2] SAIkeValidator::isValidSA: group in KE payload (2) differs than the one we agree on (14)
[ikev2] Exchange::setLog: Setting log message: Sending notification to peer: Invalid Key Exchange payload..

The behavior is much like the known proposal limit issue:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I'm going to raise it with TAC, but a quick search does not show any obvious mention of compatibility issues with proposals containing multiple DHs.

CCSME, CCTE, CCME, CCVS
6 Replies
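The exchange the log above shows is the standard IKEv2 group negotiation from RFC 7296 (sections 1.2 and 2.7): the initiator's KE payload carries exactly one guessed group, and if the responder picks a different one it answers INVALID_KE_PAYLOAD naming its choice, after which the initiator must resend IKE_SA_INIT with that group. The model below is an added example, not Check Point code; the function names are mine and it assumes the responder chooses by its own configured preference order.

```python
# Added example (not Check Point code): models IKEv2 IKE_SA_INIT DH-group
# negotiation per RFC 7296 sections 1.2 and 2.7 with the groups from the thread.
INVALID_KE_PAYLOAD = 17   # notify message type, RFC 7296 section 3.10.1
NO_PROPOSAL_CHOSEN = 14   # notify message type, RFC 7296 section 3.10.1

def select_group(local_groups, peer_groups):
    """Responder picks a DH group from the intersection of both lists.
    Assumption: the responder's own configured order decides the choice."""
    for g in local_groups:
        if g in peer_groups:
            return g
    return None

def respond_to_init(local_groups, peer_groups, ke_group):
    """Decide the responder's reply to one IKE_SA_INIT request.
    ke_group is the single group the initiator guessed in its KE payload."""
    agreed = select_group(local_groups, peer_groups)
    if agreed is None:
        return ("NO_PROPOSAL_CHOSEN", None)
    if ke_group != agreed:
        # RFC 7296 2.7: reject and tell the peer which group to use
        return ("INVALID_KE_PAYLOAD", agreed)
    return ("OK", agreed)

def negotiate(local_groups, peer_groups, first_guess):
    """Drive the initiator side: retry once with the group the responder named.
    Returns a list of (ke_group_sent, responder_status, group_named)."""
    exchanges = []
    guess = first_guess
    for _ in range(2):
        status, group = respond_to_init(local_groups, peer_groups, guess)
        exchanges.append((guess, status, group))
        if status != "INVALID_KE_PAYLOAD":
            break
        guess = group  # initiator resends IKE_SA_INIT with the named group
    return exchanges

if __name__ == "__main__":
    # First post: gateway configured with Group 14 only; the peer offered six
    # groups and guessed Group 2 in its KE payload.
    for e in negotiate([14], [20, 19, 16, 14, 5, 2], 2):
        print(e)
    # Later post: common proposal Group 20, KE payload carried Group 21.
    for e in negotiate([20], [24, 21, 20, 19, 16, 15, 14, 5, 2], 21):
        print(e)
```

The "Sending notification to peer: Invalid Key Exchange payload" line is therefore expected on the first round trip; the question for TAC is only whether the peer then retries with the named group.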
Chris_Atkinson
Employee

I recall a similar issue with Azure in the past.

Which version/JHF is used and what is the peer device? 


CCSM R77/R80/ELITE
0 Kudos
maad-pul
Contributor

Hi!

What did you receive for information from TAC?
I have some similar errors after upgrading from 81.10 to 81.20 TAKE41.


SAIkeValidator::isValidSA: group in KE payload (21) differs than the one we agree on (20)


Regards

Mattias

0 Kudos
StackCap43382
Collaborator

Look in the key exchange packet, you'll see there is a Diffie-Group specified.

The Diffie in the KE needs to be the same as defined in the VPN community encryption settings.

In check point they need to match.

SAIkeValidator::isValidSA: group in KE payload (21) differs than the one we agree on (20) = the Key Exchange configuration does not match the Community Encryption. 


CCSME, CCTE, CCME, CCVS
0 Kudos
maad-pul
Contributor

The strange thing is that it received a lot of algorithms and DH groups in 1 proposal. I don't know if the "limit issue" you are referring to is related to maximum values within 1 proposal as well, or if the limit is just related to 16 proposals.

[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Peer proposal list: - 1 proposal(s)
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Proposal 1 of 1
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Encryption Algorithm: AES-256,AES-192,AES-128
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Pseudo Random Function: PRF-SHA512,PRF-SHA384,PRF-SHA256,PRF-SHA1
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Integrity Algorithm: HMAC-SHA2-512,HMAC-SHA2-384,HMAC-SHA2-256,HMAC-SHA1
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Diffie-Hellman Groups: Group 24 (2048-bit group with 256-bit subgroup),Group 21 (521-bit random ECP group),Group 20 (384-bit random ECP group),Group 19 (256-bit random ECP group),Group 16,Group 15,Group 14,Group 5,Group 2
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] The common proposal:
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Encryption Algorithm: AES-256
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Pseudo Random Function: PRF-SHA512
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Integrity Algorithm: HMAC-SHA2-512
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Diffie-Hellman Groups: Group 20 (384-bit random ECP group)
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] SAIkeValidator::isValidSA: group in KE payload (21) differs than the one we agree on (20)
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Exchange::addNotification: entering..
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] ikeSimpOrder::isSharedSecretAuth: entering (order 27579, ref count 1).
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] dbCommunityHandle::usingPresharedSecret: entering
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] ikeInitialExchange_r::getMethods: No ike sa.
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Exchange::setLog: Setting log message:
Sending notification to peer: Invalid Key Exchange payload..


Regards

Mattias

0 Kudos
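To pull the relevant facts out of a debug excerpt like the one above without reading every line, the following added script (mine, not a Check Point tool) extracts the peer's offered groups, the common proposal's group and the KE mismatch line. The sample log is constructed from the lines quoted in this post.

```python
import re

# Added example, not a Check Point tool: summarises the DH-group facts in
# iked/vpnd ikev2 debug output. SAMPLE_LOG is constructed from the post above.
SAMPLE_LOG = """\
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Peer proposal list: - 1 proposal(s)
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Diffie-Hellman Groups: Group 24 (2048-bit group with 256-bit subgroup),Group 21 (521-bit random ECP group),Group 20 (384-bit random ECP group),Group 19 (256-bit random ECP group),Group 16,Group 15,Group 14,Group 5,Group 2
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] The common proposal:
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] Diffie-Hellman Groups: Group 20 (384-bit random ECP group)
[iked1 16790 4067246528]@GATEWAY[12 Feb 14:32:33][ikev2] SAIkeValidator::isValidSA: group in KE payload (21) differs than the one we agree on (20)
"""

GROUPS_RE = re.compile(r"Diffie-Hellman Groups: (.*)$")
GROUP_NUM_RE = re.compile(r"Group (\d+)")   # case-sensitive: skips "...-bit group with"
KE_RE = re.compile(r"group in KE payload \((\d+)\) differs than the one we agree on \((\d+)\)")

def analyze_ike_debug(text):
    """Return a summary dict for one IKE_SA_INIT seen in the debug output."""
    result = {"peer_groups": [], "common_group": None,
              "ke_group": None, "agreed_group": None}
    section = None
    for line in text.splitlines():
        # Track which proposal block the following "Diffie-Hellman Groups" belongs to
        if "Peer proposal list" in line:
            section = "peer"
        elif "The common proposal" in line:
            section = "common"
        elif "My proposal list" in line:
            section = "mine"
        m = GROUPS_RE.search(line)
        if m:
            nums = [int(n) for n in GROUP_NUM_RE.findall(m.group(1))]
            if section == "peer":
                result["peer_groups"].extend(nums)
            elif section == "common" and nums:
                result["common_group"] = nums[0]
            continue
        m = KE_RE.search(line)
        if m:
            result["ke_group"], result["agreed_group"] = int(m.group(1)), int(m.group(2))
    ke = result["ke_group"]
    result["mismatch"] = ke is not None and ke != result["common_group"]
    # A KE group the peer never offered would point at a peer-side fault
    # rather than a plain preference disagreement.
    result["ke_group_offered"] = (ke in result["peer_groups"]) if ke is not None else None
    return result

if __name__ == "__main__":
    for key, value in analyze_ike_debug(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```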
StackCap43382
Collaborator

It's not the proposal, it's the key exchange.

Look in the KE.

CCSME, CCTE, CCME, CCVS
0 Kudos
BernhardN
Explorer

Looks like sk180444.

0 Kudos