StackCap43382
Contributor

IKEv2 - Multiple Diffie-Hellman Groups per proposal - VPND not always matching correct group.

Hi All,

Very strange issue with an IKEv2 S2S VPN that I've not seen before.

The peer VPN device is configured to send multiple DH groups per proposal.
For each new initial received from the peer, the CKP is rotating through matching the DH group and not.

When it does not match, it seems to match the last of the groups configured in the proposal:

[ikev2] My proposal list: - 1 proposal(s)
[ikev2] Proposal 1 of 1
...
[ikev2] Diffie-Hellman Groups: Group 14
...
[ikev2] dbCommunityHandle::getPrefIkeGrpMethod: dh group: 14.
[ikev2] Peer proposal list: - 4 proposal(s)
[ikev2] Proposal 1 of 4
...
[ikev2] Diffie-Hellman Groups: Group 20 (384-bit random ECP group),Group 19 (256-bit random ECP group),Group 16,Group 14,Group 5,Group 2
...
[ikev2] The common proposal:
...
[ikev2] Diffie-Hellman Groups: Group 14
...
[ikev2] SAIkeValidator::isValidSA: group in KE payload (2) differs than the one we agree on (14)
[ikev2] Exchange::setLog: Setting log message: Sending notification to peer: Invalid Key Exchange payload..

The behavior is much like the known proposal limit issue:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

I'm going to raise with TAC but a quick search does not show any obvious mention of compatibility issues with proposals containing multiple DHs.
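To make the log above easier to read, here is a small model of the IKE_SA_INIT Diffie-Hellman group selection as RFC 7296 section 2.7 describes it. This is an added example written for this thread; it is not code from the poster, from Check Point, or from any VPN implementation, and the group numbers, proposal lists and the choice of group 2 as the peer's KE guess are constructed values that mirror the log lines, not a claim about what the peer actually sent on the wire. The responder picks one group common to both proposal lists and then checks the initiator's KE payload against it; a mismatch is answered with INVALID_KE_PAYLOAD naming the chosen group (the "group in KE payload (2) differs ... (14)" line), and a conforming initiator is expected to retry with that group.

```python
"""Model of IKEv2 IKE_SA_INIT DH-group selection (RFC 7296 section 2.7).

Constructed example: each proposal is reduced to the list of DH transforms
a side accepts, in its preference order. Group numbers are the IANA IKEv2
Transform Type 4 values seen in the post's log (2, 5, 14, 16, 19, 20).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

INVALID_KE_PAYLOAD = 17  # IKEv2 notify message type, RFC 7296 section 3.10.1


@dataclass
class InitResult:
    chosen_group: Optional[int]  # group the responder selected; None if nothing in common
    notify: Optional[int]        # INVALID_KE_PAYLOAD when the KE payload group was rejected
    accepted: bool               # True only when the KE payload matches the chosen group


def select_group(responder_groups: List[int], initiator_groups: List[int]) -> Optional[int]:
    """Responder picks the first of its own preferred groups that the initiator also offers.
    The log line 'The common proposal: ... Group 14' corresponds to this step."""
    offered = set(initiator_groups)
    for g in responder_groups:
        if g in offered:
            return g
    return None


def responder_handle_init(responder_groups: List[int], initiator_groups: List[int],
                          ke_group: int) -> InitResult:
    """Responder side of IKE_SA_INIT: agree on a group, then validate the KE payload.
    If the KE payload carries a different group than the one chosen, the responder
    rejects with INVALID_KE_PAYLOAD naming the chosen group and creates no SA."""
    chosen = select_group(responder_groups, initiator_groups)
    if chosen is None:
        # A real responder would send NO_PROPOSAL_CHOSEN here; modelled as 'no notify'.
        return InitResult(None, None, False)
    if ke_group != chosen:
        return InitResult(chosen, INVALID_KE_PAYLOAD, False)
    return InitResult(chosen, None, True)


def initiator_negotiate(initiator_groups: List[int], responder_groups: List[int],
                        first_guess: Optional[int] = None,
                        max_attempts: int = 2) -> Tuple[Optional[int], list]:
    """Initiator side: send a KE payload for a guessed group and, on INVALID_KE_PAYLOAD,
    retry once with the group the responder named. Returns (agreed group, transcript),
    where transcript lists (ke_group sent, notify received) per attempt."""
    guess = first_guess if first_guess is not None else initiator_groups[0]
    transcript = []
    for _ in range(max_attempts):
        r = responder_handle_init(responder_groups, initiator_groups, guess)
        transcript.append((guess, r.notify))
        if r.accepted:
            return r.chosen_group, transcript
        if r.notify == INVALID_KE_PAYLOAD and r.chosen_group is not None:
            guess = r.chosen_group  # conforming initiator retries with the named group
            continue
        break
    return None, transcript


# Constructed values mirroring the post's log: the local gateway accepts only
# group 14; the peer offers 20, 19, 16, 14, 5, 2 and its KE payload used group 2.
LOCAL_GROUPS = [14]
PEER_GROUPS = [20, 19, 16, 14, 5, 2]

if __name__ == "__main__":
    r = responder_handle_init(LOCAL_GROUPS, PEER_GROUPS, ke_group=2)
    print(f"chosen={r.chosen_group} notify={r.notify} accepted={r.accepted}")
    agreed, steps = initiator_negotiate(PEER_GROUPS, LOCAL_GROUPS, first_guess=2)
    print(f"agreed={agreed} steps={steps}")
```

Running it with the constructed values reproduces the two states the post describes: when the peer's KE guess happens to be group 14 the exchange is accepted on the first attempt, and when it is any other group the responder answers INVALID_KE_PAYLOAD and the initiator has to retry with group 14. Whether a given peer performs that retry, and which group it guesses first on each new IKE_SA_INIT, is what the TAC case would need to establish from both sides' debug output.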

1 Reply

I recall a similar issue with Azure in the past.

Which version/JHF is used and what is the peer device? 
