Hello
We are building a route based site-to-site VPN between our Checkpoint cluster (Check Point Gaia R81.10 - 15600) and AWS (tenant belonging to our partner).
Both phases are up but there is no traffic between VTI addresses (ping is not working but encrypted on Checkpoint side)
We've got errors like in the console : :
Child SA exchange: Peer's message is unacceptable
and fw ctl zdebug drop shows :
@;294556582;[cpu_6];[fw4_19];fw_log_drop_ex: Packet proto=6 169.254.131.30:35776 -> 169.254.131.29:179 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;
@;294556582;[cpu_12];[fw4_7];fw_log_drop_ex: Packet proto=6 169.254.151.30:41589 -> 169.254.151.29:179 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;
We also noticed these logs :
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv4: Traffic selector has been narrowed. Here's what's left (4 addresses)
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] --- 185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: calculate all ranges
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv6: proto: 0, port range: All Ports
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: calculate ranges for ts 0
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv6: proto: 0, port range: All Ports
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: trying to match peer range 0: 185.XXX.YYY.0 - 185.XXX.YYY.3 against 0 policy ranges
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: Could not match traffic selector 1 (<185.XXX.YYY.0 - 185.XXX.YYY.3>)
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify_ipv6: Could not match any selectors
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::Verify: returns true
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: looking for a ts that contains <169.254.131.30 ; TCP ; 179>
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: checking range: 185.XXX.YYY.0 - 185.XXX.YYY.6
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: added range: 185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: checking range:185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] constructRelevantIPRanges_ipv4: added range: 185.XXX.YYY.0 - 185.XXX.YYY.3
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: Try specific protocol/port (6/179) num_range: 1. addresses in ranges: 4 (4)
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] TSPayload::getContainingTS: Returning empty TS. Proto: 6
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] ikeChildSAExchange_i::validateTSiPayload: empty traffic selector.
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::processPayloads: problem processing payload no. 4 of type TS-i payload
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::processPayloads: processPayloads returning initial status
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::setStatus: Changing status from: initial to: failure (final)..
[vpnd 18908 4071475200]@FW-CPPT-3080[3 Oct 14:36:35][ikev2] Exchange::setLog: Setting log message:
Peer's message is unacceptable..
Do you have any idea?
Could it be a mismatch between route based and policy based ?
Thank you
Thomas
