This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nastiakhon
Contributor
‎2021-07-15 11:45 PM

Phase 2 Site-to-site VPN error

Hello
I have a Site-to-site VPN configured between checkpoint and cisco ASA.
When I check through SmartView Monitor, I see that my tunnel is up.

But when I start communication, the first phase goes well, but on the second phase I receive a message

Child SA exchange: Received notification from peer: No proposal chosen MyMethods Phase2: AES-256 + HMAC-SHA2-256, No IPComp, No ESN, Group 14

Please tell me what this means.
Because on my part exactly the same parameters are set.

 

Screenshot_1.jpg

Thank you!

0 Kudos
2 Replies
Tobias_Moritz
Advisor
‎2021-07-16 02:25 AM

The Log message and the screenshot you posted here both shows us the configuration on Check Point side.

You have to compare it with the configuration on Cisco side.

Either ask the Cisco admin on the other side what is configured there or better check it yourself by checking the debug logs.

If you can force the Cisco side to initiate the connection, the debug logs on Check Point side will show you what the ASA is trying to do:

  1. Start debug on Expert Shell: # vpn debug trunc
  2. Let's the Cisco side initiate the tunnel (verify in Check Point Log that they really did try it).
  3. Stop debug on Expert Shell: # vpn debug off; vpn debug ikeoff
  4. Look at $FWDIR/log/ikev2.xmll with IKEView

 

RamGuy239
Advisor
Advisor
‎2021-07-16 03:22 AM

Like @Tobias_Moritz has already mentioned. This points to the proposal on phase 2 to not be equal on the Check Point side as on the CISCO side.

We know from the logs that Check Point is proposing:
AES-256 + HMAC-SHA2-256, PFS Group 14.

We don't know what the CISCO firewall on the other end has configured for phase 2. There seems to be a mismatch here.


By doing the debug that @Tobias_Moritz suggested you will most likely see whatever the CISCO is trying to use for its phase 2 negotiating and you will most likely see that something is off and you will have to correct it so both sides are on terms when it comes to whatever settings are being used for phase 2.

If you are communicating with whoever is controlling the CISCO firewall you could always ask them for details on what they have configured for phase 2 / IP-sec encryption. Might it be that they are not using PFS? Might they be using different algorithms?

Certifications: CCSA, CCSE, CCSM, CCSM ELITE, CCTA, CCTE, CCVS, CCME
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events