Hello All,
I have two CP gateways: one cloud-managed (vR82.10) and another on-premises-managed (vR80.40). The cloud-managed firewall is also configured as a cluster (two 3950s) with ISP redundancy, but at the moment I am configuring the VPN with only one provider. I configured a basic site-to-site VPN, but it’s not working:

The same error in the debug:
<Exchange serial="2775920" Peer="IP of my FW" Dir="Inbound" Type="Initial">
<peerIP>IP of my FW</peerIP>
<Message Valid="Yes" Initiator="Yes" Response="No" higherVer="No">
<arrivalTime>2026-01-11T20:39:10</arrivalTime>
<MsgID>0</MsgID>
<initSPI>d96446baa5702e5c</initSPI>
<respSPI>0000000000000000</respSPI>
<Next>SecurityAssociation</Next>
<Version>2.0</Version>
<Type>Initial</Type>
<Length>420</Length>
<Payloads>
<Payload Type="SecurityAssociation" Next="KeyExchange" Length="48" Critical="No">
<prop ID="1">
<encr>AES-256</encr>
<prf>PRF-SHA256</prf>
<integ>HMAC-SHA2-256</integ>
<Key-Exchange>Group 20 (384-bit random ECP group)</Key-Exchange>
</prop>
</Payload>
<Payload Type="KeyExchange" Next="Nonce" Length="264" Critical="No">
<Method>14</Method>
<Key>**********</Key>
</Payload>
<Payload Type="Nonce" Next="Notify" Length="24" Critical="No">
<ndata>**********</ndata>
</Payload>
<Payload Type="Notify" Next="Notify" Length="28" Critical="No">
<Protocol>0</Protocol>
<Type>NAT detection source IP</Type>
<spisize>0</spisize>
<ndata>**********</ndata>
</Payload>
<Payload Type="Notify" Next="None" Length="28" Critical="No">
<Protocol>0</Protocol>
<Type>NAT detection destination IP</Type>
<spisize>0</spisize>
<ndata>**********</ndata>
</Payload>
</Payloads>
</Message>
<Message Valid="Yes" Initiator="No" Response="Yes" higherVer="No">
<arrivalTime>2026-01-11T20:39:10</arrivalTime>
<MsgID>0</MsgID>
<initSPI>d96446baa5702e5c</initSPI>
<respSPI>0000000000000000</respSPI>
<Next>Notify</Next>
<Version>2.0</Version>
<Type>Initial</Type>
<Length>38</Length>
<Payloads>
<Payload Type="Notify" Next="None" Length="10" Critical="No">
<Protocol>0</Protocol>
<Type>Invalid Key Exchange payload</Type>
<spisize>0</spisize>
<ndata>00 0e</ndata>
</Payload>
</Payloads>
</Message>
<final_state>message sent</final_state>
<peerdesc>IP of my FW</peerdesc>
<final_status>failure (final)</final_status>
</Exchange>
The debug on my FW is a bit different; in the logs, the firewall hostname is shown instead of its IP address:
<Exchange serial="14064076" Peer="HOSTNAME of the 3950" Dir="Outbound" Type="Initial">
<peerIP>Cluster 3950 IP</peerIP>
<Message Valid="Yes" Initiator="Yes" Response="No" higherVer="No">
<arrivalTime>2026-01-11T20:39:11</arrivalTime>
<MsgID>0</MsgID>
<initSPI>d96446baa5702e5c</initSPI>
<respSPI>0000000000000000</respSPI>
<Next>SecurityAssociation</Next>
<Version>2.0</Version>
<Type>Initial</Type>
<Length>420</Length>
<Payloads>
<Payload Type="SecurityAssociation" Next="KeyExchange" Length="48" Critical="No">
<prop ID="1">
<SPI>d96446baa5702e5c</SPI>
<encr>AES-256</encr>
<prf>PRF-SHA256</prf>
<integ>HMAC-SHA2-256</integ>
<dh>Group 20 (384-bit random ECP group)</dh>
</prop>
</Payload>
<Payload Type="KeyExchange" Next="Nonce" Length="264" Critical="No">
<Group>14</Group>
<Key>*************</Key>
</Payload>
<Payload Type="Nonce" Next="Notify" Length="24" Critical="No">
<ndata>*************</ndata>
</Payload>
<Payload Type="Notify" Next="Notify" Length="28" Critical="No">
<Protocol>0</Protocol>
<Type>NAT detection source IP</Type>
<spisize>0</spisize>
<ndata>*************</ndata>
</Payload>
<Payload Type="Notify" Next="None" Length="28" Critical="No">
<Protocol>0</Protocol>
<Type>NAT detection destination IP</Type>
<spisize>0</spisize>
<ndata>*************</ndata>
</Payload>
</Payloads>
</Message>
<Message Valid="Yes" Initiator="No" Response="Yes" higherVer="No">
<arrivalTime>2026-01-11T20:39:11</arrivalTime>
<MsgID>0</MsgID>
<initSPI>d96446baa5702e5c</initSPI>
<respSPI>0000000000000000</respSPI>
<Next>Notify</Next>
<Version>2.0</Version>
<Type>Initial</Type>
<Length>38</Length>
<Payloads>
<Payload Type="Notify" Next="None" Length="10" Critical="No">
<Protocol>0</Protocol>
<Type>Invalid Key Exchange payload</Type>
<spisize>0</spisize>
<ndata>00 0e</ndata>
</Payload>
</Payloads>
</Message>
<final_state>received message</final_state>
<peerdesc>HOSTNAME of the 3950</peerdesc>
<final_status>failure (final)</final_status>
</Exchange>
I already tried configuring the VPN with group 14 and without PFS — nothing helped. The settings of the VPN: with the same settings we already have another VPN to a CP 1900 (this will be replaced by the 3950).

I would appreciate any help 🙏
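Since the data in the responder's notify is what actually tells you which DH group it wants, here is a small Python script (an added example, not code from the original post or from Check Point) that parses an Exchange block in this debug format and pulls out three things: the group advertised in the SA proposal, the group carried in the KE payload, and the group encoded in the INVALID_KE_PAYLOAD notify data (per RFC 7296 section 2.7, that data is the 2-octet DH group number the responder wants; 00 0e is 14). The embedded XML is a constructed sample modelled on the two debugs above (element names Key-Exchange, dh, Method and Group are taken from them; the serial, peer IP and SPI are made up).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the IKEv2 debug format in the post above.
# Serial, peer IP and SPI are made up; the payload structure mirrors the real capture.
SAMPLE_EXCHANGE = """<Exchange serial="1" Peer="peer" Dir="Inbound" Type="Initial">
<peerIP>198.51.100.1</peerIP>
<Message Valid="Yes" Initiator="Yes" Response="No" higherVer="No">
<MsgID>0</MsgID>
<initSPI>0102030405060708</initSPI>
<Type>Initial</Type>
<Payloads>
<Payload Type="SecurityAssociation" Next="KeyExchange" Length="48" Critical="No">
<prop ID="1">
<encr>AES-256</encr>
<prf>PRF-SHA256</prf>
<integ>HMAC-SHA2-256</integ>
<Key-Exchange>Group 20 (384-bit random ECP group)</Key-Exchange>
</prop>
</Payload>
<Payload Type="KeyExchange" Next="Nonce" Length="264" Critical="No">
<Method>14</Method>
<Key>**********</Key>
</Payload>
</Payloads>
</Message>
<Message Valid="Yes" Initiator="No" Response="Yes" higherVer="No">
<MsgID>0</MsgID>
<Type>Initial</Type>
<Payloads>
<Payload Type="Notify" Next="None" Length="10" Critical="No">
<Protocol>0</Protocol>
<Type>Invalid Key Exchange payload</Type>
<spisize>0</spisize>
<ndata>00 0e</ndata>
</Payload>
</Payloads>
</Message>
<final_status>failure (final)</final_status>
</Exchange>
"""

# IANA IKEv2 Transform Type 4 (Diffie-Hellman group) identifiers (RFC 7296 / RFC 5903 / RFC 3526)
DH_GROUPS = {
    2: "1024-bit MODP", 5: "1536-bit MODP", 14: "2048-bit MODP", 15: "3072-bit MODP",
    16: "4096-bit MODP", 19: "256-bit random ECP", 20: "384-bit random ECP",
    21: "521-bit random ECP",
}


def describe_group(group_id):
    """Human-readable name for a DH group number, or 'unknown' if not in the table."""
    return DH_GROUPS.get(group_id, "unknown")


def proposed_dh_group(message):
    """DH group advertised in the SA proposal ('Group 20 (...)' under Key-Exchange or dh)."""
    for el in message.iter():
        if el.tag in ("Key-Exchange", "dh") and el.text:
            m = re.search(r"Group\s+(\d+)", el.text)
            if m:
                return int(m.group(1))
    return None


def ke_payload_group(message):
    """DH group number carried in the KeyExchange payload (Method in one debug, Group in the other)."""
    for payload in message.iter("Payload"):
        if payload.get("Type") == "KeyExchange":
            for child in payload:
                if child.tag in ("Method", "Group") and child.text and child.text.strip().isdigit():
                    return int(child.text.strip())
    return None


def invalid_ke_requested_group(message):
    """Decode INVALID_KE_PAYLOAD notify data: 2 octets, big-endian, the group the responder wants."""
    for payload in message.iter("Payload"):
        if payload.get("Type") != "Notify":
            continue
        if "Invalid Key Exchange" in payload.findtext("Type", ""):
            raw = bytes.fromhex(payload.findtext("ndata", "").replace(" ", ""))
            if len(raw) == 2:
                return int.from_bytes(raw, "big")
    return None


def diagnose(exchange_xml):
    """Return the three DH group numbers seen in one Exchange and whether SA and KE disagree."""
    root = ET.fromstring(exchange_xml)
    findings = {"proposed_group": None, "ke_group": None, "responder_wants": None, "mismatch": False}
    for msg in root.findall("Message"):
        if msg.get("Response") == "No":  # the IKE_SA_INIT request
            findings["proposed_group"] = proposed_dh_group(msg)
            findings["ke_group"] = ke_payload_group(msg)
        else:  # the responder's reply
            wanted = invalid_ke_requested_group(msg)
            if wanted is not None:
                findings["responder_wants"] = wanted
    p, k = findings["proposed_group"], findings["ke_group"]
    findings["mismatch"] = p is not None and k is not None and p != k
    return findings


if __name__ == "__main__":
    result = diagnose(SAMPLE_EXCHANGE)
    for key, value in result.items():
        label = f" ({describe_group(value)})" if isinstance(value, int) and key != "mismatch" else ""
        print(f"{key}: {value}{label}")
```

Run against the constructed sample it reports proposed_group 20, ke_group 14, responder_wants 14 and mismatch True, which is exactly the pattern in both debugs above: the SA proposal advertises group 20 while the KE payload carries group 14, and the responder answers with a notify asking for group 14. Checking the Phase 1 DH group and the PFS group on both sides against those three numbers is the first thing to verify.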