This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Blason_R
MVP Gold
MVP Gold
‎2021-12-10 06:53 PM
Jump to solution

VPN is failing on Phase-1 MM packet1

Hi Team,

I am trying to bring up this tunnel however when I debug on CP with ike and vpnd it shows this is failing on MM-Packet 1 and here are the logs for VPNd.elg. Third party IP is 143.244.xxx,xxx

 

[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:24][tunnel] Transmitter::Transmit: 152 bytes sent to 143.244.xxx.xxx port: 500 over UDP (IPv4).
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] Transmitter::TransmitRequest: Transmitting for: 0xb8f1978 over UDP (IPv4) (10). Next in 4000ms
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] UDPConnection::Send: Sent 148 bytes on connection 0xa5ab5e0
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] Transmitter::EndRequest: Done transmission for: 0xbac5188
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] Transmitter::EndRequest: Calling transmission handler, done for 0xbac5188
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] TransmissionDone: called (back) for: 0xbac5188
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] fwIsakmp_Timeout: TIMEOUT ABORT: phase1state: bacf608 phase2state 0
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] ReplyBy: entering for 0xbac5188
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] fillUserPeerByNegotiationCxt: entering: 0 0 0 0
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] fillUserPeerByNegotiationCxt: ERROR: phase2state is NULL, return
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] fwisakmp_new_sa_notify: notified.
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] fwisakmp_new_sa_notify: Got an error from isakmpd type 3 code 0
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28][tunnel] fwisakmp_got_error_from_isakmpd: kernel_instance: 1. Err type 3, err-code 0. Packetid: 2c9e680
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28] CFwdCommStreamLocal::Write called
[vpnd 30737 4081387456]@xxxxx[10 Dec 16:51:28] CFwdCommStreamLocal::Write sent 136 bytes

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
1 Solution

Accepted Solutions
Blason_R
MVP Gold
MVP Gold
‎2021-12-11 07:54 PM
In response to the_rock
Jump to solution

Thanks Team - Issue was resolved last night for me. It was due to mismatch in PSK.

Plus has to add NO NAT Rule on CP since the traffic was getting natted

And at other end I added peer as a responder since it was configured as a initiator as well.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

View solution in original post

5 Replies
Timothy_Hall
MVP Gold
MVP Gold
‎2021-12-11 06:00 AM
Jump to solution

If you are erroring out at packet 2 of IKEv1 Main Mode, there is a mismatch in the IKE Phase 1 settings between the two sides such as encryption algorithm, hashing algorithm, or DH group.  Packets 1-2 negotiate a common set of algorithms, packets 3-4 perform the DH key calculation (and determine if NAT-T is needed), and packets 5-6 perform the authentication usually with a pre-shared secret.

However it is not clear from your log whether the peer is actually responding at all (TIMEOUT ABORT), so you need to run a tcpdump looking for UDP/500 to conclusively determine if the peer is even responding with IKEv1 MM packet 2.  If not they probably don't have the correct setup or IP address for your firewall and are dropping your IKEv1 MM packet 1, or that traffic is being blocked by something else.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Platinum
MVP Platinum
‎2021-12-11 06:04 PM
Jump to solution

I see the point @Timothy_Hall is making. Honestly, if its failing on MM packet 1, that is 100% something basic missing. If you ran command like this on CP -> tcpdump -nni any host x.x.x.x (external peer IP) and port 50...do you see anything? What is the other side?

Best,
Andy
0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2021-12-11 07:54 PM
In response to the_rock
Jump to solution

Thanks Team - Issue was resolved last night for me. It was due to mismatch in PSK.

Plus has to add NO NAT Rule on CP since the traffic was getting natted

And at other end I added peer as a responder since it was configured as a initiator as well.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
the_rock
MVP Platinum
MVP Platinum
‎2021-12-11 08:12 PM
In response to Blason_R
Jump to solution

Good job! Its still bit odd to me that PSK was the issue, since that would always be packet 5 or 6 on MM.

Best,
Andy
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2021-12-12 07:10 AM
In response to the_rock
Jump to solution

Yes normally an incorrect PSK will cause a failure at MM packets 5/6, but if the overall authentication type (PSK vs. Certificate) is set incorrectly that will cause a failure at MM packets 1/2 since they have to agree on the authentication type then, but the actual authentication itself is not performed until MM packets 5/6. 

That Phase 1 order of operations never made sense to me in the IKEv1 spec, as in let's do some complex negotiations with a peer, perform a computationally expensive DH key calculation, and THEN actually authenticate who we are talking to in the final part of Phase 1?  Really?

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events