IPsec tunnel does not come up

Router: HP Comware router

Config remote site:
----------------------------
IKE phase 1
  encryption DES
  authen MD5
  diffie-hellman group Group2 1024bit
  renegotiate every 480 minutes
  testpassword
IPSEC phase
  encryption DES
  authen MD5
  EPF diffie hellman group sup         not selected
  renegotiate 3600 sec
  LAN 172.x.x.0 /24
  WAN 203.x.x.x

Config my side:
-----------------------
acl number 3001
 rule permit ip source 192.168.x.0 0.0.0.255 destination 172.x.x.x 0.0.0.255
 quit
ike local-name vpntun01
ike proposal 1
 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group2
 sa duration 28800
 quit
ike peer vpntun01
 exchange-mode aggressive
 pre-shared-key simple testpassword
 proposal 1
 local-address 192.168.x.x
 remote-address 172.x.x.x
 quit
ipsec transform-set 1
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm md5
 quit
ipsec profile vpntun01
 ike-peer vpntun01
 transform-set 1
 sa duration time-based 3600
 quit
interface tunnel 1
 ip address 1.1.1.1 24
 tunnel-protocol ipsec ipv4
 source gigabitethernet 0/1
 destination 203.x.x.x
 ipsec profile vpntun01
 quit
ip route-static 172.x.x.x 255.255.255.0 tunnel 1

Log file:
*Nov 28 20:34:19:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:ipsec acquire sa, use ike peer name: "vpntun01".
*Nov 28 20:34:19:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:19:478 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: IKE receive acquire SA request, IKE peer name:vpntun01.
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: Connection name is 202.x.x.x,203.x.x.x,500,,0,1,1
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: Check connection: SA for 202.x.x.x,203.x.x.x,500,,0,1,1 missing
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange lookup :name = 202.x.x.x,203.x.x.x,500,,0,1,1 phase = 2
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange lookup :name = 202.x.x.x,203.x.x.x,500,,0,0,0 phase = 1
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange setup(I): a4c3250
*Nov 28 20:34:19:641 2016 Router1 IKE/7/DEBUG: create udp resource:name = 202.x.x.x,203.x.x.x,500,,0,0,0.
*Nov 28 20:34:19:691 2016 Router1 IKE/7/DEBUG: add payload to message: SA
*Nov 28 20:34:19:791 2016 Router1 IKE/7/DEBUG:   DOI: 1
*Nov 28 20:34:19:892 2016 Router1 IKE/7/DEBUG: add payload to message: PROPOSAL
*Nov 28 20:34:19:992 2016 Router1 IKE/7/DEBUG:   NO: 1
*Nov 28 20:34:20:142 2016 Router1 IKE/7/DEBUG:   PROTO: ISAKMP
*Nov 28 20:34:20:242 2016 Router1 IKE/7/DEBUG:   SPI_SZ: 0
*Nov 28 20:34:20:392 2016 Router1 IKE/7/DEBUG:   NTRANSFORMS: 1
*Nov 28 20:34:20:443 2016 Router1 IKE/7/DEBUG: add payload to message: TRANSFORM
*Nov 28 20:34:20:593 2016 Router1 IKE/7/DEBUG:   NO: 0
*Nov 28 20:34:20:643 2016 Router1 IKE/7/DEBUG:   ID: 1
*Nov 28 20:34:20:693 2016 Router1 IKE/7/DEBUG:   Transform 0's attributes
*Nov 28 20:34:20:793 2016 Router1 IKE/7/DEBUG:   Attribute ENCRYPTION_ALGORITHM : DES_CBC
*Nov 28 20:34:20:843 2016 Router1 IKE/7/DEBUG:   Attribute HASH_ALGORITHM : MD5
*Nov 28 20:34:20:894 2016 Router1 IKE/7/DEBUG:   Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Nov 28 20:34:20:994 2016 Router1 IKE/7/DEBUG:   Attribute GROUP_DESCRIPTION : MODP_1024
*Nov 28 20:34:21:044 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_TYPE : SECONDS
*Nov 28 20:34:21:144 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_DURATION : 28800
*Nov 28 20:34:21:194 2016 Router1 IKE/7/DEBUG: P1 initiator send SA message.
*Nov 28 20:34:21:245 2016 Router1 IKE/7/DEBUG: add payload to message: KEY_EXCH
*Nov 28 20:34:21:345 2016 Router1 IKE/7/DEBUG:   Group ID: 2
*Nov 28 20:34:21:445 2016 Router1 IKE/7/DEBUG: add payload to message: NONCE
*Nov 28 20:34:21:495 2016 Router1 IKE/7/DEBUG: add payload to message: VENDOR
*Nov 28 20:34:21:595 2016 Router1 IKE/7/DEBUG:
IKE_DPD: send VID : afcad713 68a1f1c9 6b8696fc 77570100 (DPD)
*Nov 28 20:34:21:695 2016 Router1 IKE/7/DEBUG: add payload to message: ID
*Nov 28 20:34:21:796 2016 Router1 IKE/7/DEBUG:   TYPE: 1
*Nov 28 20:34:21:846 2016 Router1 IKE/7/DEBUG:   DOI_DATA: 0x000000
*Nov 28 20:34:21:946 2016 Router1 IKE/7/DEBUG: exchange check: checking for required SA
*Nov 28 20:34:22:046 2016 Router1 IKE/7/DEBUG: exchange check: checking for required KEY_EXCH
*Nov 28 20:34:22:096 2016 Router1 IKE/7/DEBUG: exchange check: checking for required NONCE
*Nov 28 20:34:22:197 2016 Router1 IKE/7/DEBUG: exchange check: checking for required ID
*Nov 28 20:34:22:247 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:22:397 2016 Router1 IKE/7/DEBUG:   ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:22:447 2016 Router1 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Nov 28 20:34:22:497 2016 Router1 IKE/7/DEBUG:   NEXT_PAYLOAD: SA
*Nov 28 20:34:22:597 2016 Router1 IKE/7/DEBUG:   VERSION: 16
*Nov 28 20:34:22:699 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:22:799 2016 Router1 IKE/7/DEBUG:   FLAGS: [ ]
*Nov 28 20:34:22:899 2016 Router1 IKE/7/DEBUG:   MESSAGE_ID: 0x00000000
*Nov 28 20:34:22:949 2016 Router1 IKE/7/DEBUG:   LENGTH: 268
*Nov 28 20:34:23:050 2016 Router1 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Nov 28 20:34:23:100 2016 Router1 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
*Nov 28 20:34:23:200 2016 Router1 IPSEC/7/DBG:
 ipsec nat bypass is not enable.
*Nov 28 20:34:24:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:
 IPsec SA is negotiating.
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   NEXT_PAYLOAD: SA
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   VERSION: 16
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   FLAGS: [ ]
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   MESSAGE_ID: 0x00000000
*Nov 28 20:34:28:550 2016 Router1 IKE/7/DEBUG:   LENGTH: 268
*Nov 28 20:34:28:650 2016 Router1 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
manuverhaegen (System & Storage Admin) asked:
John (Business Consultant (Owner)) commented:
That is a mismatch. Can you make them the same?
0
 
John (Business Consultant (Owner)) commented:
This is site-to-site, correct?  Change aggressive mode to Main Mode and turn on NAT Traversal. See if one or both changes help.
0
 
manuverhaegen (System & Storage Admin, author) commented:
I have changed aggressive mode to Main Mode and turned on NAT Traversal.

Tunnel does not come up.

Log file remote site:
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR:  Invalid SA protocol type: 0
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Beginning Identity Protection mode.
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Initiating new phase 1 negotiation: 203.x.x.x[500]<=>202.x.x.x[500]
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 20:44:40 2016 (GMT +0000): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
0
 
John (Business Consultant (Owner)) commented:
Phase 2 negotiation failed due to time up waiting for phase1.

 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group2

This does not precisely match the other end (but I am not completely familiar with command line Cisco).

What is des-cbc on your end compared to des on remote end?

EPF diffie hellman group sup         not selected   <-- Is PFS disabled?  I keep it disabled and then DH Group 2 is not part of phase 2.
0
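A small checker for the proposal comparison John describes above, added here as an example and not code from the thread or from HP/Comware, Netgear or Cisco. It reads the phase-1 attributes the Comware router logs in the question's IKE/7/DEBUG output, normalises vendor spellings before comparing (des-cbc, DES_CBC and DES are the same cipher, DES in CBC mode; MODP_1024 is DH group 2; 480 minutes is 28800 seconds) and the exchange mode (the remote log's "Identity Protection mode" is IKE main mode), and lists only what actually differs. The log lines inside it are constructed from the output quoted in the thread, the remote-side dictionary is typed in from the "Config remote site" list, and the "Aggressive mode" log string it also recognises is an assumption about the remote unit's log format.

```python
"""Compare the IKE phase-1 proposal a Comware router actually sends (read from
its IKE/7/DEBUG output) with what the remote site says it accepts, and list
every real mismatch after normalising vendor spellings and units.

Added example for this thread, not code from HP/Comware, Netgear or Cisco.
The sample log lines are constructed from the debug output quoted in the
question; REMOTE_SITE is typed in from the "Config remote site" list.
"""
import re

# Constructed sample: the proposal lines from the Comware debug in the question.
COMWARE_DEBUG = """\
*Nov 28 20:34:20:793 2016 Router1 IKE/7/DEBUG:   Attribute ENCRYPTION_ALGORITHM : DES_CBC
*Nov 28 20:34:20:843 2016 Router1 IKE/7/DEBUG:   Attribute HASH_ALGORITHM : MD5
*Nov 28 20:34:20:894 2016 Router1 IKE/7/DEBUG:   Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Nov 28 20:34:20:994 2016 Router1 IKE/7/DEBUG:   Attribute GROUP_DESCRIPTION : MODP_1024
*Nov 28 20:34:21:044 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_TYPE : SECONDS
*Nov 28 20:34:21:144 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_DURATION : 28800
*Nov 28 20:34:22:699 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
"""

# Constructed sample: the line of the remote (FVS336GV3) log that names its mode.
REMOTE_LOG = """\
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Beginning Identity Protection mode.
"""

ATTR_RE = re.compile(r"Attribute (\w+) : (\S+)")
EXCH_RE = re.compile(r"EXCH_TYPE: (\w+)")


def parse_comware_phase1(debug_text):
    """Collect the phase-1 attributes and exchange type the router sent."""
    proposal = {}
    for line in debug_text.splitlines():
        if m := ATTR_RE.search(line):
            proposal[m.group(1)] = m.group(2)
        elif m := EXCH_RE.search(line):
            proposal["EXCH_TYPE"] = m.group(1)
    return proposal


def parse_remote_mode(log_text):
    """Read the phase-1 mode from a racoon-style log ('Identity Protection' is
    main mode; the 'Aggressive mode' string is an assumed counterpart)."""
    for line in log_text.splitlines():
        if "Identity Protection mode" in line:
            return "main"
        if "Aggressive mode" in line:
            return "aggressive"
    return None


def canon_enc(value):
    """'DES_CBC', 'des-cbc' and 'DES' are all DES in CBC mode; fold them together."""
    v = value.lower().replace("_", "-")
    v = v.replace("-cbc-", "-")                  # aes-cbc-128 -> aes-128
    v = re.sub(r"-cbc$", "", v)                  # des-cbc -> des
    return re.sub(r"^aes-(\d+)$", r"aes\1", v)   # aes-128 -> aes128


GROUP_BY_MODP = {"modp-768": "group1", "modp-1024": "group2",
                 "modp-1536": "group5", "modp-2048": "group14"}


def canon_group(value):
    """Map 'MODP_1024', 'Group2', 'group2' or '2' to 'group2'."""
    v = value.lower().replace("_", "-").replace(" ", "")
    if v in GROUP_BY_MODP:
        return GROUP_BY_MODP[v]
    if m := re.fullmatch(r"(?:dh)?group(\d+)", v):
        return "group" + m.group(1)
    return "group" + v if v.isdigit() else v


UNIT_SECONDS = {"": 1, "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
                "min": 60, "mins": 60, "minute": 60, "minutes": 60,
                "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600}


def lifetime_seconds(value):
    """Turn '28800', '3600 sec' or '480 minutes' into a number of seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", str(value))
    if not m or m.group(2).lower() not in UNIT_SECONDS:
        raise ValueError(f"cannot parse lifetime {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2).lower()]


def canon_mode(value):
    """'AGGRESSIVE' -> 'aggressive'; 'main' or 'Identity Protection' -> 'main'."""
    v = value.lower()
    if "main" in v or "identity" in v:
        return "main"
    return "aggressive" if "aggr" in v else v


def compare_phase1(local, remote):
    """Return (field, local, remote) for every field whose normalised values differ."""
    checks = [
        ("encryption", canon_enc(local["ENCRYPTION_ALGORITHM"]), canon_enc(remote["encryption"])),
        ("hash", local["HASH_ALGORITHM"].lower(), remote["hash"].lower()),
        ("dh_group", canon_group(local["GROUP_DESCRIPTION"]), canon_group(remote["dh_group"])),
        ("lifetime", lifetime_seconds(local["LIFE_DURATION"]), lifetime_seconds(remote["lifetime"])),
        ("mode", canon_mode(local["EXCH_TYPE"]), canon_mode(remote["mode"])),
    ]
    return [(name, mine, theirs) for name, mine, theirs in checks if mine != theirs]


# Typed in from the "Config remote site" list in the question; the mode comes from its log.
REMOTE_SITE = {"encryption": "des", "hash": "MD5", "dh_group": "Group2",
               "lifetime": "480 minutes", "mode": parse_remote_mode(REMOTE_LOG) or "unknown"}


def diagnose():
    """Mismatches between what the router sends and what the remote site expects."""
    return compare_phase1(parse_comware_phase1(COMWARE_DEBUG), REMOTE_SITE)


if __name__ == "__main__":
    for name, mine, theirs in diagnose():
        print(f"MISMATCH {name}: we send {mine!r}, remote expects {theirs!r}")
```

Run against the thread's own data it reports a single mismatch, the exchange mode (the router sends AGGRESSIVE while the remote log shows main mode), and nothing for des versus des-cbc, Group2 versus MODP_1024, or 480 minutes versus 28800 seconds, which are the same values written in each vendor's own spelling. The IKE debug's connection name (202.x.x.x,203.x.x.x) is the other thing worth reading off the same output: it is the address pair the router actually negotiates with, and should be checked against the peer and tunnel configuration in the same way.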
 
manuverhaegen (System & Storage Admin, author) commented:
Yes, there is a difference between des-cbc and des.
0
 
manuverhaegen (System & Storage Admin, author) commented:
The options on both firewalls are different.
For Checkpoint
IKE: 3DES, AES-128, AES-256, DES, CAST
IPSEC: 3DES, AES-128, AES-256, DES, CAST, DES-40CP, CAST-40

For Cisco
IKE: 3des-cbc, aes-cbc, des-cbc
IPSEC: 3des, aes-cbc-128, aes-cbc-192, aes-cbc-256,
aes-ctr-128, aes-ctr-192, aes-ctr-256, des
0
 
John (Business Consultant (Owner)) commented:
The phases must match and when they do not (as your logs say) then you cannot connect. You may need to replace the Checkpoint VPN with a Cisco VPN box.
0
 
manuverhaegen (System & Storage Admin, author) commented:
This is not a solution for me; we have more than 150 customers with different firewalls. We cannot ask customers to buy Cisco.
0
 
John (Business Consultant (Owner)) commented:
You need then to call Checkpoint Support, lodge a case and see if they can match the Cisco VPN settings.
0
 
John (Business Consultant (Owner)) commented:
Thanks. If you call Checkpoint and need more help, post again and we can assist.
0