Solved

IPsec tunnel does not come up

Posted on 2016-11-28
Last Modified: 2016-11-29
Router: HP Comware router

Config remote site:
----------------------------
IKE phase 1
  encryption des
  authen MD5
  diffie-hellman group Group2 1024bit
  renegotiate every 480 minutes
  testpassword
IPSEC phase
  encryption des
  authen MD5
  EPF diffie hellman group sup   not selected
  renegotiate every 3600 sec
  LAN 172.x.x.0 /24
  WAN 203.x.x.x

Config my side:
-----------------------
acl number 3001
 rule permit ip source 192.168.x.0 0.0.0.255 destination 172.x.x.x 0.0.0.255
 quit
ike local-name vpntun01
ike proposal 1
 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group2
 sa duration 28800
 quit
ike peer vpntun01
 exchange-mode aggressive
 pre-shared-key simple testpassword
 proposal 1
 local-address 192.168.x.x
 remote-address 172.x.x.x
 quit
ipsec transform-set 1
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm md5
 quit
ipsec profile vpntun01
 ike-peer vpntun01
 transform-set 1
 sa duration time-based 3600
 quit
interface tunnel 1
 ip address 1.1.1.1 24
 tunnel-protocol ipsec ipv4
 source gigabitethernet 0/1
 destination 203.x.x.x
 ipsec profile vpntun01
 quit
ip route-static 172.x.x.x 255.255.255.0 tunnel 1

Log file:
*Nov 28 20:34:19:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:ipsec acquire sa, use ike peer name: "vpntun01".
*Nov 28 20:34:19:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:19:478 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: IKE receive acquire SA request, IKE peer name:vpntun01.
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: Connection name is 202.x.x.x,203.x.x.x,500,,0,1,1
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: Check connection: SA for 202.x.x.x,203.x.x.x,500,,0,1,1 missing
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange lookup :name = 202.x.x.x,203.x.x.x,500,,0,1,1 phase = 2
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange lookup :name = 202.x.x.x,203.x.x.x,500,,0,0,0 phase = 1
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange setup(I): a4c3250
*Nov 28 20:34:19:641 2016 Router1 IKE/7/DEBUG: create udp resource:name = 202.x.x.x,203.x.x.x,500,,0,0,0.
*Nov 28 20:34:19:691 2016 Router1 IKE/7/DEBUG: add payload to message: SA
*Nov 28 20:34:19:791 2016 Router1 IKE/7/DEBUG:   DOI: 1
*Nov 28 20:34:19:892 2016 Router1 IKE/7/DEBUG: add payload to message: PROPOSAL
*Nov 28 20:34:19:992 2016 Router1 IKE/7/DEBUG:   NO: 1
*Nov 28 20:34:20:142 2016 Router1 IKE/7/DEBUG:   PROTO: ISAKMP
*Nov 28 20:34:20:242 2016 Router1 IKE/7/DEBUG:   SPI_SZ: 0
*Nov 28 20:34:20:392 2016 Router1 IKE/7/DEBUG:   NTRANSFORMS: 1
*Nov 28 20:34:20:443 2016 Router1 IKE/7/DEBUG: add payload to message: TRANSFORM
*Nov 28 20:34:20:593 2016 Router1 IKE/7/DEBUG:   NO: 0
*Nov 28 20:34:20:643 2016 Router1 IKE/7/DEBUG:   ID: 1
*Nov 28 20:34:20:693 2016 Router1 IKE/7/DEBUG:   Transform 0's attributes
*Nov 28 20:34:20:793 2016 Router1 IKE/7/DEBUG:   Attribute ENCRYPTION_ALGORITHM : DES_CBC
*Nov 28 20:34:20:843 2016 Router1 IKE/7/DEBUG:   Attribute HASH_ALGORITHM : MD5
*Nov 28 20:34:20:894 2016 Router1 IKE/7/DEBUG:   Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Nov 28 20:34:20:994 2016 Router1 IKE/7/DEBUG:   Attribute GROUP_DESCRIPTION : MODP_1024
*Nov 28 20:34:21:044 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_TYPE : SECONDS
*Nov 28 20:34:21:144 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_DURATION : 28800
*Nov 28 20:34:21:194 2016 Router1 IKE/7/DEBUG: P1 initiator send SA message.
*Nov 28 20:34:21:245 2016 Router1 IKE/7/DEBUG: add payload to message: KEY_EXCH
*Nov 28 20:34:21:345 2016 Router1 IKE/7/DEBUG:   Group ID: 2
*Nov 28 20:34:21:445 2016 Router1 IKE/7/DEBUG: add payload to message: NONCE
*Nov 28 20:34:21:495 2016 Router1 IKE/7/DEBUG: add payload to message: VENDOR
*Nov 28 20:34:21:595 2016 Router1 IKE/7/DEBUG:
IKE_DPD: send VID : afcad713 68a1f1c9 6b8696fc 77570100 (DPD)
*Nov 28 20:34:21:695 2016 Router1 IKE/7/DEBUG: add payload to message: ID
*Nov 28 20:34:21:796 2016 Router1 IKE/7/DEBUG:   TYPE: 1
*Nov 28 20:34:21:846 2016 Router1 IKE/7/DEBUG:   DOI_DATA: 0x000000
*Nov 28 20:34:21:946 2016 Router1 IKE/7/DEBUG: exchange check: checking for required SA
*Nov 28 20:34:22:046 2016 Router1 IKE/7/DEBUG: exchange check: checking for required KEY_EXCH
*Nov 28 20:34:22:096 2016 Router1 IKE/7/DEBUG: exchange check: checking for required NONCE
*Nov 28 20:34:22:197 2016 Router1 IKE/7/DEBUG: exchange check: checking for required ID
*Nov 28 20:34:22:247 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:22:397 2016 Router1 IKE/7/DEBUG:   ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:22:447 2016 Router1 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Nov 28 20:34:22:497 2016 Router1 IKE/7/DEBUG:   NEXT_PAYLOAD: SA
*Nov 28 20:34:22:597 2016 Router1 IKE/7/DEBUG:   VERSION: 16
*Nov 28 20:34:22:699 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:22:799 2016 Router1 IKE/7/DEBUG:   FLAGS: [ ]
*Nov 28 20:34:22:899 2016 Router1 IKE/7/DEBUG:   MESSAGE_ID: 0x00000000
*Nov 28 20:34:22:949 2016 Router1 IKE/7/DEBUG:   LENGTH: 268
*Nov 28 20:34:23:050 2016 Router1 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Nov 28 20:34:23:100 2016 Router1 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
*Nov 28 20:34:23:200 2016 Router1 IPSEC/7/DBG:
 ipsec nat bypass is not enable.
*Nov 28 20:34:24:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:
 IPsec SA is negotiating.
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   NEXT_PAYLOAD: SA
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   VERSION: 16
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   FLAGS: [ ]
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   MESSAGE_ID: 0x00000000
*Nov 28 20:34:28:550 2016 Router1 IKE/7/DEBUG:   LENGTH: 268
*Nov 28 20:34:28:650 2016 Router1 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
Question by: manuverhaegen
10 Comments
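The thread turns on whether the two ends' phase 1 and phase 2 settings really match. The script below is an added example, not code from the question or from HP/Comware: it parses a Comware-style configuration into sections and compares it with the parameters the remote site's GUI lists, folding vendor spellings of one algorithm together (des and des-cbc both name the DES-CBC transform in IKE) and units (480 minutes against a lifetime in seconds), and it also checks that the ike peer remote-address and the tunnel destination both point at the remote site's WAN address rather than its LAN. The configuration text is a constructed, shortened stand-in for the one in the question with documentation-range addresses in place of the masked x.x values; the REMOTE_SITE dictionary keys and the CANONICAL table are my own naming, not vendor fields.

```python
import re

# Constructed stand-in for the question's configuration: same structure, fewer
# lines, documentation-range addresses in place of the masked x.x values.
COMWARE_CONFIG = """\
ike proposal 1
 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group2
 sa duration 28800
 quit
ike peer vpntun01
 exchange-mode aggressive
 pre-shared-key simple testpassword
 proposal 1
 remote-address 172.16.20.1
 quit
ipsec transform-set 1
 esp encryption-algorithm des
 esp authentication-algorithm md5
 quit
ipsec profile vpntun01
 ike-peer vpntun01
 transform-set 1
 sa duration time-based 3600
 quit
interface tunnel 1
 destination 203.0.113.10
 ipsec profile vpntun01
 quit
"""

# The remote site's settings as listed in the question (dictionary keys are my own).
REMOTE_SITE = {
    "phase1": {"encryption": "des", "hash": "md5", "dh_group": 2,
               "lifetime_minutes": 480, "psk": "testpassword"},
    "phase2": {"encryption": "des", "hash": "md5", "pfs_group": None,
               "lifetime_seconds": 3600, "wan": "203.0.113.10"},
}

# Vendor spellings of one algorithm folded to a single name (my own table).
CANONICAL = {"des-cbc": "des", "3des-cbc": "3des", "aes-cbc": "aes128", "aes-128": "aes128",
             "aes-cbc-128": "aes128", "aes-256": "aes256", "aes-cbc-256": "aes256", "sha": "sha1"}


def canon(name):
    return CANONICAL.get(name.lower(), name.lower()) if name else None


def group_number(token):
    # "group2" -> 2; None (no pfs line in the profile) stays None
    return int(re.sub(r"\D", "", token)) if token else None


def parse_comware(text):
    """Map each top-level command to the tokenised lines indented under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        if raw.startswith(" "):
            if current is not None and raw.split() != ["quit"]:
                sections[current].append(raw.split())
        elif raw.strip():
            current = raw.strip()
            sections[current] = []
    return sections


def value(lines, *prefix):
    """Last token of the first line starting with the given keywords, else None."""
    for toks in lines:
        if tuple(toks[:len(prefix)]) == prefix:
            return toks[-1]
    return None


def compare(config_text, profile_name, remote):
    """Return [(area, field, local, remote), ...] for every setting that differs."""
    cfg = parse_comware(config_text)
    findings = []

    def check(area, field, local, rem):
        if local != rem:
            findings.append((area, field, local, rem))

    profile = cfg[f"ipsec profile {profile_name}"]
    peer = cfg[f"ike peer {value(profile, 'ike-peer')}"]
    prop = cfg[f"ike proposal {value(peer, 'proposal')}"]
    ts = cfg[f"ipsec transform-set {value(profile, 'transform-set')}"]
    p1, p2 = remote["phase1"], remote["phase2"]
    # Phase 1: IKE proposal/peer vs remote IKE settings (Comware lifetimes are in seconds).
    check("phase1", "encryption", canon(value(prop, "encryption-algorithm")), canon(p1["encryption"]))
    check("phase1", "hash", canon(value(prop, "authentication-algorithm")), canon(p1["hash"]))
    check("phase1", "dh group", group_number(value(prop, "dh")), p1["dh_group"])
    check("phase1", "lifetime (s)", int(value(prop, "sa", "duration")), p1["lifetime_minutes"] * 60)
    check("phase1", "pre-shared key", value(peer, "pre-shared-key"), p1["psk"])
    # Phase 2: transform set and profile vs remote IPsec settings.
    check("phase2", "encryption", canon(value(ts, "esp", "encryption-algorithm")), canon(p2["encryption"]))
    check("phase2", "auth", canon(value(ts, "esp", "authentication-algorithm")), canon(p2["hash"]))
    check("phase2", "pfs group", group_number(value(profile, "pfs")), p2["pfs_group"])
    check("phase2", "lifetime (s)", int(value(profile, "sa", "duration", "time-based")), p2["lifetime_seconds"])
    # Addressing: both the IKE peer and the tunnel destination must be the remote WAN address.
    check("peer", "ike remote-address", value(peer, "remote-address"), p2["wan"])
    for name, lines in cfg.items():
        if name.startswith("interface tunnel") and value(lines, "ipsec", "profile") == profile_name:
            check("peer", f"{name} destination", value(lines, "destination"), p2["wan"])
    return findings
```

Run against the sample, the crypto parameters of both phases come out equal after normalisation and the lifetimes agree (480 min = 28800 s); the only finding is that the IKE peer's remote-address is a LAN address while the tunnel destination is the remote WAN, which is the kind of discrepancy a line-by-line eyeball comparison of two vendors' vocabularies tends to miss.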
 
Expert Comment

by:John Hurst
ID: 41904746
This is site-to-site, correct?  Change aggressive mode to Main Mode and turn on NAT Traversal. See if one or both changes help.
Author Comment

by:manuverhaegen
ID: 41904787
I have changed aggressive mode to Main Mode and turned on NAT Traversal.

The tunnel still does not come up.

Log file, remote site:
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR:  Invalid SA protocol type: 0
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Beginning Identity Protection mode.
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Initiating new phase 1 negotiation: 203.x.x.x[500]<=>202.x.x.x[500]
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 20:44:40 2016 (GMT +0000): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
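Reading the two logs side by side is the other half of the diagnosis: the Comware side keeps resending its first message with an all-zero responder cookie, meaning no reply was processed, while the remote side records the incoming requests and then times out waiting for phase 1. The script below, an added example that is not from the thread or from either vendor, parses both formats and turns those symptoms into a short verdict. Its sample log lines are constructed to follow the formats shown above, with documentation-range addresses and a made-up cookie; the keys of the returned dictionary are my own naming.

```python
import re

# Constructed samples in the two formats seen in the thread: HP Comware IKE/TUNNEL
# debugging output and a Netgear FVS336G "[IKE]" log (addresses and cookie made up).
LOCAL_LOG = """\
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: Connection name is 198.51.100.5,203.0.113.10,500,,0,1,1
*Nov 28 20:34:22:247 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:22:397 2016 Router1 IKE/7/DEBUG:   ICOOKIE: 0x0123456789abcdef
*Nov 28 20:34:22:447 2016 Router1 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Nov 28 20:34:22:699 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:23:050 2016 Router1 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   ICOOKIE: 0x0123456789abcdef
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
"""
REMOTE_LOG = """\
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Initiating new phase 1 negotiation: 203.0.113.10[500]<=>198.51.100.5[500]
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 198.51.100.5
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 198.51.100.5
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR:  Invalid SA protocol type: 0
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
"""

COMWARE = re.compile(r"^\*\w{3} +\d+ [\d:]+ \d{4} \S+ (?P<module>\w+)/\d+/\w+:\s*(?P<msg>.*)$")
FIELD = re.compile(r"^([A-Z_]+): (.*)$")  # "RCOOKIE: 0x..." style header dump lines
NETGEAR = re.compile(r"\[IKE\] (?P<level>[A-Z]+):\s+(?P<msg>.*\S)")
ZERO_COOKIE = "0x" + "0" * 16


def parse_comware_log(text):
    """Return (ISAKMP headers the router sent, tunnel failure reasons, peer address)."""
    messages, reasons, peer = [], [], None
    current, in_tunnel = None, False
    for line in text.splitlines():
        m = COMWARE.match(line)
        if not m:  # TUNNEL entries carry their text on the following, unprefixed line
            if in_tunnel and not line.endswith("because:"):
                reasons.append(line.strip())
            continue
        module, msg = m.group("module"), m.group("msg").strip()
        in_tunnel = module == "TUNNEL"
        if module != "IKE":
            continue
        if msg.startswith("Connection name is"):
            peer = msg.split()[3].split(",")[1]  # "local,remote,port,..." tuple
        elif msg == "send message:":
            current = {}
            messages.append(current)
        elif current is not None and (f := FIELD.match(msg)):
            current[f.group(1)] = f.group(2)
        else:
            current = None  # header dump finished
    return messages, reasons, peer


def parse_netgear_log(text):
    """Return (ERROR messages, count of accepted IKE-SA requests)."""
    errors, accepted = [], 0
    for m in (NETGEAR.search(l) for l in text.splitlines()):
        if not m:
            continue
        if m.group("level") == "ERROR":
            errors.append(m.group("msg"))
        elif m.group("msg").startswith("accept a request to establish IKE-SA"):
            accepted += 1
    return errors, accepted


def triage(local_text, remote_text):
    """Combine both views into one report with a plain-language verdict."""
    messages, reasons, peer = parse_comware_log(local_text)
    errors, accepted = parse_netgear_log(remote_text)
    # An IKEv1 initiator's first message carries an all-zero responder cookie; sending
    # it again with the same ICOOKIE means no reply from the peer was ever processed.
    first = [m for m in messages if m.get("RCOOKIE") == ZERO_COOKIE]
    replied = any(m.get("RCOOKIE") not in (None, ZERO_COOKIE) for m in messages)
    if replied:
        verdict = "phase 1 got a reply: check proposal selection and phase 2 on both sides"
    elif len(first) > 1 and accepted:
        verdict = ("phase 1 never completed: the initiator retransmitted its first message while the "
                   "responder logged the requests and timed out; check that the IKE peer and tunnel "
                   "destination are the responder's public address and that the phase 1 proposal, "
                   "identity and pre-shared key match")
    elif len(first) > 1:
        verdict = "no reply and the responder saw nothing: check reachability, UDP/500 filtering, NAT"
    else:
        verdict = "not enough messages to decide"
    return {
        "peer": peer,
        "exchange_type": next((m["EXCH_TYPE"] for m in messages if "EXCH_TYPE" in m), None),
        "unanswered_first_messages": len(first),
        "responder_replied": replied,
        "tunnel_reasons": reasons,
        "remote_accepted_requests": accepted,
        "remote_errors": errors,
        "verdict": verdict,
    }
```

The verdict deliberately distinguishes "the responder never logged a request" (a reachability or filtering problem) from "the responder saw the requests but phase 1 still timed out" (an addressing, proposal, identity or key problem on one of the two ends), because the two call for different next steps.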
Expert Comment

by:John Hurst
ID: 41904794
Phase 2 negotiation failed due to time up waiting for phase1.

 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group2

This does not precisely match the other end (but I am not completely familiar with command line Cisco).

What is des-cbc on your end compared to des on remote end?

EPF diffie hellman groep sup         not selected   <-- Is PFS disabled?  I keep it disabled and then DH Group 2 is not part of phase 2.
Author Comment

by:manuverhaegen
ID: 41906123
Yes, there is a difference between des-cbc and des.
Accepted Solution

by: John Hurst (earned 2000 total points)
ID: 41906144
That is a mismatch. Can you make them the same?
Author Comment

by:manuverhaegen
ID: 41906189
The options on both firewalls are different.
For Checkpoint
IKE: 3DES, AES-128, AES-256, DES, CAST
IPSEC: 3DES, AES-128, AES-256, DES, CAST, DES-40CP, CAST-40

For Cisco
IKE: 3des-cbc, aes-cbc, des-cbc
IPSEC: 3des, aes-cbc-128, aes-cbc-192, aes-cbc-256,
aes-ctr-128, aes-ctr-192, aes-ctr-256, des
Expert Comment

by:John Hurst
ID: 41906241
The phases must match and when they do not (as your logs say) then you cannot connect. You may need to replace the Checkpoint VPN with a Cisco VPN box.
Author Comment

by:manuverhaegen
ID: 41906246
This is not a solution for me; we have more than 150 customers with different firewalls. We cannot ask customers to buy Cisco.
Expert Comment

by:John Hurst
ID: 41906255
You need then to call Checkpoint Support, lodge a case and see if they can match the Cisco VPN settings.
Expert Comment

by:John Hurst
ID: 41906331
Thanks. If you call Checkpoint and need more help, post again and we can assist.