Solved

IPsec tunnel does not come up

Posted on 2016-11-28
Last Modified: 2016-11-29

Router HP comware router

Config remote site:
----------------------------
IKE phase 1
  encryption des
  authentication MD5
  Diffie-Hellman group Group2 1024bit
  renegotiate every 480 minutes
  testpassword
IPsec phase
  encryption des
  authentication MD5
  PFS Diffie-Hellman group          not selected
  renegotiate 3600 sec
  LAN 172.x.x.0 /24
  WAN 203.x.x.x

Config my side:
-----------------------
acl number 3001
 rule permit ip source 192.168.x.0 0.0.0.255 destination 172.x.x.x 0.0.0.255
 quit
ike local-name vpntun01
ike proposal 1
 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group2
 sa duration 28800
 quit
ike peer vpntun01
 exchange-mode aggressive
 pre-shared-key simple testpassword
 proposal 1
 local-address 192.168.x.x
 remote-address 172.x.x.x
 quit
ipsec transform-set 1
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm md5
 quit
ipsec profile vpntun01
 ike-peer vpntun01
 transform-set 1
 sa duration time-based 3600
 quit
interface tunnel 1
 ip address 1.1.1.1 24
 tunnel-protocol ipsec ipv4
 source gigabitethernet 0/1
 destination 203.x.x.x
 ipsec profile vpntun01
 quit
ip route-static 172.x.x.x 255.255.255.0 tunnel 1

Log file:
*Nov 28 20:34:19:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:ipsec acquire sa, use ike peer name: "vpntun01".
*Nov 28 20:34:19:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:19:478 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: IKE receive acquire SA request, IKE peer name:vpntun01.
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: Connection name is 202.x.x.x,203.x.x.x,500,,0,1,1
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: Check connection: SA for 202.x.x.x,203.x.x.x,500,,0,1,1 missing
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange lookup :name = 202.x.x.x,203.x.x.x,500,,0,1,1 phase = 2
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange lookup :name = 202.x.x.x,203.x.x.x,500,,0,0,0 phase = 1
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange setup(I): a4c3250
*Nov 28 20:34:19:641 2016 Router1 IKE/7/DEBUG: create udp resource:name = 202.x.x.x,203.x.x.x,500,,0,0,0.
*Nov 28 20:34:19:691 2016 Router1 IKE/7/DEBUG: add payload to message: SA
*Nov 28 20:34:19:791 2016 Router1 IKE/7/DEBUG:   DOI: 1
*Nov 28 20:34:19:892 2016 Router1 IKE/7/DEBUG: add payload to message: PROPOSAL
*Nov 28 20:34:19:992 2016 Router1 IKE/7/DEBUG:   NO: 1
*Nov 28 20:34:20:142 2016 Router1 IKE/7/DEBUG:   PROTO: ISAKMP
*Nov 28 20:34:20:242 2016 Router1 IKE/7/DEBUG:   SPI_SZ: 0
*Nov 28 20:34:20:392 2016 Router1 IKE/7/DEBUG:   NTRANSFORMS: 1
*Nov 28 20:34:20:443 2016 Router1 IKE/7/DEBUG: add payload to message: TRANSFORM
*Nov 28 20:34:20:593 2016 Router1 IKE/7/DEBUG:   NO: 0
*Nov 28 20:34:20:643 2016 Router1 IKE/7/DEBUG:   ID: 1
*Nov 28 20:34:20:693 2016 Router1 IKE/7/DEBUG:   Transform 0's attributes
*Nov 28 20:34:20:793 2016 Router1 IKE/7/DEBUG:   Attribute ENCRYPTION_ALGORITHM : DES_CBC
*Nov 28 20:34:20:843 2016 Router1 IKE/7/DEBUG:   Attribute HASH_ALGORITHM : MD5
*Nov 28 20:34:20:894 2016 Router1 IKE/7/DEBUG:   Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Nov 28 20:34:20:994 2016 Router1 IKE/7/DEBUG:   Attribute GROUP_DESCRIPTION : MODP_1024
*Nov 28 20:34:21:044 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_TYPE : SECONDS
*Nov 28 20:34:21:144 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_DURATION : 28800
*Nov 28 20:34:21:194 2016 Router1 IKE/7/DEBUG: P1 initiator send SA message.
*Nov 28 20:34:21:245 2016 Router1 IKE/7/DEBUG: add payload to message: KEY_EXCH
*Nov 28 20:34:21:345 2016 Router1 IKE/7/DEBUG:   Group ID: 2
*Nov 28 20:34:21:445 2016 Router1 IKE/7/DEBUG: add payload to message: NONCE
*Nov 28 20:34:21:495 2016 Router1 IKE/7/DEBUG: add payload to message: VENDOR
*Nov 28 20:34:21:595 2016 Router1 IKE/7/DEBUG:
IKE_DPD: send VID : afcad713 68a1f1c9 6b8696fc 77570100 (DPD)
*Nov 28 20:34:21:695 2016 Router1 IKE/7/DEBUG: add payload to message: ID
*Nov 28 20:34:21:796 2016 Router1 IKE/7/DEBUG:   TYPE: 1
*Nov 28 20:34:21:846 2016 Router1 IKE/7/DEBUG:   DOI_DATA: 0x000000
*Nov 28 20:34:21:946 2016 Router1 IKE/7/DEBUG: exchange check: checking for required SA
*Nov 28 20:34:22:046 2016 Router1 IKE/7/DEBUG: exchange check: checking for required KEY_EXCH
*Nov 28 20:34:22:096 2016 Router1 IKE/7/DEBUG: exchange check: checking for required NONCE
*Nov 28 20:34:22:197 2016 Router1 IKE/7/DEBUG: exchange check: checking for required ID
*Nov 28 20:34:22:247 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:22:397 2016 Router1 IKE/7/DEBUG:   ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:22:447 2016 Router1 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Nov 28 20:34:22:497 2016 Router1 IKE/7/DEBUG:   NEXT_PAYLOAD: SA
*Nov 28 20:34:22:597 2016 Router1 IKE/7/DEBUG:   VERSION: 16
*Nov 28 20:34:22:699 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:22:799 2016 Router1 IKE/7/DEBUG:   FLAGS: [ ]
*Nov 28 20:34:22:899 2016 Router1 IKE/7/DEBUG:   MESSAGE_ID: 0x00000000
*Nov 28 20:34:22:949 2016 Router1 IKE/7/DEBUG:   LENGTH: 268
*Nov 28 20:34:23:050 2016 Router1 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Nov 28 20:34:23:100 2016 Router1 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
*Nov 28 20:34:23:200 2016 Router1 IPSEC/7/DBG:
 ipsec nat bypass is not enable.
*Nov 28 20:34:24:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:
 IPsec SA is negotiating.
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   NEXT_PAYLOAD: SA
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   VERSION: 16
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   FLAGS: [ ]
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   MESSAGE_ID: 0x00000000
*Nov 28 20:34:28:550 2016 Router1 IKE/7/DEBUG:   LENGTH: 268
*Nov 28 20:34:28:650 2016 Router1 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
Question by: manuverhaegen

10 Comments
LVL 96

Expert Comment

by:Experienced Member
ID: 41904746
This is site-to-site, correct?  Change aggressive mode to Main Mode and turn on NAT Traversal. See if one or both changes help.
0
 
LVL 2

Author Comment

by:manuverhaegen
ID: 41904787
I have changed aggressive mode to Main Mode and turned on NAT Traversal.

The tunnel does not come up.

Log file, remote site:
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR:  Invalid SA protocol type: 0
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Beginning Identity Protection mode.
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Initiating new phase 1 negotiation: 203.x.x.x[500]<=>202.x.x.x[500]
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 20:44:40 2016 (GMT +0000): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 41904794
Phase 2 negotiation failed due to time up waiting for phase1.

 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group2

This does not precisely match the other end (but I am not completely familiar with command line Cisco).

What is des-cbc on your end compared to des on remote end?

PFS Diffie-Hellman group          not selected   <-- Is PFS disabled?  I keep it disabled and then DH Group 2 is not part of phase 2.
0
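An added diagnostic, written for this thread and not part of the original post or of either vendor's software: it parses the phase-1 proposal out of Comware "debugging ike" lines like the ones in the question, normalises the vendor spellings (the Comware CLI's `des-cbc`, the debug output's `DES_CBC` and the remote GUI's `DES` all name the same IKEv1 DES-CBC transform, so that spelling difference on its own is not a mismatch), and diffs it against the remote side's phase-1 settings as listed in the question. With the values from this thread the only phase-1 difference it reports is aggressive mode against the remote's Identity Protection (main) mode, which is what the first reply proposed changing. It also checks that the `ike peer` remote-address equals the tunnel destination, because in the posted configuration the first is the remote LAN (172.x.x.x) and the second the remote WAN (203.x.x.x), and the IKE peer address has to be the peer's public endpoint. The log excerpt, the configuration excerpt and the remote settings inside the block are constructed from what is posted above; the alias table covers only the names that appear in this thread plus the common 3DES/AES/SHA/DH spellings.

```python
"""Added example for this thread (not the original poster's or either vendor's code):
compare a Comware IKE phase-1 proposal, read from 'debugging ike' output, with the
remote peer's configured phase-1 settings, and sanity-check the peer address."""
import re

# Vendor spellings of the same IKEv1 phase-1 attributes (RFC 2409 / IANA ISAKMP registry).
# The Comware CLI says "des-cbc", its debug prints "DES_CBC", the remote GUI says "DES":
# all three are the single DES-CBC transform. The dict values are the canonical forms.
ALIASES = {
    "encr": {"des": "DES", "des-cbc": "DES", "des_cbc": "DES",
             "3des": "3DES", "3des-cbc": "3DES", "3des_cbc": "3DES",
             "aes": "AES", "aes-cbc": "AES", "aes_cbc": "AES",
             "aes-128": "AES128", "aes128": "AES128", "aes-cbc-128": "AES128",
             "aes-256": "AES256", "aes256": "AES256", "aes-cbc-256": "AES256"},
    "hash": {"md5": "MD5", "sha": "SHA1", "sha1": "SHA1", "sha-1": "SHA1"},
    "group": {"1": 1, "group1": 1, "modp_768": 1, "2": 2, "group2": 2, "modp_1024": 2,
              "5": 5, "group5": 5, "modp_1536": 5, "14": 14, "group14": 14, "modp_2048": 14},
    "exchange": {"aggressive": "aggressive", "main": "main", "identity protection": "main"},
}


def normalize(kind, value):
    """Map a vendor spelling to its canonical value; canonical and unknown values pass through."""
    table = ALIASES[kind]
    if value in table.values():
        return value
    key = str(value).strip().lower()
    return table.get(key, key)


# Constructed excerpt in the shape of Comware 'debugging ike' output; values mirror the thread.
COMWARE_IKE_DEBUG = """\
*Nov 28 20:34:20:793 2016 Router1 IKE/7/DEBUG:   Attribute ENCRYPTION_ALGORITHM : DES_CBC
*Nov 28 20:34:20:843 2016 Router1 IKE/7/DEBUG:   Attribute HASH_ALGORITHM : MD5
*Nov 28 20:34:20:894 2016 Router1 IKE/7/DEBUG:   Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Nov 28 20:34:20:994 2016 Router1 IKE/7/DEBUG:   Attribute GROUP_DESCRIPTION : MODP_1024
*Nov 28 20:34:21:044 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_TYPE : SECONDS
*Nov 28 20:34:21:144 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_DURATION : 28800
*Nov 28 20:34:22:699 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
"""

ATTR_RE = re.compile(r"Attribute (\w+) : (\S+)")
EXCH_RE = re.compile(r"EXCH_TYPE: (\w+)")
ATTR_KEYS = {"ENCRYPTION_ALGORITHM": "encr", "HASH_ALGORITHM": "hash",
             "GROUP_DESCRIPTION": "group", "LIFE_DURATION": "lifetime_s"}


def parse_comware_phase1(log):
    """Pull the phase-1 proposal the router actually sent out of its IKE debug lines."""
    proposal = {}
    for line in log.splitlines():
        m = ATTR_RE.search(line)
        if m and m.group(1) in ATTR_KEYS:
            key = ATTR_KEYS[m.group(1)]
            proposal[key] = int(m.group(2)) if key == "lifetime_s" else normalize(key, m.group(2))
        m = EXCH_RE.search(line)
        if m:
            proposal["exchange"] = normalize("exchange", m.group(1))
    return proposal


# Remote side as listed in the question (480 min lifetime); its own log reports
# "Beginning Identity Protection mode", i.e. main mode.
REMOTE_PHASE1 = {"encr": "DES", "hash": "MD5", "group": "Group2",
                 "lifetime_s": 480 * 60, "exchange": "Identity Protection"}


def phase1_mismatches(local, remote):
    """Return [(attribute, local, remote)] for each phase-1 attribute that still differs after normalisation."""
    diffs = []
    for key in ("encr", "hash", "group", "lifetime_s", "exchange"):
        lv, rv = local.get(key), remote.get(key)
        if key != "lifetime_s":
            lv, rv = normalize(key, lv), normalize(key, rv)
        if lv != rv:
            diffs.append((key, lv, rv))
    return diffs


# Constructed excerpt of the posted Comware configuration (addresses masked as in the post).
COMWARE_CONFIG = """\
ike peer vpntun01
 exchange-mode aggressive
 remote-address 172.x.x.x
 quit
interface tunnel 1
 tunnel-protocol ipsec ipv4
 destination 203.x.x.x
 ipsec profile vpntun01
 quit
"""


def peer_vs_tunnel_destination(config):
    """The ike peer's remote-address is the peer's IKE endpoint, so it should equal the tunnel destination."""
    peer = re.search(r"^\s*remote-address\s+(\S+)", config, re.M)
    dest = re.search(r"^\s*destination\s+(\S+)", config, re.M)
    if not (peer and dest):
        return None
    return peer.group(1) == dest.group(1), peer.group(1), dest.group(1)


if __name__ == "__main__":
    local = parse_comware_phase1(COMWARE_IKE_DEBUG)
    for key, lv, rv in phase1_mismatches(local, REMOTE_PHASE1):
        print(f"phase-1 mismatch on {key}: local={lv} remote={rv}")
    same, peer, dest = peer_vs_tunnel_destination(COMWARE_CONFIG)
    if not same:
        print(f"ike peer remote-address {peer} differs from tunnel destination {dest}")
```

Whatever makes the tunnel come up, two things in this configuration deserve a follow-up once it works: aggressive mode with a pre-shared key sends the identity and the PSK-derived hash unencrypted in the first exchange, so anyone who captures it can brute-force the PSK offline, and DES, MD5 and DH group 2 are all deprecated. Both ends in the thread offer 3DES/AES, so the long-term fix is main mode with AES, SHA and a larger DH group on both sides, checked with the same comparison.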
 
LVL 2

Author Comment

by:manuverhaegen
ID: 41906123
Yes, there is a difference between des-cbc and des.
0
 
LVL 96

Accepted Solution

by: Experienced Member (earned 500 total points)
ID: 41906144
That is a mis-match. Can you make them the same?
0
 
LVL 2

Author Comment

by:manuverhaegen
ID: 41906189
The options on both firewalls are different.
For Checkpoint:
IKE: 3DES, AES-128, AES256, DES, CAST
IPSEC: 3DES, AES-128, AES-256, DES, CAST, DES-40CP, CAST-40

For Cisco:
IKE: 3des-cbc, aes-cbc, des-cbc
IPSEC: 3des, aes-cbc-128, aes-cbc-192, aes-cbc-256,
aes-ctr-128, aes-ctr-192, aes-ctr-256, des
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 41906241
The phases must match and when they do not (as your logs say) then you cannot connect. You may need to replace the Checkpoint VPN with a Cisco VPN box.
0
 
LVL 2

Author Comment

by:manuverhaegen
ID: 41906246
This is not a solution for me; we have more than 150 customers with different firewalls. We cannot ask customers to buy Cisco.
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 41906255
You need then to call Checkpoint Support, lodge a case and see if they can match the Cisco VPN settings.
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 41906331
Thanks. If you call Checkpoint and need more help, post again and we can assist.
0
