Solved

IPsec tunnel does not come up

Posted on 2016-11-28
Last Modified: 2016-11-29

Router: HP Comware router

Config, remote site:
----------------------------
IKE phase 1
  encryption des
  authentication MD5
  Diffie-Hellman group: Group2 1024bit
  renegotiate every 480 minutes
  testpassword
IPsec phase
  encryption des
  authentication MD5
  PFS Diffie-Hellman group support: not selected
  renegotiate every 3600 sec
  LAN 172.x.x.0 /24
  WAN 203.x.x.x

Config, my side:
-----------------------
acl number 3001
 rule permit ip source 192.168.x.0 0.0.0.255 destination 172.x.x.x 0.0.0.255
 quit
ike local-name vpntun01
ike proposal 1
 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group2
 sa duration 28800
 quit
ike peer vpntun01
 exchange-mode aggressive
 pre-shared-key simple testpassword
 proposal 1
 local-address 192.168.x.x
 remote-address 172.x.x.x
 quit
ipsec transform-set 1
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm md5
 quit
ipsec profile vpntun01
 ike-peer vpntun01
 transform-set 1
 sa duration time-based 3600
 quit
interface tunnel 1
 ip address 1.1.1.1 24
 tunnel-protocol ipsec ipv4
 source gigabitethernet 0/1
 destination 203.x.x.x
 ipsec profile vpntun01
 quit
ip route-static 172.x.x.x 255.255.255.0 tunnel 1

Log file:
*Nov 28 20:34:19:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:ipsec acquire sa, use ike peer name: "vpntun01".
*Nov 28 20:34:19:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:19:478 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: IKE receive acquire SA request, IKE peer name:vpntun01.
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: Connection name is 202.x.x.x,203.x.x.x,500,,0,1,1
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: Check connection: SA for 202.x.x.x,203.x.x.x,500,,0,1,1 missing
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange lookup :name = 202.x.x.x,203.x.x.x,500,,0,1,1 phase = 2
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange lookup :name = 202.x.x.x,203.x.x.x,500,,0,0,0 phase = 1
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange setup(I): a4c3250
*Nov 28 20:34:19:641 2016 Router1 IKE/7/DEBUG: create udp resource:name = 202.x.x.x,203.x.x.x,500,,0,0,0.
*Nov 28 20:34:19:691 2016 Router1 IKE/7/DEBUG: add payload to message: SA
*Nov 28 20:34:19:791 2016 Router1 IKE/7/DEBUG:   DOI: 1
*Nov 28 20:34:19:892 2016 Router1 IKE/7/DEBUG: add payload to message: PROPOSAL
*Nov 28 20:34:19:992 2016 Router1 IKE/7/DEBUG:   NO: 1
*Nov 28 20:34:20:142 2016 Router1 IKE/7/DEBUG:   PROTO: ISAKMP
*Nov 28 20:34:20:242 2016 Router1 IKE/7/DEBUG:   SPI_SZ: 0
*Nov 28 20:34:20:392 2016 Router1 IKE/7/DEBUG:   NTRANSFORMS: 1
*Nov 28 20:34:20:443 2016 Router1 IKE/7/DEBUG: add payload to message: TRANSFORM
*Nov 28 20:34:20:593 2016 Router1 IKE/7/DEBUG:   NO: 0
*Nov 28 20:34:20:643 2016 Router1 IKE/7/DEBUG:   ID: 1
*Nov 28 20:34:20:693 2016 Router1 IKE/7/DEBUG:   Transform 0's attributes
*Nov 28 20:34:20:793 2016 Router1 IKE/7/DEBUG:   Attribute ENCRYPTION_ALGORITHM : DES_CBC
*Nov 28 20:34:20:843 2016 Router1 IKE/7/DEBUG:   Attribute HASH_ALGORITHM : MD5
*Nov 28 20:34:20:894 2016 Router1 IKE/7/DEBUG:   Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Nov 28 20:34:20:994 2016 Router1 IKE/7/DEBUG:   Attribute GROUP_DESCRIPTION : MODP_1024
*Nov 28 20:34:21:044 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_TYPE : SECONDS
*Nov 28 20:34:21:144 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_DURATION : 28800
*Nov 28 20:34:21:194 2016 Router1 IKE/7/DEBUG: P1 initiator send SA message.
*Nov 28 20:34:21:245 2016 Router1 IKE/7/DEBUG: add payload to message: KEY_EXCH
*Nov 28 20:34:21:345 2016 Router1 IKE/7/DEBUG:   Group ID: 2
*Nov 28 20:34:21:445 2016 Router1 IKE/7/DEBUG: add payload to message: NONCE
*Nov 28 20:34:21:495 2016 Router1 IKE/7/DEBUG: add payload to message: VENDOR
*Nov 28 20:34:21:595 2016 Router1 IKE/7/DEBUG:
IKE_DPD: send VID : afcad713 68a1f1c9 6b8696fc 77570100 (DPD)
*Nov 28 20:34:21:695 2016 Router1 IKE/7/DEBUG: add payload to message: ID
*Nov 28 20:34:21:796 2016 Router1 IKE/7/DEBUG:   TYPE: 1
*Nov 28 20:34:21:846 2016 Router1 IKE/7/DEBUG:   DOI_DATA: 0x000000
*Nov 28 20:34:21:946 2016 Router1 IKE/7/DEBUG: exchange check: checking for required SA
*Nov 28 20:34:22:046 2016 Router1 IKE/7/DEBUG: exchange check: checking for required KEY_EXCH
*Nov 28 20:34:22:096 2016 Router1 IKE/7/DEBUG: exchange check: checking for required NONCE
*Nov 28 20:34:22:197 2016 Router1 IKE/7/DEBUG: exchange check: checking for required ID
*Nov 28 20:34:22:247 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:22:397 2016 Router1 IKE/7/DEBUG:   ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:22:447 2016 Router1 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Nov 28 20:34:22:497 2016 Router1 IKE/7/DEBUG:   NEXT_PAYLOAD: SA
*Nov 28 20:34:22:597 2016 Router1 IKE/7/DEBUG:   VERSION: 16
*Nov 28 20:34:22:699 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:22:799 2016 Router1 IKE/7/DEBUG:   FLAGS: [ ]
*Nov 28 20:34:22:899 2016 Router1 IKE/7/DEBUG:   MESSAGE_ID: 0x00000000
*Nov 28 20:34:22:949 2016 Router1 IKE/7/DEBUG:   LENGTH: 268
*Nov 28 20:34:23:050 2016 Router1 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Nov 28 20:34:23:100 2016 Router1 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
*Nov 28 20:34:23:200 2016 Router1 IPSEC/7/DBG:
 ipsec nat bypass is not enable.
*Nov 28 20:34:24:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:
 IPsec SA is negotiating.
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   NEXT_PAYLOAD: SA
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG:   VERSION: 16
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   FLAGS: [ ]
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG:   MESSAGE_ID: 0x00000000
*Nov 28 20:34:28:550 2016 Router1 IKE/7/DEBUG:   LENGTH: 268
*Nov 28 20:34:28:650 2016 Router1 IPSEC/7/DBG:
  Entering IPsec NAT bypass pross.
Question by: manuverhaegen

10 Comments
 
Expert Comment by: John Hurst (ID: 41904746)
This is site-to-site, correct?  Change aggressive mode to Main Mode and turn on NAT Traversal. See if one or both changes help.
 
Author Comment by: manuverhaegen (ID: 41904787)
I have changed aggressive mode to Main Mode and turned on NAT Traversal.

Tunnel does not come up.

Log file, remote site:
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR:  Invalid SA protocol type: 0
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 9
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 8
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:190]: XXX: setting vendorid: 4
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:   [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Beginning Identity Protection mode.
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Initiating new phase 1 negotiation: 203.x.x.x[500]<=>202.x.x.x[500]
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO:  Configuration found for 202.x.x.x.
Mon Nov 28 20:44:40 2016 (GMT +0000): [FVS336GV3] [IKE] INFO:  accept a request to establish IKE-SA: 202.x.x.x
 
Expert Comment by: John Hurst (ID: 41904794)
Phase 2 negotiation failed due to time up waiting for phase1.

 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group2

This does not precisely match the other end (but I am not completely familiar with command line Cisco).

What is des-cbc on your end compared to des on remote end?

PFS Diffie-Hellman group support: not selected   <-- Is PFS disabled?  I keep it disabled and then DH Group 2 is not part of phase 2.
 
Author Comment by: manuverhaegen (ID: 41906123)
Yes, there is a difference between des-cbc and des.
 
Accepted Solution by: John Hurst (earned 500 total points, ID: 41906144)
That is a mis-match. Can you make them the same?
 
Author Comment by: manuverhaegen (ID: 41906189)
The options on both firewalls are different.
For Checkpoint:
IKE: 3DES, AES-128, AES256, DES, CAST
IPsec: 3DES, AES-128, AES-256, DES, CAST, DES-40CP, CAST-40

For Cisco:
IKE: 3des-cbc, aes-cbc, des-cbc
IPsec: 3des, aes-cbc-128, aes-cbc-192, aes-cbc-256,
aes-ctr-128, aes-ctr-192, aes-ctr-256, des
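
The phase-1 attributes in the Comware debug output of the original post and the algorithm names listed in the comment above describe the same proposal in two vendor vocabularies, so an added example follows (not code from the thread, nor from HP/H3C, Netgear or Check Point): a small Python script that maps each vendor's spelling to the numeric value IKEv1 actually puts on the wire and reports only the fields that still differ after that mapping. RFC 2409 Appendix A numbers the phase-1 encryption attribute (DES-CBC is 1, 3DES-CBC is 5, AES-CBC is 7, with the AES key length carried as a separate attribute); RFC 2407 numbers the ESP transforms (ESP_DES is 2, ESP_3DES is 3) and the ESP authentication attribute (HMAC-MD5 is 1, HMAC-SHA is 2). The script also recovers the proposal the Comware initiator actually sent from its IKE debug lines (the lines quoted in the post, re-entered here as constructed input), which is the value worth checking against the peer's configuration rather than the config text itself. Spellings not quoted in the thread (such as "cast-cbc", "hmac-sha1", "modp_2048") are assumed aliases.

```python
"""Map two vendors' IKEv1 proposal spellings to the numeric values that go on
the wire and report only the fields that still differ after that mapping.

Added example for this thread; not code from HP/H3C, Netgear or Check Point.
Values: RFC 2409 Appendix A (phase-1 attributes), RFC 2407 sections 4.4.4 and
4.5 (ESP transform IDs, ESP authentication), RFC 3602 / RFC 3686 (AES-CBC,
AES-CTR). Spellings not quoted in the thread are assumed aliases.
"""
import re

# Phase 1 (ISAKMP SA): Encryption Algorithm, Hash Algorithm, Group Description.
IKE_ENCR = {"des": 1, "des-cbc": 1, "3des": 5, "3des-cbc": 5,
            "cast": 6, "cast-cbc": 6, "aes": 7, "aes-cbc": 7}
IKE_HASH = {"md5": 1, "sha": 2, "sha1": 2, "sha-1": 2}
IKE_GROUP = {"group1": 1, "modp_768": 1, "group2": 2, "modp_1024": 2,
             "group5": 5, "modp_1536": 5, "group14": 14, "modp_2048": 14}
# Phase 2 (IPsec SA): ESP transform ID and ESP Authentication Algorithm attribute.
ESP_ENCR = {"des": 2, "3des": 3, "cast": 6, "aes": 12, "aes-cbc": 12, "aes-ctr": 13}
ESP_AUTH = {"md5": 1, "hmac-md5": 1, "sha": 2, "sha1": 2, "hmac-sha1": 2}

# "aes-cbc-128", "AES256", "DES_CBC", "3des" -> (base name, optional key length)
NAME_RE = re.compile(r"([a-z0-9]+?(?:-(?:cbc|ctr))?)-?(128|192|256)?")

def split_key_length(name):
    m = NAME_RE.fullmatch(name.strip().lower().replace("_", "-"))
    if not m:
        return name.strip().lower(), None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)

def lookup(table, name):
    """Unset -> None; an unknown spelling becomes a tagged string so it never
    compares equal to anything and is therefore always reported."""
    return None if name is None else table.get(name.lower(), f"unknown({name.lower()})")

def to_seconds(text):
    """'480 minutes', '3600 sec', '8 hours' or a bare number -> seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]*)\s*", str(text).lower())
    if not m:
        raise ValueError(f"cannot parse lifetime {text!r}")
    unit = {"": 1, "s": 1, "sec": 1, "seconds": 1, "m": 60, "min": 60,
            "minutes": 60, "h": 3600, "hours": 3600}[m.group(2)]
    return int(m.group(1)) * unit

def ike_proposal(encr, hash_alg, group, lifetime, exchange=None):
    alg, keylen = split_key_length(encr)
    return {"encr": lookup(IKE_ENCR, alg), "keylen": keylen,
            "hash": lookup(IKE_HASH, hash_alg), "group": lookup(IKE_GROUP, group),
            "life": to_seconds(lifetime),
            "exchange": exchange.lower() if exchange else None}

def esp_proposal(encr, auth, lifetime, pfs_group=None):
    alg, keylen = split_key_length(encr)
    return {"encr": lookup(ESP_ENCR, alg), "keylen": keylen,
            "auth": lookup(ESP_AUTH, auth), "pfs": lookup(IKE_GROUP, pfs_group),
            "life": to_seconds(lifetime)}

ATTR_RE = re.compile(r"Attribute (\w+) : (\S+)")
EXCH_RE = re.compile(r"EXCH_TYPE: (\w+)")

def proposal_from_comware_debug(lines):
    """Recover the phase-1 proposal the Comware initiator actually sent from its
    IKE debug output, so the check is against the wire and not the config text."""
    attrs = {}
    for line in lines:
        m = ATTR_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)
        m = EXCH_RE.search(line)
        if m:
            attrs["EXCH_TYPE"] = m.group(1)
    return ike_proposal(attrs["ENCRYPTION_ALGORITHM"], attrs["HASH_ALGORITHM"],
                        attrs["GROUP_DESCRIPTION"], attrs["LIFE_DURATION"],
                        attrs.get("EXCH_TYPE"))

def compare(local, remote):
    """Fields whose normalised values differ. A field one side leaves unset
    (None) is skipped; an unrecognised name is always listed."""
    return [f"{k}: local={local.get(k)} remote={remote.get(k)}"
            for k in sorted(set(local) | set(remote))
            if local.get(k) is not None and remote.get(k) is not None
            and local.get(k) != remote.get(k)]

# Values quoted in the thread, re-entered here as constructed test input.
LOCAL_P1 = ike_proposal("des-cbc", "md5", "group2", "28800", "aggressive")
REMOTE_P1 = ike_proposal("des", "md5", "group2", "480 minutes")
LOCAL_P2 = esp_proposal("des", "md5", "3600")
REMOTE_P2 = esp_proposal("des", "md5", "3600 sec")  # PFS not selected remotely
COMWARE_DEBUG = """\
*Nov 28 20:34:20:793 2016 Router1 IKE/7/DEBUG:   Attribute ENCRYPTION_ALGORITHM : DES_CBC
*Nov 28 20:34:20:843 2016 Router1 IKE/7/DEBUG:   Attribute HASH_ALGORITHM : MD5
*Nov 28 20:34:20:894 2016 Router1 IKE/7/DEBUG:   Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Nov 28 20:34:20:994 2016 Router1 IKE/7/DEBUG:   Attribute GROUP_DESCRIPTION : MODP_1024
*Nov 28 20:34:21:044 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_TYPE : SECONDS
*Nov 28 20:34:21:144 2016 Router1 IKE/7/DEBUG:   Attribute LIFE_DURATION : 28800
*Nov 28 20:34:22:699 2016 Router1 IKE/7/DEBUG:   EXCH_TYPE: AGGRESSIVE
""".splitlines()

if __name__ == "__main__":
    sent = proposal_from_comware_debug(COMWARE_DEBUG)
    print("phase 1 as sent     :", sent)
    print("phase 1 differences :", compare(sent, REMOTE_P1) or "none")
    print("phase 2 differences :", compare(LOCAL_P2, REMOTE_P2) or "none")
```

Anything the script lists is a disagreement in wire values; two names that normalise to the same number are the same proposal, and a name it cannot map (Check Point's DES-40CP, for instance) is reported as unknown rather than silently passed. One check to make by hand alongside it: the remote-address under ike peer must be the peer gateway's address that the tunnel's destination names, since IKE negotiates with the gateway and not with the remote LAN, and the connection name in the debug log (202.x.x.x,203.x.x.x) shows which pair of addresses the router actually used. Two caveats on the settings themselves, independent of whether the tunnel comes up: DES, MD5 and a 1024-bit DH group are obsolete and should move to AES, SHA-2 and group 14 or an ECP group once both ends support them, and aggressive mode with a pre-shared key sends the peer identity and the PSK-keyed hash unencrypted, which lets a passive observer run an offline dictionary attack on the PSK; main mode, as suggested earlier in the thread, removes that exposure.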
 
Expert Comment by: John Hurst (ID: 41906241)
The phases must match and when they do not (as your logs say) then you cannot connect. You may need to replace the Checkpoint VPN with a Cisco VPN box.
 
Author Comment by: manuverhaegen (ID: 41906246)
This is not a solution for me; we have more than 150 customers with different firewalls. We cannot ask customers to buy Cisco.
 
Expert Comment by: John Hurst (ID: 41906255)
You need then to call Checkpoint Support, lodge a case and see if they can match the Cisco VPN settings.
 
Expert Comment by: John Hurst (ID: 41906331)
Thanks. If you call Checkpoint and need more help, post again and we can assist.