Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

  • 1.  Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 22, 2017 01:09 PM

    Hello,

    For the first time :) I'm trying to set up a site-to-site VPN between an Aruba and a Check Point firewall.

    I get the following error message:

    Failed to initiate Site-Site VPN for map:xxxxxxx because of missing isakmp policies

    On the Check Point side the setup is:

    IKE Phase 1
    - Encryption: AES-256
    - Authentication: SHA1
    - Diffie-Hellman: Group 2 (1024 bits)
    - Renegotiate every: 1440

    IPsec (Phase 2)
    - Encryption: AES-128
    - Authentication: SHA1
    - Enable PFS: Group 2

    The Aruba setup is attached.

    Do you have any idea?

    Many thanks in advance.

    +

     



  • 2.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    EMPLOYEE
    Posted Aug 22, 2017 02:18 PM


  • 3.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 22, 2017 02:23 PM
    Hello Joseph,

    I hope you're fine!

    I've tried some transform sets but without success...

    Is it possible to advise me which one I need to set?

    Many thanks in advance.

    ++


  • 4.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 22, 2017 03:15 PM

    I couldn't understand how it works...

    I have the following options for the transform set:

    default-1st-ikev2-transform
    default-3rd-ikev2-transform
    default-aes
    default-boc-bm-transform
    default-cluster-transform
    default-gcm128
    default-gcm256
    default-ha-transform
    default-ml-transform
    default-rap-transform
    default-transform

    Based on the information on the Check Point side, I couldn't understand which one of them I need to add...

    Many thanks in advance for your help.

    +


  • 5.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    EMPLOYEE
    Posted Aug 22, 2017 04:41 PM

    I think you can create your own IKE Policy:

     

    policy.png



  • 6.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 22, 2017 04:48 PM

    Thanks Joseph, but I'm not able to click on "Add"...

    I'm logged in with the admin account.

    See the screenshot attached...

    The controller is just out of the box with a minimal setup (just an IP).



  • 7.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    EMPLOYEE
    Posted Aug 22, 2017 04:49 PM

    Are you on the local or master controller?



  • 8.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 22, 2017 09:27 PM

    The goal is for this controller to get its licenses from a centralized controller.

    It is in local mode now.

    The goal is to create a VPN from the controller to the Check Point to reach the centralized controller.

    Do I need to set it to master, build the VPN with the master, and after that switch to local?

    We only need to get the licenses from the master, nothing more; 100% of the settings will be local.

    Thanks in advance.



  • 9.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    EMPLOYEE
    Posted Aug 23, 2017 08:33 AM

    I am not sure if you have to create those VPN policies on the master to see them on the local.  Try that first.  It should have nothing to do with licensing, because VPN does not require licenses.



  • 10.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 23, 2017 01:14 PM

    Joseph,

    Both controllers aren't on the same network (two different sites).
    The only way to get communication between the two is to create a VPN.

    Following your advice, I've created the policies. It seems better, but I get other errors now...

    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| IKE_EXAMPLE: IKE_keyConnect() started, id = 0xa2935753...
    Aug 23 10:44:18 :103060: <3616> <DBUG> |ike| if.c:GetIPAddrByVlanId:216 vlan 0 ip 192.168.10.2
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| New(1) AGGRESSIVE Exchange ic 649593dc56cfd182 rc 0000000000000000
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 18) is disabled
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA policy:10001 enc:5 hmac:2 auth:1 group:2
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10004) is disabled
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10006) is disabled
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10007) is disabled
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10008) is disabled
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10009) is disabled
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10012) is disabled
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| group_get entered id:2
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| group_get ike_group:0x575198
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| modp_init entered
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| group_get group:0x796854
    Aug 23 10:44:18 :103060: <3616> <DBUG> |ike| ike_phase_1.c:ike_phase_1_initiator_send_SA:428 peer:xx.xxx.xxx.xxx
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| Adding ipcomp vendor id payload
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| Adding mac addr of the controller
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| modp_create_exchange: entered
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_send_KE_NONCE xx.xxx.xxx.xxx
    Aug 23 10:44:18 :103060: <3616> <DBUG> |ike| if.c:GetIPAddrByVlanId:216 vlan 0 ip 192.168.10.2
    Aug 23 10:44:18 :103060: <3616> <DBUG> |ike| ike_phase_1.c:ike_phase_1_send_ID:1837 with SwitchIP 192.168.10.2
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_send_ID xx.xxx.xxx.xxx
    Aug 23 10:44:18 :103060: <3616> <DBUG> |ike| exchange.c:exchange_negotiation_state_inprog:2916 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
    Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| xx.xxx.xxx.xxx:4500-> message_recv: invalid message id
    Aug 23 10:44:18 :103054: <3616> <INFO> |ike| Dropping IKE message drop from xx.xxx.xxx.xxx 4500 due to notification type:INVALID_MESSAGE_ID
    Aug 23 10:44:23 :103063: <3616> <DBUG> |ike| IKE2_updateSadb retransmit exchange timenow:36070382 Exch-timestamp:36065355 retrans:3800
    Aug 23 10:44:23 :103063: <3616> <DBUG> |ike| spi={93616d1e0a3b0ad4 0000000000000000} np=SA
    Aug 23 10:44:23 :103063: <3616> <DBUG> |ike| exchange=IKE_SA_INIT msgid=0 len=316
    Aug 23 10:44:23 :103063: <3616> <DBUG> |ike| SEND 316 bytes to xx.xxx.xxx.xxx(500) (36070.383)

     



  • 11.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 23, 2017 01:20 PM

    Aug 23 11:01:32 :103063: <3616> <DBUG> |ike| IKE2_updateSadb retransmit exchange timenow:37099441 Exch-timestamp:37094365 retrans:3800
    Aug 23 11:01:32 :103063: <3616> <DBUG> |ike| spi={38ac713bcd9575d9 0000000000000000} np=SA
    Aug 23 11:01:32 :103063: <3616> <DBUG> |ike| exchange=IKE_SA_INIT msgid=0 len=316
    Aug 23 11:01:32 :103063: <3616> <DBUG> |ike| SEND 316 bytes to xx.xxx.xxx.xxx(500) (37099.442)
    Aug 23 11:01:38 :103063: <3616> <DBUG> |ike| IKE2_updateSadb retransmit exchange timenow:37105441 Exch-timestamp:37099442 retrans:3800
    Aug 23 11:01:38 :103063: <3616> <DBUG> |ike| spi={38ac713bcd9575d9 0000000000000000} np=SA
    Aug 23 11:01:38 :103063: <3616> <DBUG> |ike| exchange=IKE_SA_INIT msgid=0 len=316
    Aug 23 11:01:38 :103063: <3616> <DBUG> |ike| SEND 316 bytes to xx.xxx.xxx.xxx(500) (37105.442)
    Aug 23 11:01:44 :103063: <3616> <DBUG> |ike| IKE2_updateSadb retransmit exchange timenow:37111442 Exch-timestamp:37105442 retrans:3800
    Aug 23 11:01:44 :103063: <3616> <DBUG> |ike| spi={38ac713bcd9575d9 0000000000000000} np=SA
    Aug 23 11:01:44 :103063: <3616> <DBUG> |ike| exchange=IKE_SA_INIT msgid=0 len=316
    Aug 23 11:01:44 :103063: <3616> <DBUG> |ike| SEND 316 bytes to xx.xxx.xxx.xxx(500) (37111.442)
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| ->Delete AGGRESSIVE Exchange ic 09a5947359c46780 rc 0000000000000000
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| modp_free entered
    Aug 23 11:01:47 :103060: <3616> <DBUG> |ike| exchange.c:exchange_negotiation_state_done:2931 Ipsec map default-local-master-ipsecmap is marked negotiation-done
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| sa_release-> SA ph:1 ref:0 flags:10000 ic 09a5947359c46780 rc 0000000000000000
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| IKE_checkExpSa pxSa:0x8cd744 error:-8949 flags:1090519045
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| IKE2_updateSadb SA Expired
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| IKE2_delSa sa:0x8cd744 peer:xx.xxx.xxx.xxx:500 id:2727565188 err:-90036 saflags:41000005 arflags:20
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| IKE2_delSa before IKE2_delXchg
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| CHILD_SA [v2 I
    Aug 23 11:01:47 :103060: <3616> <DBUG> |ike| exchange.c:exchange_negotiation_state_done:2931 Ipsec map Versremotesite is marked negotiation-done
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| IKEresetEventsByMap: reset event id:0 for map Versremotesite
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| , status = -8949
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| IKE_delIPsecSa: Removing SPI 0xd1461300 from SPI hash table
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| ipsec_spi_hash_tbl_entry_remove: Successfully removed IPSEC spi 0xd1461300 from SPI hash table
    Aug 23 11:01:47 :103060: <3616> <DBUG> |ike| exchange.c:exchange_negotiation_state_done:2931 Ipsec map Versremotesite is marked negotiation-done
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| IKE_SA [v2 I
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| , status = -8949
    Aug 23 11:01:47 :103063: <3616> <DBUG> |ike| IKE_deleteHW_state cookies:c20c10aa:1f4



  • 12.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 23, 2017 01:28 PM

    With IKEv1:

    Aug 23 11:10:53 :103063: <3616> <DBUG> |ike| sa_release: Removing spi 0x68d8ee00 from spi hash table
    Aug 23 11:10:53 :103063: <3616> <DBUG> |ike| ipsec_spi_hash_tbl_entry_remove: Successfully removed IPSEC spi 0x68d8ee00 from SPI hash table
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| initiator_send_HASH_SA_NONCE map Versremotesite v:1
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| ike_quick_mode.c:initiator_send_HASH_SA_NONCE:523 ipsec_map peer IP:xxx.xxx.xxx.xxx SA IP:xxx.xxx.xxx.xxx map_name Versremotesite
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| ike_quick_mode.c:initiator_send_HASH_SA_NONCE:537 p2-exchange-name:Versremotesite map_name Versremotesite
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| ike_quick_mode.c:initiator_send_HASH_SA_NONCE:877 Group 2 descriptor for PFS
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| ipsec_spi_hash_tbl_entry_add: adding IPSEC spi 0xbae8400 to SPI hash table
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| ipsec_spi_hash_tbl_entry_add: successfully added IPSEC spi 0xbae8400 to SPI hash table
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| group_get entered id:2
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| group_get ike_group:0x575198
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| modp_init entered
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| group_get group:0x79547c
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| modp_create_exchange: entered
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| ike_quick_mode.c:initiator_send_HASH_SA_NONCE:1125 id_type local_id=c0a80a00 remote_id ac120a00 for map-name Versremotesite
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| exchange.c:exchange_negotiation_state_inprog:2916 Ipsec map Versremotesite is marked negotiation-inprogress
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| initiator_send_HASH_SA_NONCE map Versremotesite v:1
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| ike_quick_mode.c:initiator_send_HASH_SA_NONCE:523 ipsec_map peer IP:xxx.xxx.xxx.xxx SA IP:xxx.xxx.xxx.xxx map_name Versremotesite
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| ike_quick_mode.c:initiator_send_HASH_SA_NONCE:537 p2-exchange-name:xxx.xxx.xxx.xxx map_name Versremotesite
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| initiator_send_HASH_SA_NONCE map default-local-master-ipsecmap v:1
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| ike_quick_mode.c:initiator_send_HASH_SA_NONCE:523 ipsec_map peer IP:xxx.xxx.xxx.xxx SA IP:xxx.xxx.xxx.xxx map_name default-local-master-ipsecmap
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| ike_quick_mode.c:initiator_send_HASH_SA_NONCE:537 p2-exchange-name:xxx.xxx.xxx.xxx map_name default-local-master-ipsecmap
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| initiator_send_HASH_SA_NONCE map default-rap-ipsecmap v:2
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| initiator_send_HASH_SA_NONCE map GLOBAL-IKEV2-MAP v:2
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| initiator_send_HASH_SA_NONCE map default-ikev2-dynamicmap v:2
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| initiator_send_HASH_SA_NONCE map GLOBAL-MAP v:1
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| initiator_send_HASH_SA_NONCE map default-dynamicmap v:1
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| ike_quick_mode.c:initiator_send_HASH_SA_NONCE:523 ipsec_map peer IP:0.0.0.0 SA IP:xxx.xxx.xxx.xxx map_name default-dynamicmap
    Aug 23 11:10:54 :103060: <3616> <DBUG> |ike| ike_quick_mode.c:initiator_send_HASH_SA_NONCE:951 Couldn't find map for this peer
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| exchange_run: doi->initiator (0x8ec4cc) failed retval:-1
    Aug 23 11:10:54 :103063: <3616> <DBUG> |ike| xxx.xxx.xxx.xxx:4500-> ->Delete INFO Exchange ic c39a0c89f998b7cf rc 86c0f7f755ff8f7c



  • 13.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 23, 2017 03:29 PM

    So I guess my main issue is:

    Dropping IKE message drop from xx.xxx.xxx.xxx 4500 due to notification type:INVALID_MESSAGE_ID

    Do you have any idea?



  • 14.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    EMPLOYEE
    Posted Aug 23, 2017 04:10 PM

    I honestly have never tried to connect it to that type of device so I am just guessing.  Does the manufacturer have any advice about what setups it would work with?



  • 15.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 23, 2017 04:15 PM

    Not really... just some general information...

    But I've looked online, and the error INVALID_MESSAGE_ID could be a wrong peer ID.

    In my case it could be that the Check Point is expecting the external IP (WAN IP) but the Aruba sends the local 192.x.x.x, causing an invalid ID.

    What do you think about it? Do you have any idea how I can be sure that the Aruba sends the correct IP as peer ID?

    +



  • 16.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    EMPLOYEE
    Posted Aug 23, 2017 04:16 PM

    On the Check Point, can you see an error message?  Can you tell what IP address it is coming from?  Does the connection require a pre-shared key?



  • 17.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 23, 2017 04:34 PM

    I saw nothing, just some information related to "aggressive mode".

    I've tried to disable it, but it's the same.

    The show datapath session | i 4500 shows me both external IP addresses.

    Yes, we are using a pre-shared key.



  • 18.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 23, 2017 05:15 PM

    Joseph, 

     

    If you check the log below, normally the bold IP should be the external one instead of the local one, no?

    if.c:GetIPAddrByVlanId:216 vlan 0 ip 192.168.10.2
    Aug 23 14:54:33 :103060: <3616> <DBUG> |ike| ike_phase_1.c:ike_phase_1_send_ID:1837 with SwitchIP 192.168.10.2
    Aug 23 14:54:33 :103063: <3616> <DBUG> |ike| ike_phase_1_send_ID WAN-IP-Address
    Aug 23 14:54:33 :103060: <3616> <DBUG> |ike| exchange.c:exchange_negotiation_state_inprog:2916 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
    Aug 23 14:54:33 :103063: <3616> <DBUG> |ike| WAN-IP-Address:4500-> message_recv: invalid message id
    Aug 23 14:54:33 :103054: <3616> <INFO> |ike| Dropping IKE message drop from WAN-IP-Address 4500 due to notification type:INVALID_MESSAGE_ID
    Aug 23 14:54:53 :103063: <3616> <DBUG> |ike| ->Delete AGGRESSIVE Exchange ic 54f36b40fc568b3c rc 0000000000000000
    Aug 23 14:54:53 :103063: <3616> <DBUG> |ike| modp_free entered
    Aug 23 14:54:53 :103060: <3616> <DBUG> |ike| exchange.c:exchange_negotiation_state_done:2931 Ipsec map default-local-master-ipsecmap is marked negotiation-done
    Aug 23 14:54:53 :103063: <3616> <DBUG> |ike| sa_release-> SA ph:1 ref:0 flags:10000 ic 54f36b40fc568b3c rc 0000000000000000
    Aug 23 14:54:54 :103060: <3616> <DBUG> |ike| if.c:GetIPAddrByVlanId:216 vlan 0 ip 192.168.10.2
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| New(1) AGGRESSIVE Exchange ic a6536b01e6864de2 rc 0000000000000000
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 18) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA policy:10001 enc:5 hmac:2 auth:1 group:2
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10004) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10006) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10007) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10008) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10009) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10012) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| group_get entered id:2
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| group_get ike_group:0x575198
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| modp_init entered
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| group_get group:0x79a304
    Aug 23 14:54:54 :103060: <3616> <DBUG> |ike| ike_phase_1.c:ike_phase_1_initiator_send_SA:428 peer:WAN-IP-Address
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| Adding ipcomp vendor id payload
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| Adding mac addr of the controller
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| modp_create_exchange: entered
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_send_KE_NONCE WAN-IP-Address
    Aug 23 14:54:54 :103060: <3616> <DBUG> |ike| if.c:GetIPAddrByVlanId:216 vlan 0 ip 192.168.10.2
    Aug 23 14:54:54 :103060: <3616> <DBUG> |ike| ike_phase_1.c:ike_phase_1_send_ID:1837 with SwitchIP 192.168.10.2
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_send_ID WAN-IP-Address
    Aug 23 14:54:54 :103060: <3616> <DBUG> |ike| exchange.c:exchange_negotiation_state_inprog:2916 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| WAN-IP-Address:4500-> message_recv: invalid message id
    Aug 23 14:54:54 :103054: <3616> <INFO> |ike| Dropping IKE message drop from WAN-IP-Address 4500 due to notification type:INVALID_MESSAGE_ID



  • 19.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    EMPLOYEE
    Posted Aug 23, 2017 06:53 PM

    It looks like none of your policies match the checkpoint's policies:

     

    Aug 23 14:54:54 :103060: <3616> <DBUG> |ike| if.c:GetIPAddrByVlanId:216 vlan 0 ip 192.168.10.2
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| New(1) AGGRESSIVE Exchange ic a6536b01e6864de2 rc 0000000000000000
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 18) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA policy:10001 enc:5 hmac:2 auth:1 group:2
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10004) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10006) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10007) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10008) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10009) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10012) is disabled
    Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| group_get entered id:2

     

    I would contact Checkpoint to ask what the policies on the other side should look like...
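    Joseph's reading of the log above can be checked mechanically. The following is an added example (not Aruba's code and not from this thread): a small Python triage script that pulls the offered Phase 1 policy out of the |ike| debug lines, decodes the numeric enc/hmac/auth/group IDs, diffs them against the Check Point proposal posted in the first message, and tallies the notification type behind each dropped message. It assumes the numbers the log prints are the IANA IKEv1 Phase 1 attribute values (RFC 2409, appendix A); that mapping, the dictionary names and the report layout are the example's own assumptions. The sample lines are copied from the posts above.

```python
"""Triage of ArubaOS |ike| debug lines like the ones pasted in this thread.

Added example, not Aruba's code.  It pulls out the Phase 1 policy the
controller actually offered, decodes the numeric attribute IDs, diffs them
against the peer's configured proposal and tallies the notification type
behind every message drop.  ASSUMPTION: the enc/hmac/auth/group numbers the
log prints are the IANA IKEv1 Phase 1 attribute values (RFC 2409, app. A).
SAMPLE_LOG is a subset of lines copied from the thread.
"""
import re
from collections import Counter

# IANA IKEv1 Phase 1 attribute values (assumed to be what the log prints).
ENC = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
HASH = {1: "MD5", 2: "SHA1", 4: "SHA2-256", 5: "SHA2-384", 6: "SHA2-512"}
AUTH = {1: "pre-shared key", 3: "RSA signatures"}
GROUP = {1: "MODP-768", 2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048"}

POLICY_RE = re.compile(r"policy:(\d+) enc:(\d+) hmac:(\d+) auth:(\d+) group:(\d+)")
SKIPPED_RE = re.compile(r"policy \(priority = (\d+)\) is disabled")
NOTIFY_RE = re.compile(r"notification type:?\s*([A-Z_]+)")
PSK_RE = re.compile(r"invalid IKE shared-secret")
NAT_RE = re.compile(r"this switch is behind a NAT device")

# Phase 1 settings posted for the Check Point side.  AES key length is a
# separate IKEv1 attribute that the log line does not print, so only the
# cipher family, hash, auth method and DH group are compared.
CHECKPOINT_PHASE1 = {"enc": "AES-CBC", "hash": "SHA1",
                     "auth": "pre-shared key", "group": "MODP-1024"}

SAMPLE_LOG = [  # copied from the thread; the peer address was already masked there
    "Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 18) is disabled",
    "Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA policy:10001 enc:5 hmac:2 auth:1 group:2",
    "Aug 23 14:54:54 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10004) is disabled",
    "Aug 23 14:54:54 :103054: <3616> <INFO> |ike| Dropping IKE message drop from WAN-IP-Address 4500 due to notification type:INVALID_MESSAGE_ID",
    "Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> nat_traversal.c:nat_t_exchange_check_nat_d:535 NAT detected, this switch is behind a NAT device",
    "Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| 192.168.10.1:4500-> message.c:message_drop:2886 Message drop from 192.168.10.1 port 4500 due to notification type INVALID_PAYLOAD_TYPE",
    "Aug 24 07:16:18 :103053: <3617> <INFO> |ike| Drop message from WAN-IP-Address due to invalid IKE shared-secret",
    "Aug 24 07:16:21 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> message.c:message_drop:2886 Message drop from WAN-IP-Address port 500 due to notification type INVALID_COOKIE",
]


def decode_policy(match):
    """Turn the numeric IDs of one 'policy:N enc:E hmac:H auth:A group:G' line
    into names; unknown IDs are kept as 'enc#N' etc. rather than guessed."""
    pol, enc, hmac, auth, grp = (int(x) for x in match.groups())
    return {"policy": pol,
            "enc": ENC.get(enc, f"enc#{enc}"),
            "hash": HASH.get(hmac, f"hash#{hmac}"),
            "auth": AUTH.get(auth, f"auth#{auth}"),
            "group": GROUP.get(grp, f"group#{grp}")}


def diff_policy(offered, wanted):
    """List every Phase 1 parameter on which the offered policy differs from the peer's."""
    return [f"{k}: offered {offered[k]}, peer wants {wanted[k]}"
            for k in ("enc", "hash", "auth", "group") if offered[k] != wanted[k]]


def triage(lines, peer):
    """Scan debug lines and summarise what the controller offered and why messages dropped."""
    report = {"offered": [], "skipped": [], "mismatch": {},
              "drops": Counter(), "psk_rejected": False, "behind_nat": False}
    for line in lines:
        if m := POLICY_RE.search(line):
            pol = decode_policy(m)
            report["offered"].append(pol)
            report["mismatch"][pol["policy"]] = diff_policy(pol, peer)
        elif m := SKIPPED_RE.search(line):
            report["skipped"].append(int(m.group(1)))      # not IKEv1, or disabled
        elif m := NOTIFY_RE.search(line):
            report["drops"][m.group(1)] += 1               # e.g. INVALID_MESSAGE_ID
        if PSK_RE.search(line):
            report["psk_rejected"] = True                  # peer rejected our PSK-based auth
        if NAT_RE.search(line):
            report["behind_nat"] = True                    # NAT-D detected translation
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG, CHECKPOINT_PHASE1)
    for pol in r["offered"]:
        print(f"policy {pol['policy']}: {pol} -> mismatches: {r['mismatch'][pol['policy']]}")
    print("skipped policies:", r["skipped"])
    print("drops:", dict(r["drops"]), "| PSK rejected:", r["psk_rejected"],
          "| behind NAT:", r["behind_nat"])
```

    On the lines above it reports a single offered policy, 10001, which under that ID mapping decodes to 3DES-CBC/SHA1/PSK/MODP-1024 and so differs from the AES-256 proposal on the Check Point side; every other policy was skipped as not-IKEv1 or disabled, which is the conclusion Joseph draws. An enc ID that decodes to AES-CBC would still need its key length checked separately, since that attribute is not in this log line.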



  • 20.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

    Posted Aug 24, 2017 11:17 AM

    I guess we made a little jump...

    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> group_get ike_group:0x575198
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> modp_init entered
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> group_get group:0x7a918c
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> modp_create_exchange: entered
    Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> nat_traversal.c:nat_t_generate_nat_d_hash:267 IP WAN-IP-Address Port 500
    Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.10.2 Port 500
    Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> nat_traversal.c:nat_t_exchange_add_nat_d:377 NAT-T added hashes for src=192.168.10.2:500, dst=WAN-IP-Address:500
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> ike_phase_1_send_KE_NONCE WAN-IP-Address
    Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> ike_phase_1.c:ike_phase_1_recv_KE_NONCE:1332 Initiator, allowing NAT-T checks.
    Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> nat_traversal.c:nat_t_generate_nat_d_hash:267 IP 192.168.10.2 Port 500
    Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> nat_traversal.c:nat_t_generate_nat_d_hash:267 IP WAN-IP-Address Port 500
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> nat_t_exchange_check_nat_d enable NATT
    Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> nat_traversal.c:nat_t_exchange_check_nat_d:535 NAT detected, this switch is behind a NAT device
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> GetFirstMatchIsakmpPSK: entering
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> mask FFFFFFFF, ip C20C10AA, key_ip C20C10AA
    Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> ike_auth.c:ike_auth_get_key:603 Found isakmp policy for peer WAN-IP-Address client:no
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> ike_phase_1_post_exchange_KE_NONCE IV len:16
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> ike_phase_1_post_exchange_KE_NONCE done WAN-IP-Address g_x_len:128 skeyid_len:20
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> ike_phase_1_send_ID WAN-IP-Address
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> ike_auth_hash
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> ike_phase_1_send_AUTH
    Aug 24 07:16:18 :103063: <3617> <DBUG> |ike| 192.168.10.1:4500-> message_parse_payloads: invalid next payload type <Unknown 95> in payload of type 5
    Aug 24 07:16:18 :103060: <3617> <DBUG> |ike| 192.168.10.1:4500-> message.c:message_drop:2886 Message drop from 192.168.10.1 port 4500 due to notification type INVALID_PAYLOAD_TYPE
    Aug 24 07:16:18 :103053: <3617> <INFO> |ike| Drop message from WAN-IP-Address due to invalid IKE shared-secret
    Aug 24 07:16:21 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> message_recv: invalid cookie(s) 91469bddd816b3b3 575499fd899d2317
    Aug 24 07:16:21 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> message.c:message_drop:2886 Message drop from WAN-IP-Address port 500 due to notification type INVALID_COOKIE
    Aug 24 07:16:25 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> message_recv: invalid cookie(s) 91469bddd816b3b3 575499fd899d2317
    Aug 24 07:16:25 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> message.c:message_drop:2886 Message drop from WAN-IP-Address port 500 due to notification type INVALID_COOKIE
    Aug 24 07:16:29 :103063: <3617> <DBUG> |ike| WAN-IP-Address:500-> message_recv: invalid cookie(s) 91469bddd816b3b3 575499fd899d2317
    Aug 24 07:16:29 :103060: <3617> <DBUG> |ike| WAN-IP-Address:500-> message.c:message_drop:2886 Message drop from WAN-IP-Address port 500 due to notification type INVALID_COOKIE

     

    I filled out the pre-shared key twice... the same on both sites.
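    The "NAT detected, this switch is behind a NAT device" lines in the log above come from the NAT-D exchange of RFC 3947, in which each side hashes the addresses it thinks the conversation is using and the other side compares. The following is an added example (not Aruba or Check Point code) that reproduces that check in Python: the controller hashes its own VLAN address 192.168.10.2:500 (the one in the log), the responder hashes the source it actually received from, and the mismatch is what tells the controller it sits behind NAT. The public addresses, the cookie values and the function names are constructed for the example.

```python
"""NAT-D check (RFC 3947) as the IKEv1 initiator in this thread performs it.

Added example, not Aruba or Check Point code.  Public addresses, ports and
cookies are constructed; only the controller's VLAN address 192.168.10.2
comes from the log above.  The hash follows RFC 3947 section 3.2:
HASH(CKY-I | CKY-R | IP | Port), with SHA-1 because the Phase 1 proposal
on this page uses SHA-1.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload body: the IKE cookies, the IPv4 address as 4 network-order
    octets and the UDP port as a 2-byte big-endian value, hashed with SHA-1."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, peer, own):
    """What one side puts on the wire: first the hash of the address it sees
    the *peer* at, then the hash of its own address.  peer/own are (ip, port)."""
    return [nat_d_hash(cky_i, cky_r, *peer), nat_d_hash(cky_i, cky_r, *own)]


def check_nat_d(cky_i, cky_r, own, peer, received):
    """Evaluate the peer's NAT-D payloads from our side.

    received[0]  = the peer's hash of the source address our packet arrived from
    received[1:] = the peer's hash(es) of its own address(es)
    Returns (we_are_behind_nat, peer_is_behind_nat).
    """
    we_are_behind_nat = received[0] != nat_d_hash(cky_i, cky_r, *own)
    peer_is_behind_nat = nat_d_hash(cky_i, cky_r, *peer) not in received[1:]
    return we_are_behind_nat, peer_is_behind_nat


def run_scenario(translated_src=None):
    """Controller 192.168.10.2 talks to a Check Point at a public address.
    If translated_src is set, the router rewrites the controller's source
    address to it, which is what the responder then hashes."""
    cky_i = bytes.fromhex("a6536b01e6864de2")  # constructed initiator cookie
    cky_r = bytes.fromhex("0f1e2d3c4b5a6978")  # constructed responder cookie
    controller = ("192.168.10.2", 500)         # VLAN address from the log
    checkpoint = ("198.51.100.20", 500)        # constructed public peer address
    seen_by_checkpoint = translated_src or controller

    # Responder side: hashes the source it actually received from, then itself.
    from_checkpoint = build_nat_d_payloads(cky_i, cky_r, seen_by_checkpoint, checkpoint)
    # Initiator side: knows only its VLAN address and the peer's public address.
    return check_nat_d(cky_i, cky_r, controller, checkpoint, from_checkpoint)


if __name__ == "__main__":
    behind, peer_behind = run_scenario(("203.0.113.10", 500))
    print("this switch is behind a NAT device:", behind, "| peer behind NAT:", peer_behind)
```

    With the router translating 192.168.10.2 to a public address the check returns (True, False): the controller is behind NAT, the Check Point is not. Once an initiator learns this it floats IKE and ESP to UDP/4500, which is why the later log lines show the peer at port 4500; from then on the router's NAT has to translate and forward both UDP/500 and UDP/4500 consistently, and the last post in the thread attributes the remaining failure to the router's NAT handling.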

     

     



  • 21.  RE: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies
    Best Answer

    Posted Aug 29, 2017 03:00 PM
    Hello,

    To finish the story, the main issue came from the router.

    Actually, the router didn't handle the NAT rules correctly.

    A new router works well!

    Thanks for your help!