
Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

Hello, 

 

For the first time :) I'm trying to set up a site-to-site VPN between an Aruba controller and a Check Point firewall.

 

I've got the following error message:

Failed to initiate Site-Site VPN for map:xxxxxxx because of missing isakmp policies

 

On the Check Point side the setup is:

IKE Phase 1

- Encryption: AES-256

- Authentication: SHA1

- Diffie-Hellman: Group 2 (2014 bits)

- Renegotiate every: 1440

 

IPsec (Phase 2)

- Encryption: AES-128

- Authentication: SHA1

- Enable PFS: Group 2

 

The Aruba setup is attached.

 

Do you have any idea?

 

Many thanks in advance.

 


 

Guru Elite

Re: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

In the screenshot you have not selected a transform set:  http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/VPNs/Configuring_a_VPN_for_L2.htm?Highlight=transform set



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

Hello Joseph,

I hope you're fine!

I've tried some transform sets but without success...

Is it possible to advise me which one I need to set?

Many thanks in advance.


Re: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

I couldn't understand how it works...

 

I've got the following options for the transform set:

default-1st-ikev2-transform

default-3rd-ikev2-transform

default-aes

default-boc-bm-transform

default-cluster-transform

default-gcm128

default-gcm256

default-ha-transform

default-ml-transform

default-rap-transform

default-transform

 

Based on the information on the Check Point side, I couldn't understand which one of them I need to add...

 

Many thanks in advance for your help.

 


Guru Elite

Re: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

I think you can create your own IKE Policy:

 

policy.png



Colin Joseph
Aruba Customer Engineering


Re: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

Thanks Joseph, but I'm not able to click on "add"...

I'm logged in with the admin account.

 

Look at the screenshot attached...

 

The controller is just out of the box with a minimal setup (just an IP).

Guru Elite

Re: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

Are you on the local or master controller?



Colin Joseph
Aruba Customer Engineering


Re: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

The goal is for this controller to get its licenses from a centralized controller.

 

It is in local mode now.

 

The goal is to create a VPN from the controller to the Check Point to reach the centralized controller.

 

Do I need to set it to master, build the VPN with the master and after that switch to local?

 

We only need to get the licenses from the master, nothing more. 100% of the settings will be local.

 

Thanks in advance.

Guru Elite

Re: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

I am not sure if you have to create those VPN policies on the master to see them on the local.  Try that first.  It should have nothing to do with licensing, because VPN does not require licenses.



Colin Joseph
Aruba Customer Engineering


Re: Failed to initiate Site-Site VPN for map:XXXXXbecause of missing isakmp policies

Joseph, 

 

Both controllers aren't on the same network (two different sites).

The only way to get communication between the two is to create a VPN.

 

Following your advice, I've created the policies. It seems to be better, but I've got other errors now...

 

Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| IKE_EXAMPLE: IKE_keyConnect() started, id = 0xa2935753...
Aug 23 10:44:18 :103060: <3616> <DBUG> |ike| if.c:GetIPAddrByVlanId:216 vlan 0 ip 192.168.10.2
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| New(1) AGGRESSIVE Exchange ic 649593dc56cfd182 rc 0000000000000000
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 18) is disabled
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA policy:10001 enc:5 hmac:2 auth:1 group:2
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10004) is disabled
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10006) is disabled
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10007) is disabled
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10008) is disabled
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10009) is disabled
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10012) is disabled
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| group_get entered id:2
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| group_get ike_group:0x575198
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| modp_init entered
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| group_get group:0x796854
Aug 23 10:44:18 :103060: <3616> <DBUG> |ike| ike_phase_1.c:ike_phase_1_initiator_send_SA:428 peer:xx.xxx.xxx.xxx
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| Adding ipcomp vendor id payload
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| Adding mac addr of the controller
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| modp_create_exchange: entered
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_send_KE_NONCE xx.xxx.xxx.xxx
Aug 23 10:44:18 :103060: <3616> <DBUG> |ike| if.c:GetIPAddrByVlanId:216 vlan 0 ip 192.168.10.2
Aug 23 10:44:18 :103060: <3616> <DBUG> |ike| ike_phase_1.c:ike_phase_1_send_ID:1837 with SwitchIP 192.168.10.2
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_send_ID xx.xxx.xxx.xxx
Aug 23 10:44:18 :103060: <3616> <DBUG> |ike| exchange.c:exchange_negotiation_state_inprog:2916 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| xx.xxx.xxx.xxx:4500-> message_recv: invalid message id
Aug 23 10:44:18 :103054: <3616> <INFO> |ike| Dropping IKE message drop from xx.xxx.xxx.xxx 4500 due to notification type:INVALID_MESSAGE_ID
Aug 23 10:44:23 :103063: <3616> <DBUG> |ike| IKE2_updateSadb retransmit exchange timenow:36070382 Exch-timestamp:36065355 retrans:3800
Aug 23 10:44:23 :103063: <3616> <DBUG> |ike| spi={93616d1e0a3b0ad4 0000000000000000} np=SA
Aug 23 10:44:23 :103063: <3616> <DBUG> |ike| exchange=IKE_SA_INIT msgid=0 len=316
Aug 23 10:44:23 :103063: <3616> <DBUG> |ike| SEND 316 bytes to xx.xxx.xxx.xxx(500) (36070.383)
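As an added example (not from the thread and not Aruba's or Check Point's code), a small parser over the debug lines above: it lists the IKE policies the controller skipped, decodes the one it actually proposed using the IANA IKEv1 attribute numbering (assumed to be what the enc:/hmac:/auth: fields carry), and reports which Phase 1 fields differ from the Check Point settings posted at the start of the thread. The sample log is a constructed subset of the lines above.

```python
import re

# Constructed sample: a subset of the ArubaOS IKE debug lines quoted in the thread.
IKE_LOG = """\
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 18) is disabled
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA policy:10001 enc:5 hmac:2 auth:1 group:2
Aug 23 10:44:18 :103063: <3616> <DBUG> |ike| ike_phase_1_initiator_send_SA matching IKE policy version is not v1 or policy (priority = 10004) is disabled
Aug 23 10:44:18 :103054: <3616> <INFO> |ike| Dropping IKE message drop from xx.xxx.xxx.xxx 4500 due to notification type:INVALID_MESSAGE_ID
"""
# IANA ISAKMP (IKEv1) attribute values; assumed to be what the enc:/hmac:/auth: fields carry.
ENC = {1: "DES", 5: "3DES", 7: "AES"}        # AES key length is a separate attribute, not logged here
HASH = {1: "MD5", 2: "SHA1", 4: "SHA2-256"}
AUTH = {1: "PSK", 3: "RSA-SIG"}

SKIPPED = re.compile(r"policy \(priority = (\d+)\) is disabled")
PROPOSED = re.compile(r"policy:(\d+) enc:(\d+) hmac:(\d+) auth:(\d+) group:(\d+)")
DROPPED = re.compile(r"Dropping IKE message .* notification type:(\w+)")

def parse_phase1(log):
    """Return (skipped policy priorities, decoded proposals, peer notifications)."""
    skipped, proposals, notes = [], [], []
    for line in log.splitlines():
        if m := SKIPPED.search(line):          # policy not IKEv1, or disabled: never offered to the peer
            skipped.append(int(m.group(1)))
        elif m := PROPOSED.search(line):       # the policy actually sent in the Phase 1 SA payload
            pri, enc, hsh, auth, grp = map(int, m.groups())
            proposals.append({
                "priority": pri,
                "enc": ENC.get(enc, f"id{enc}"),
                "hash": HASH.get(hsh, f"id{hsh}"),
                "auth": AUTH.get(auth, f"id{auth}"),
                "group": grp,
            })
        elif m := DROPPED.search(line):        # notification the peer answered with
            notes.append(m.group(1))
    return skipped, proposals, notes

def phase1_mismatches(proposal, peer):
    """Fields where the controller's proposal differs from the peer's Phase 1 settings."""
    return [k for k in ("enc", "hash", "group") if proposal[k] != peer[k]]

# Check Point Phase 1 as posted at the start of the thread (AES-256 / SHA1 / DH group 2).
CHECKPOINT_PHASE1 = {"enc": "AES", "hash": "SHA1", "group": 2}

if __name__ == "__main__":
    skipped, proposals, notes = parse_phase1(IKE_LOG)
    print("skipped (not v1 or disabled):", skipped)
    for p in proposals:
        print("proposed:", p, "mismatch vs Check Point:", phase1_mismatches(p, CHECKPOINT_PHASE1))
    print("peer notifications:", notes)
```

A non-empty mismatch list points at the IKE policy to edit; the AES key length (128 vs 256) is a separate IKEv1 attribute that this log line does not show, so it has to be checked in the policy itself.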

 
