IKEv2 site 2 site vpn between ASA and CheckPoint

I am having issues getting an IKEv2 site-to-site VPN set up between an ASA 5525 (version 9.2(4)5) and a Check Point (R77). I only have access to the ASA side.

We are getting an authentication failed error in the debugs but have confirmed that the PSK is correct. Could this be a compatibility issue between IKEv2 on the ASA and IKEv2 on Check Point? I wouldn't think so, but it is the only explanation I can see at this point in time.

crypto ipsec ikev2 ipsec-proposal PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-384

crypto map outside_map 63 match address outside_cryptomap_24
crypto map outside_map 63 set pfs group19
crypto map outside_map 63 set peer xxx.xxx.xxx.xxx
crypto map outside_map 63 set ikev2 ipsec-proposal PROPOSAL

crypto ikev2 policy 50
encryption aes-256
integrity sha384
group 19
prf sha384
lifetime seconds 86400

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
default-group-policy l2l_Materna_GrpPolicy
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

(318): REAL Decrypted packet:(318): Data: 8 bytes
(318): NOTIFY(AUTHENTICATION_FAILED)(318): Next payload: NONE, reserved: 0x0, length: 8
(318): Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED
(318):
(318): Decrypted packet:(318): Data: 88 bytes
IKEv2-PROTO-5: (318): SM Trace-> SA: I_SPI=F9F272BECA264AD4 R_SPI=D87E22F6065BA6E8 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (318): Action: Action_Null
IKEv2-PROTO-5: (318): SM Trace-> SA: I_SPI=F9F272BECA264AD4 R_SPI=D87E22F6065BA6E8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (318): Process auth response notify
IKEv2-PROTO-1: (318):
IKEv2-PROTO-5: (318): SM Trace-> SA: I_SPI=F9F272BECA264AD4 R_SPI=D87E22F6065BA6E8 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-2: (318): Auth exchange failed
IKEv2-PROTO-1: (318): Auth exchange failed
IKEv2-PROTO-1: (318): Auth exchange failed
IKEv2-PROTO-5: (318): SM Trace-> SA: I_SPI=F9F272BECA264AD4 R_SPI=D87E22F6065BA6E8 (I) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (318): SM Trace-> SA: I_SPI=F9F272BECA264AD4 R_SPI=D87E22F6065BA6E8 (I) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (318): SM Trace-> SA: I_SPI=F9F272BECA264AD4 R_SPI=D87E22F6065BA6E8 (I) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (318): Abort exchange
IKEv2-PROTO-2: (318): Deleting SA

--
Please remember to select a correct answer and rate helpful posts
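The debug excerpt in the question is the ASA's IKEv2 state machine receiving an AUTHENTICATION_FAILED notify in the IKE_AUTH response and tearing the SA down. When you only control one side, the fastest way to triage such traces is to pull out the SA identifiers, the state path and the error notify, and map the notify to the checks it points at. The following Python is an added example (not code from the thread, Cisco or Check Point); the sample lines are copied from the debug output above, and the hint table is a summary of what each RFC 7296 error notify usually means in practice.

```python
import re

# Constructed sample: the IKEv2 state-machine lines copied from the ASA
# "debug crypto ikev2" output quoted in the question above.
SAMPLE_DEBUG = """\
(318): NOTIFY(AUTHENTICATION_FAILED)(318): Next payload: NONE, reserved: 0x0, length: 8
(318): Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED
IKEv2-PROTO-5: (318): SM Trace-> SA: I_SPI=F9F272BECA264AD4 R_SPI=D87E22F6065BA6E8 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (318): SM Trace-> SA: I_SPI=F9F272BECA264AD4 R_SPI=D87E22F6065BA6E8 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (318): Process auth response notify
IKEv2-PROTO-5: (318): SM Trace-> SA: I_SPI=F9F272BECA264AD4 R_SPI=D87E22F6065BA6E8 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-2: (318): Auth exchange failed
IKEv2-PROTO-5: (318): SM Trace-> SA: I_SPI=F9F272BECA264AD4 R_SPI=D87E22F6065BA6E8 (I) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-2: (318): Deleting SA
"""

# One ASA "SM Trace" line: SPIs, our role (I/R), message id, state and event.
SM_RE = re.compile(
    r"I_SPI=(?P<ispi>[0-9A-Fa-f]+) R_SPI=(?P<rspi>[0-9A-Fa-f]+) "
    r"\((?P<role>[IR])\) MsgID = (?P<msgid>[0-9A-Fa-f]+) "
    r"CurState: (?P<state>\S+) Event: (?P<event>\S+)"
)
NOTIFY_RE = re.compile(r"NOTIFY\((?P<ntype>[A-Z_0-9]+)\)")

# What each IKEv2 error notify (RFC 7296 section 3.10.1) usually points at,
# phrased as the checks an operator who controls only one peer can run.
NOTIFY_HINTS = {
    "AUTHENTICATION_FAILED": "Peer rejected our IKE_AUTH: verify the PSK, the IKE identities "
                             "(peer-id-validate, local/remote ID) and that both sides really "
                             "agree on the PRF and integrity algorithms.",
    "NO_PROPOSAL_CHOSEN": "No overlap between the IKEv2 policy / IPsec proposal on the two sides.",
    "INVALID_KE_PAYLOAD": "DH group mismatch in IKE_SA_INIT; compare the 'group' settings.",
    "TS_UNACCEPTABLE": "Traffic selectors (crypto ACL / encryption domain) do not match.",
}


def triage(debug_text):
    """Summarise one IKEv2 SA's debug trace: SPIs, role, state path, notifies, hint."""
    states, notifies, sa = [], [], None
    for line in debug_text.splitlines():
        n = NOTIFY_RE.search(line)
        if n and n.group("ntype") not in notifies:
            notifies.append(n.group("ntype"))
        m = SM_RE.search(line)
        if m:
            sa = sa or (m.group("ispi"), m.group("rspi"), m.group("role"))
            states.append((m.group("state"), m.group("event")))
    # The state in which the state machine saw EV_FAIL tells you which exchange broke.
    failure_state = next((s for s, e in states if e == "EV_FAIL"), None)
    hint = next((NOTIFY_HINTS[t] for t in notifies if t in NOTIFY_HINTS), None)
    return {
        "i_spi": sa[0] if sa else None,
        "r_spi": sa[1] if sa else None,
        "role": sa[2] if sa else None,
        "states": [s for s, _ in states],
        "notifies": notifies,
        "failure_state": failure_state,
        "hint": hint,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run against the trace above it reports role `I`, the path `I_WAIT_AUTH -> I_PROC_AUTH -> AUTH_DONE -> EXIT`, a single `AUTHENTICATION_FAILED` notify and the PSK/ID/algorithm checklist; pasting a full `debug crypto ikev2` capture in works the same way because the regexes key on the SPI line format rather than on line position.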
4 Replies

Aditya Ganjoo
Cisco Employee

Hi Marius,

Remote logs would have helped.

To remediate this, please disable peer-id-validate check under the
tunnel-group and see if the tunnel comes up fine after that:

tunnel-group <> type ipsec-l2l
tunnel-group <> ipsec-attributes
peer-id-validate nocheck

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

Thanks for your reply. I have already tried disabling peer ID validation with no success.

14:56:42.305260 IP xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp > styx.company1.de.isakmp: isakmp: phase 1 R inf
14:56:46.270642 IP styx.company1.de.isakmp > xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp: isakmp: phase 1 I ident
14:56:46.305110 IP xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp > styx.company1.de.isakmp: isakmp: phase 1 R inf
14:56:50.271814 IP styx.company2.de.isakmp > xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp: isakmp: phase 1 I ident
14:56:50.306665 IP xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp > styx.company1.de.isakmp: isakmp: phase 1 R inf
14:56:54.272995 IP styx.company1.de.isakmp > xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp: isakmp: phase 1 I ident
14:56:54.307531 IP xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp > styx.company1.de.isakmp: isakmp: phase 1 R inf
14:57:26.776636 IP styx.company1.de.isakmp > xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp: isakmp: phase 1 I #34[]
14:57:26.825508 IP xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp > styx.company1.de.isakmp: isakmp: phase 1 R #34[]
14:57:26.827692 IP styx.company1.de.isakmp > xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp: isakmp: phase 2/others I #35[]
14:57:26.862739 IP xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp > styx.company1.de.isakmp: isakmp: phase 2/others R #35[]   <-- This should be the Authentication Failure package
14:57:26.863052 IP styx.company1.de.isakmp > xxx.xxx.xxx.xxx.static.cust.company2.com.isakmp: isakmp: phase 2/others I #37[]

--
Please remember to select a correct answer and rate helpful posts

Hi,

Did you manage to resolve this, as we have a similar issue.  Our ASA is running 9.2(4)8.  We have been told an upgrade to 9.4 might sort it out but we have no real information as to why.

Regards.

We had to drop the integrity value to 256 for it to work.  Have not tested upgrading to 9.4 so don't know if that will solve the issue.

--
Please remember to select a correct answer and rate helpful posts
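The final reply reports that lowering the integrity value to 256 made the tunnel come up even though the PSK had been correct all along. That outcome is consistent with how IKEv2 pre-shared-key authentication works: the AUTH payload is not the PSK itself but a PRF output over the PSK, the first IKE_SA_INIT message, the peer's nonce and the sender's MACed identity (RFC 7296 section 2.15), so any disagreement in the PRF, the key schedule it feeds, or the identity produces AUTHENTICATION_FAILED rather than a proposal error. The following Python is an added illustration, not code from the thread, Cisco or Check Point, and whether the root cause in this thread was a PRF/integrity implementation difference between the two vendors is an assumption; the inputs (PSK, message bytes, nonce, SK_pi, peer ID 192.0.2.1) are constructed, and in a live exchange SK_pi itself is derived through the negotiated PRF, so a real divergence would be even wider than modelled here.

```python
import hashlib
import hmac
import ipaddress

# RFC 7296 section 2.15: fixed pad string mixed into the PSK before signing.
KEY_PAD = b"Key Pad for IKEv2"

# IKEv2 PRF transforms as the ASA names them ("prf sha256" / "prf sha384")
# mapped to the hash their HMAC uses.
PRF_HASH = {"sha256": hashlib.sha256, "sha384": hashlib.sha384}

ID_IPV4_ADDR = 1  # ID type code from RFC 7296 section 3.5


def prf(prf_name, key, data):
    """IKEv2 PRF_HMAC_SHA2_* as used in the AUTH computation."""
    return hmac.new(key, data, PRF_HASH[prf_name]).digest()


def id_payload_rest(id_type, id_data):
    """'RestOfInitIDPayload': ID type, three reserved bytes, identification data."""
    return bytes([id_type, 0, 0, 0]) + id_data


def psk_auth(prf_name, psk, own_first_message, peer_nonce, sk_p, id_type, id_data):
    """AUTH = prf(prf(PSK, KEY_PAD), FirstMessage | PeerNonce | prf(SK_p, RestOfIDPayload))."""
    maced_id = prf(prf_name, sk_p, id_payload_rest(id_type, id_data))
    signed_octets = own_first_message + peer_nonce + maced_id
    return prf(prf_name, prf(prf_name, psk, KEY_PAD), signed_octets)


# Constructed sample inputs; in a real exchange these come from IKE_SA_INIT
# and from the SKEYSEED-derived key schedule.
PSK = b"constructed-shared-secret"
MESSAGE1 = b"<constructed IKE_SA_INIT request bytes>"
NONCE_R = bytes(range(32))
SK_PI = hashlib.sha256(b"constructed SK_pi").digest()
ID_I = ipaddress.IPv4Address("192.0.2.1").packed  # documentation address as the initiator's ID


def responder_check(initiator_prf, responder_prf, responder_psk=PSK, expected_id=ID_I):
    """Model the responder verifying the initiator's AUTH payload.

    The initiator signs with `initiator_prf`; the responder recomputes the value
    with `responder_prf`, its own copy of the PSK and the identity it expects,
    and compares in constant time. Returns the IKEv2 outcome name.
    """
    received = psk_auth(initiator_prf, PSK, MESSAGE1, NONCE_R, SK_PI, ID_IPV4_ADDR, ID_I)
    expected = psk_auth(responder_prf, responder_psk, MESSAGE1, NONCE_R, SK_PI,
                        ID_IPV4_ADDR, expected_id)
    return "AUTH_OK" if hmac.compare_digest(received, expected) else "AUTHENTICATION_FAILED"


if __name__ == "__main__":
    print("same PRF, same PSK, same ID :", responder_check("sha384", "sha384"))
    print("PRF differs, PSK correct    :", responder_check("sha384", "sha256"))
    print("same PRF, wrong PSK         :", responder_check("sha384", "sha384", responder_psk=b"other"))
    print("same PRF, unexpected ID     :",
          responder_check("sha384", "sha384", expected_id=bytes([192, 0, 2, 2])))
```

The three failing scenarios are indistinguishable from the initiator's side: each produces the same AUTHENTICATION_FAILED notify seen in the ASA debug, which is why "the PSK is correct" does not rule out the identity or the algorithm set, and why a peer that negotiates a PRF identifier but computes it differently looks exactly like a wrong key.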