VPN site to site

iameo
Level 1

Hi all,

I have a site-to-site VPN configured on a Firepower 1010. I created two network objects, local and remote, to create a rule allowing traffic from local to remote and from remote to local. I created a NAT rule that doesn't change the source and destination addresses, but the tunnel doesn't come up.

NAT RULE [screenshot]

Access-Control [screenshot]

CRYPTO CONFIG [screenshot]

NAT CONFIG [screenshot]

And this is a debug of IKEv2 platform and protocol:

IKEv2-PLAT-4: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: attempting to find tunnel group for IP: 34.65.4.241
IKEv2-PLAT-4: mapped to tunnel group 34.65.4.241 using peer IP
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-4: P1 ID = 0
IKEv2-PLAT-4: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: Received PFKEY SPI callback for SPI 0x85EFA2C8, error FALSE
IKEv2-PLAT-4:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-4: tp_name set to:
IKEv2-PLAT-4: tg_name set to: 34.65.4.241
IKEv2-PLAT-4: tunn grp type set to: L2L
IKEv2-PLAT-7: New ikev2 sa request admitted
IKEv2-PLAT-7: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-7: (7): SM Trace-> SA: I_SPI=62FB6A9B7DBC0C99 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (7): SM Trace-> SA: I_SPI=62FB6A9B7DBC0C99 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (7): SM Trace-> SA: I_SPI=62FB6A9B7DBC0C99 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (7): Setting configured policies
IKEv2-PROTO-7: (7): SM Trace-> SA: I_SPI=62FB6A9B7DBC0C99 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (7): SM Trace-> SA: I_SPI=62FB6A9B7DBC0C99 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (7): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 20
IKEv2-PROTO-4: (7): Request queued for computation of DH key
IKEv2-PROTO-7: (7): SM Trace-> SA: I_SPI=62FB6A9B7DBC0C99 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (7): SM Trace-> SA: I_SPI=62FB6A9B7DBC0C99 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (7): Action: Action_Null
IKEv2-PROTO-7: (7): SM Trace-> SA: I_SPI=62FB6A9B7DBC0C99 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (7): SM Trace-> SA: I_SPI=62FB6A9B7DBC0C99 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (7): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (7): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 7
(7): AES-CBC(7): SHA256(7): SHA256(7): DH_GROUP_384_ECP/Group 20(7): DH_GROUP_2048_MODP/Group 14(7): DH_GROUP_1536_MODP/Group 5(7): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(7):
IKEv2-PROTO-4: (7): Sending Packet [To 34.65.4.241:500/From 192.168.2.3:500/VRF i0:f0]
(7): Initiator SPI : 62FB6A9B7DBC0C99 - Responder SPI : 0000000000000000 Message id: 0
(7): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (7): Next payload: SA, version: 2.0 (7): Exchange type: IKE_SA_INIT, flags: INITIATOR (7): Message id: 0, length: 438(7):
Payload contents:
(7): SA(7): Next payload: KE, reserved: 0x0, length: 72
(7): last proposal: 0x0, reserved: 0x0, length: 68
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 7(7): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(7): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(7): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(7): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
(7):(7): last transform: 0x3, reserved: 0x0: length: 12
typIKEv2-PLAT-4: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: attempting to find tunnel group for IP: 34.65.4.241
IKEv2-PLAT-4: mapped to tunnel group 34.65.4.241 using peer IP
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-4: P1 ID = 0
IKEv2-PLAT-4: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: Received PFKEY SPI callback for SPI 0x302B683C, error FALSE
IKEv2-PLAT-4:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-4: tp_name set to:
IKEv2-PLAT-4: tg_name set to: 34.65.4.241
IKEv2-PLAT-4: tunn grp type set to: L2L
IKEv2-PLAT-7: New ikev2 sa request admitted
IKEv2-PLAT-7: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-7: (8): SM Trace-> SA: I_SPI=108FB82B0B70B9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (8): SM Trace-> SA: I_SPI=108FB82B0B70B9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (8): SM Trace-> SA: I_SPI=108FB82B0B70B9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (8): Setting configured policies
IKEv2-PROTO-7: (8): SM Trace-> SA: I_SPI=108FB82B0B70B9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (8): SM Trace-> SA: I_SPI=108FB82B0B70B9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (8): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 20
IKEv2-PROTO-4: (8): Request queued for computation of DH key
IKEv2-PROTO-7: (8): SM Trace-> SA: I_SPI=108FB82B0B70B9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (8): SM Trace-> SA: I_SPI=108FB82B0B70B9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (8): Action: Action_Null
IKEv2-PROTO-7: (8): SM Trace-> SA: I_SPI=108FB82B0B70B9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (8): SM Trace-> SA: I_SPI=108FB82B0B70B9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (8): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (8): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 7
(8): AES-CBC(8): SHA256(8): SHA256(8): DH_GROUP_384_ECP/Group 20(8): DH_GROUP_2048_MODP/Group 14(8): DH_GROUP_1536_MODP/Group 5(8): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(8):
IKEv2-PROTO-4: (8): Sending Packet [To 34.65.4.241:500/From 192.168.2.3:500/VRF i0:f0]
(8): Initiator SPI : 108FB82B0B70B9AD - Responder SPI : 0000000000000000 Message id: 0
(8): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (8): Next payload: SA, version: 2.0 (8): Exchange type: IKE_SA_INIT, flags: INITIATOR (8): Message id: 0, length: 438(8):
Payload contents:
(8): SA(8): Next payload: KE, reserved: 0x0, length: 72
(8): last proposal: 0x0, reserved: 0x0, length: 68
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 7(8): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(8): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(8): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(8): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
(8):(8): 7b d5 49 4a
IKEv2-PROTO-7: Parse Notify Payload: NAT_IKEv2-PLAT-4: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: attempting to find tunnel group for IP: 34.65.4.241
IKEv2-PLAT-4: mapped to tunnel group 34.65.4.241 using peer IP
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: my_auth_method = 2
IKEv2-PLAT-4: supported_peers_auth_method = 2
IKEv2-PLAT-4: P1 ID = 0
IKEv2-PLAT-4: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-7: INVALID PSH HANDLE
IKEv2-PLAT-4: Received PFKEY SPI callback for SPI 0xFAB03CF9, error FALSE
IKEv2-PLAT-4:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-4: tp_name set to:
IKEv2-PLAT-4: tg_name set to: 34.65.4.241
IKEv2-PLAT-4: tunn grp type set to: L2L
IKEv2-PLAT-7: New ikev2 sa request admitted
IKEv2-PLAT-7: Incrementing outgoing negotiating sa count by one
IKEv2-PROTO-7: (9): SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (9): SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (9): SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (9): Setting configured policies
IKEv2-PROTO-7: (9): SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (9): SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (9): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 20
IKEv2-PROTO-4: (9): Request queued for computation of DH key
IKEv2-PROTO-7: (9): SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (9): SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (9): Action: Action_Null
IKEv2-PROTO-7: (9): SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (9): SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (9): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (9): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 7
(9): AES-CBC(9): SHA256(9): SHA256(9): DH_GROUP_384_ECP/Group 20(9): DH_GROUP_2048_MODP/Group 14(9): DH_GROUP_1536_MODP/Group 5(9): DH_GROUP_1024_MODP/Group 2IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(9):
IKEv2-PROTO-4: (9): Sending Packet [To 34.65.4.241:500/From 192.168.2.3:500/VRF i0:f0]
(9): Initiator SPI : 2CC1C0322334109B - Responder SPI : 0000000000000000 Message id: 0
(9): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (9): Next payload: SA, version: 2.0 (9): Exchange type: IKE_SA_INIT, flags: INITIATOR (9): Message id: 0, length: 438(9):
Payload contents:
(9): SA(9): Next payload: KE, reserved: 0x0, length: 72
(9): last proposal: 0x0, reserved: 0x0, length: 68
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 7(9): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(9): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(9): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(9): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
(9):(9): 4f b1 98 8d 12 3a 9a 03 9f 13 67 91 10 25 5b b4
(9):

Can anyone help me figure out what the problem is?

Thank you in advance!

2 Replies

Looking into your debug, it seems you are sending the traffic but the remote side is not responding at all.

For example:

SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000

As you are the initiator, we see the SPI values, but the remote side is not responding at all. Is the remote side configured yet?

Please do not forget to rate.
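To make the reply's check mechanical, here is an added Python example (mine, not from the post or from Cisco) that walks the debug, groups the SM Trace lines by SA number and reports whether any responder SPI ever became non-zero or any packet came back from the peer; the samples are constructed from the lines above, and the shape of the "Received Packet" line is an assumption.

```python
import re
# Constructed sample: the three attempts from the post above, cut to the lines the check needs.
POSTED_DEBUG = """\
IKEv2-PROTO-7: (7): SM Trace-> SA: I_SPI=62FB6A9B7DBC0C99 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-4: (7): Sending Packet [To 34.65.4.241:500/From 192.168.2.3:500/VRF i0:f0]
IKEv2-PROTO-7: (8): SM Trace-> SA: I_SPI=108FB82B0B70B9AD R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-4: (8): Sending Packet [To 34.65.4.241:500/From 192.168.2.3:500/VRF i0:f0]
IKEv2-PROTO-7: (9): SM Trace-> SA: I_SPI=2CC1C0322334109B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-4: (9): Sending Packet [To 34.65.4.241:500/From 192.168.2.3:500/VRF i0:f0]
"""
# Constructed counter-example (not from the post; the "Received Packet" line shape is assumed).
ANSWERED_DEBUG = """\
IKEv2-PROTO-7: (3): SM Trace-> SA: I_SPI=0123456789ABCDEF R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-4: (3): Sending Packet [To 203.0.113.7:500/From 192.0.2.10:500/VRF i0:f0]
IKEv2-PROTO-4: (3): Received Packet [From 203.0.113.7:500/To 192.0.2.10:500/VRF i0:f0]
IKEv2-PROTO-7: (3): SM Trace-> SA: I_SPI=0123456789ABCDEF R_SPI=FEDCBA9876543210 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
"""

SM_TRACE = re.compile(r"\((\d+)\): SM Trace-> SA: I_SPI=([0-9A-F]{16}) R_SPI=([0-9A-F]{16})")
SENT = re.compile(r"\((\d+)\): Sending Packet \[To ([\d.]+):\d+")
RECEIVED = re.compile(r"\((\d+)\): Received Packet \[From ([\d.]+):\d+")

def summarize_ike_sas(debug_text):
    """Group the debug by IKE SA number: SPIs seen, peer address, packets sent/received."""
    sas = {}
    new = lambda: {"i_spi": None, "r_spi": None, "peer": None, "sent": 0, "received": 0}
    for line in debug_text.splitlines():
        if m := SM_TRACE.search(line):
            sa = sas.setdefault(m.group(1), new())
            sa["i_spi"] = m.group(2)
            # R_SPI is zero on our own IKE_SA_INIT request by design; only non-zero proves a reply.
            if int(m.group(3), 16) != 0:
                sa["r_spi"] = m.group(3)
        elif m := SENT.search(line):
            sa = sas.setdefault(m.group(1), new())
            sa["sent"] += 1
            sa["peer"] = m.group(2)
        elif m := RECEIVED.search(line):
            sas.setdefault(m.group(1), new())["received"] += 1
    return sas

def diagnose(debug_text):
    """One-line verdict on whether the peer ever answered our IKE_SA_INIT."""
    sas = summarize_ike_sas(debug_text)
    if not sas:
        return "no IKEv2 SA activity found in debug"
    if any(sa["r_spi"] or sa["received"] for sa in sas.values()):
        return "peer responded: IKE_SA_INIT was answered, look later in the exchange"
    peers = sorted({sa["peer"] for sa in sas.values() if sa["peer"]})
    return f"peer not responding: {len(sas)} IKE_SA_INIT attempts to {', '.join(peers)}, responder SPI never left zero"
```

Run it on the full debug buffer from `debug crypto ikev2 protocol` rather than the abridged sample; the verdict for the post's capture is that all three attempts to 34.65.4.241 went unanswered.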