CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: "Cannot identify peer for encrypted connection"

  1. #1 (Join Date 2009-09-15; Posts 4)

    "Cannot identify peer for encrypted connection"

    Hi,
    I have to set up a site-to-site VPN between my CP gateway, and a FORTIGATE 200A.
    When I ping one of the remote internal addresses, SmartView Tracker reports the following error:
    "encryption failure: Cannot identify peer for encrypted connection (VPN error 01)"
    When I ping from the other side (the remote site), I get the same message but with (VPN error 04).

    I'm using NG R55 with AI HFA20.

    Any ideas?

    Thanks,
    Sandor

  2. #2 (Join Date 2006-07-28; Location San Francisco, USA; Posts 2,494)

    Re: "Cannot identify peer for encrypted connection"

    Double-check all your encryption domains.

    Make sure you don't have any overlapping domains.

  3. #3 (Join Date 2009-09-15; Posts 4)

    Re: "Cannot identify peer for encrypted connection"

    I already did. I even executed the command vpn_overlapencdom and it reported "No overlapping domains".

    Is this kind of error only related with overlapping encryption domains?

  4. #4 (Join Date 2006-07-28; Location San Francisco, USA; Posts 2,494)

    Re: "Cannot identify peer for encrypted connection"

    Are your encryption domains setup correctly?

    For the network you are trying to reach, is it in the encryption domain of the remote firewall?

    Is your source address defined in the encryption domain of your local firewall?

  5. #5 (Join Date 2007-01-04; Location India; Posts 4)

    Re: "Cannot identify peer for encrypted connection"

    The externally managed GW object should have the external IP address on it...
    Cheers!

    CK
    CCMSE,CCSE,CCNP

  6. #6 (Join Date 2009-09-15; Posts 4)

    Re: "Cannot identify peer for encrypted connection"

    OK, OK, I'm really new to this FW. I'm going to give you some details so that you are able to help me:

    My enc domain is a 10.16.0.0/13 subnet plus a 10.24.0.0/16. The remote endpoint's enc domain is 192.168.2.0/24.
    I have created an Interoperable device representing the remote FW. The topology of that device in my Checkpoint is:

    X.X.X.X as External
    192.168.2.0/24 Internal

    I select the option for "VPN domain" on this Interop Device that establishes "All IP address behind Gateway based on Topology information."

    My endpoint (not managed by myself) is configured to have as my enc domain the subnet 10.16.0.0/13 (excluding 10.24.0.0/16; my enc domain is larger because I have other VPNs. Anyway, I tried eliminating this subnet from my enc domain and got the same results described below).

    Our IPsec params are identical on both sides. However, I always get the same error when I ping one of the remote servers:
    "encryption failure: Cannot identify peer for encrypted connection (VPN error code 01)"
    When I ping from the other side (the remote site), I get the same message but with (VPN error code 04).


    Thanks,
    Sandor

  7. #7 (Join Date 2006-07-28; Location San Francisco, USA; Posts 2,494)

    Re: "Cannot identify peer for encrypted connection"

    Check your NAT config - are you doing any NAT for this VPN? Do you need to disable NAT for this VPN community?

  8. #8 (Join Date 2009-09-15; Posts 4)

    Re: "Cannot identify peer for encrypted connection"

    I have explicit rules to avoid NATting between the enc domains. Do I have to use NAT? (I'm using traditional mode.) Thanks, Sandor

  9. #9 (Join Date 2006-07-28; Location San Francisco, USA; Posts 2,494)

    Re: "Cannot identify peer for encrypted connection"

    No, you do not necessarily have to use NAT, it depends on your network.

    It's just that using NAT can affect the encryption domains you choose.

    Double-check that your NAT exclusions are working correctly. Look at the logs too.
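The checks the replies in #2, #4, #7 and #9 ask for (source inside the local VPN domain, destination inside exactly one peer's domain, no overlap between gateways' domains, and NAT not rewriting the source before the peer lookup) as an added worked example; this is not code from the thread or from Check Point. The VPN domains are taken from post #6. The NAT rulebase, the external address 203.0.113.1 (a documentation-range address) and the order "NAT first, then VPN-domain lookup" are assumptions of the model, not a description of any specific release's inspection chain.

```python
# Added example, not from the CPUG thread or from Check Point: a model of the
# peer lookup a gateway performs before encrypting, built from the addresses
# in post #6. ASSUMPTIONS: the NAT rulebase, the external address 203.0.113.1
# and the order "NAT first, then VPN-domain lookup" are illustrative only.
from ipaddress import ip_address, ip_network
from itertools import combinations


def nets(*cidrs):
    """Build a list of network objects from CIDR strings."""
    return [ip_network(c) for c in cidrs]


# VPN domains as described in post #6 (constructed from the thread).
LOCAL_DOMAIN = nets("10.16.0.0/13", "10.24.0.0/16")
PEERS = {"fortigate-200a": nets("192.168.2.0/24")}

# Hypothetical ordered NAT rulebase, first match wins:
# (original source net, destination net, translated source or None for "no NAT")
NAT_RULES = [
    # explicit no-NAT rule between the domains, as post #8 describes, but
    # deliberately covering only the /13 and not 10.24.0.0/16
    (ip_network("10.16.0.0/13"), ip_network("192.168.2.0/24"), None),
    # hide everything else behind the (assumed) external address
    (ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), ip_address("203.0.113.1")),
]


def overlapping_domains(local, peers):
    """Roughly what vpn_overlapencdom reports: pairs of domains belonging to
    different gateways that share address space. Overlap inside one gateway's
    own domain (a /16 inside its own /13) is not an error and is skipped."""
    labelled = [("local", n) for n in local]
    for name, peer_nets in peers.items():
        labelled += [(name, n) for n in peer_nets]
    return [(na, str(a), nb, str(b))
            for (na, a), (nb, b) in combinations(labelled, 2)
            if na != nb and a.overlaps(b)]


def apply_nat(src, dst, rules):
    """Source address after the first matching NAT rule (unchanged if none)."""
    for src_net, dst_net, translated in rules:
        if src in src_net and dst in dst_net:
            return src if translated is None else translated
    return src


def identify_peer(src, dst, local=LOCAL_DOMAIN, peers=PEERS, nat_rules=NAT_RULES):
    """Return (peer_name, reason). peer_name is None when no peer can be
    identified, the situation behind 'Cannot identify peer' in the thread."""
    src, dst = ip_address(src), ip_address(dst)
    nat_src = apply_nat(src, dst, nat_rules)
    if not any(nat_src in n for n in local):
        return None, (f"source {src} became {nat_src} after NAT and is "
                      f"outside the local VPN domain")
    matches = [name for name, peer_nets in peers.items()
               if any(dst in n for n in peer_nets)]
    if not matches:
        return None, f"destination {dst} is in no peer VPN domain"
    if len(matches) > 1:
        return None, f"destination {dst} is in several peer domains: {matches}"
    return matches[0], "encrypt"


if __name__ == "__main__":
    print("overlaps:", overlapping_domains(LOCAL_DOMAIN, PEERS))
    print(identify_peer("10.16.5.5", "192.168.2.10"))               # peer found
    print(identify_peer("10.24.1.1", "192.168.2.10"))               # hidden by NAT
    print(identify_peer("10.16.5.5", "192.168.3.10", nat_rules=[]))  # no peer domain
```

The 10.24.1.1 case is the failure mode post #9 warns about: a no-NAT rule that covers only part of the local domain lets the hide rule rewrite the source so it no longer falls inside the domain, and the gateway then has no peer to encrypt to even though both domains are configured correctly.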
