vpn problem with overlapping ip range

**Opera** · 2015-01-26

Hello,

I need help in finding out whats wrong with my vpn setup with overlapping range. I am using openserver checkpoint 77.20 and the vpn is between me and cisco ASA 5555.
I have created two network objects with NATED addresses and using that one as encryption domains in the vpn setup. But when i try to ping from my side to the other side so getting wiered problem.

First i get rejected messges with IKE failure no response from peer and than in the next message i get drop with reason "Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information"

I have checked the configuration of the other side and it looks ok.

need help if anybody can help me in this issue.

**slowfood27** · 2015-01-26

No valid SA means that your encryption parameters do not match.
Just as a reminder: your local encryption domain (A) contains ALL IP Addresses you wanna present to your VPN peering partner, regardless if there is NAT in place or not.
The peering partners VPN encryption domain (B) contains ALL IP Addresses he is presenting to you. A and B must match at both ends.
And there are as well some other VPN parameters such as encryption methods, hash algorithms, lifetime, shared secret, etc. which MUST match as well at both ends.

In order to get more info you should turn on IKE and VPN Debugging

at expert mode level on the gw (bash)
vpn debug on (off to stop)
vpn debug ikeon (ikeoff to stop)

the debugging information is written to the 2 logfiles $FWDIR/log/vpnd.elg and $FWDIR/log/ike.elg

You can read the ike.elg into the IKEView utility (included in the InfoView Utility you can download from Check Point Support) and check what's going on.

HTH

**Opera** · 2015-01-27

Originally Posted by slowfood27

No valid SA means that your encryption parameters do not match.
Just as a reminder: your local encryption domain (A) contains ALL IP Addresses you wanna present to your VPN peering partner, regardless if there is NAT in place or not.
The peering partners VPN encryption domain (B) contains ALL IP Addresses he is presenting to you. A and B must match at both ends.
And there are as well some other VPN parameters such as encryption methods, hash algorithms, lifetime, shared secret, etc. which MUST match as well at both ends.

In order to get more info you should turn on IKE and VPN Debugging

at expert mode level on the gw (bash)
vpn debug on (off to stop)
vpn debug ikeon (ikeoff to stop)

the debugging information is written to the 2 logfiles $FWDIR/log/vpnd.elg and $FWDIR/log/ike.elg

You can read the ike.elg into the IKEView utility (included in the InfoView Utility you can download from Check Point Support) and check what's going on.

HTH

I have enabled vpn debug ikeon and also vpn debug on. When i look into the ike.elg file in ikeview tool, there i find only P1 Main Mode messages with status failed, no Quick Mode messages. I have checked packet1 and packet 2 to see what is happening there and i can see that packet sent to peer with suggestions is same as packet 2 received from peer with suggestions, but still main mode fails.

Packet 1. Sent to Peer:

Transform Payload - KEY_IKE

Next Payload: NONE
Reserved: 0
Length: 00 28 (40)
TransNum: 1
TransId: 1
Reserved2: 00 00 (0)

Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Authentication Method: Pre-shared key
Group Description: 1536-bit MODP group
Life Type: Seconds
Life Duration: 86400

packet 2 Received from Peer

Transform Payload - KEY_IKE

Next Payload: NONE
Reserved: 0
Length: 00 28 (40)
TransNum: 1
TransId: 1
Reserved2: 00 00 (0)

Encryption Algorithm: AES-CBC
Key Length: 256
Hash Algorithm: SHA1
Group Description: 1536-bit MODP group
Authentication Method: Pre-shared key
Life Type: Seconds
Life Duration: 86400

Please any help is appreciated.

Best regards

**mcnallym** · 2015-01-27

OK if Phase 1 is failing then you aren't going to succeed with Phase 2 establishment.

Double Check that the Encryption Settings are the Same, is the PSK the same at both ends
Any Logs in Tracker relating to Main Mode such as Invalid Payload etc

Once you get Phase 1 to establish then worry about Phase 2

**Opera** · 2015-01-27

Originally Posted by mcnallym

OK if Phase 1 is failing then you aren't going to succeed with Phase 2 establishment.

Double Check that the Encryption Settings are the Same, is the PSK the same at both ends
Any Logs in Tracker relating to Main Mode such as Invalid Payload etc

Once you get Phase 1 to establish then worry about Phase 2

The encryption settings are same on both sides, and shared secret is also same. No logs that says invalid Payload.

Regards

**mcnallym** · 2015-01-27

Originally Posted by Opera

The encryption settings are same on both sides, and shared secret is also same. No logs that says invalid Payload.

Regards

Then what sort of message are you getting for the Main Mode failure?

At the moment if your Phase 1 is failing then need to get to the bottom of why your Phase 1 is failing. You won't be able to establish Phase 2 hence why you get the generic messages in the Tracker for the Traffic between the Enc Domains.

One thing I would definitely check is the IP address being used in the Phase 1 for your R77.20 System. How have you configured the VPN Link Selection for the Gateway. Are there other VPN's working from this Gateway?