CPUG: The Check Point User Group


Thread: Check Point sends wrong Proxy-ID in phase 2 proposal

  1. #1
    Join Date
    2018-05-11
    Posts
    1
    Rep Power
    0

    Check Point sends wrong Proxy-ID in phase 2 proposal

    I deployed an IPsec VPN between a Check Point 5400 cluster (Active/Active) and a Cisco ASR1000.
    The topology is like this: (Int_LAN 192.168.255.0/24) Cisco (Ext: 172.30.1.5) --------- (Ext Virtual IP: 172.30.1.4) CP cluster (Int LAN: 192.168.50.0/24).

    The log on the Cisco device:
    Code:
    May 10 04:29:25.636: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 172.30.1.5:0, remote= 172.30.1.4:0,
        local_proxy= 172.30.1.5/255.255.255.255/256/0,
        remote_proxy= 172.30.1.4/255.255.255.255/256/0,
        protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
        lifedur= 0s and 0kb, 
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    May 10 04:29:25.636: ISAKMP-ERROR: (44079):IPSec policy invalidated proposal with error 32
    May 10 04:29:25.637: ISAKMP-ERROR: (44079):phase 2 SA policy not acceptable! (local 172.30.1.5 remote 172.30.1.4)
    May 10 04:29:25.637: ISAKMP: (44079):set new node 1037004474 to QM_IDLE      
    May 10 04:29:25.637: ISAKMP: (44079):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    	spi 9223511692413063920, message ID = 1037004474
    IKEview:
    Code:
    QM packet 1 (16:22:35) -  Fri May 11 2018
    
    ID:
    (172.30.1.4) - (172.30.1.5)
    
    Transport:		UDP (IPv4)
    PeerIP:			ac1e0105
    PeerPort:		500
    Peer Name:		bv-wan-p04
    
    ==> Sent to peer 172.30.1.5
    As the Cisco log and the CP IKEview output show, the CP sent the wrong Proxy-ID in the phase 2 proposal.
    But it is very strange compared to other cases I have seen on the forum and in Check Point SKs. The proxy-ID is the external IP???

    I think this symptom is related to the NAT policy, but I have already unchecked the Disable NAT option on the VPN Community and deleted all NAT rules.

    Please help to resolve this case.
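The mismatch in the post is visible in the Cisco `validate_proposal_request` lines: both `local_proxy` and `remote_proxy` are the gateway addresses as /32 hosts instead of the two LAN subnets. The script below is an added diagnostic example, not code from the poster or from Check Point or Cisco. It parses the IOS proxy-ID fields (`address/mask/protocol/port`) from the log lines quoted above, compares them with the encryption domains given in the topology, and reports what was offered versus what was expected. It also decodes the hex `PeerIP` that IKEview prints. The expected networks are taken from the post; the function names are this example's own.

```python
import ipaddress
import re

# Cisco IOS proposal-validation lines, copied from the post above.
CISCO_LOG = """\
May 10 04:29:25.636: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.30.1.5:0, remote= 172.30.1.4:0,
    local_proxy= 172.30.1.5/255.255.255.255/256/0,
    remote_proxy= 172.30.1.4/255.255.255.255/256/0,
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
"""

# Encryption domains from the topology in the post, seen from the Cisco side.
EXPECTED_LOCAL = ipaddress.ip_network("192.168.255.0/24")   # behind the ASR
EXPECTED_REMOTE = ipaddress.ip_network("192.168.50.0/24")   # behind the CP cluster

# IOS prints each proxy as address/mask/protocol/port; 256 in the protocol
# field means no protocol restriction.
PROXY_RE = re.compile(
    r"(?P<side>local|remote)_proxy=\s*"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)/(?P<mask>\d+\.\d+\.\d+\.\d+)/"
    r"(?P<proto>\d+)/(?P<port>\d+)"
)


def parse_proxy_ids(log: str) -> dict:
    """Return {'local': (network, proto, port), 'remote': (...)} parsed from
    an IOS validate_proposal_request dump."""
    result = {}
    for m in PROXY_RE.finditer(log):
        net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        result[m["side"]] = (net, int(m["proto"]), int(m["port"]))
    return result


def check_proxy_ids(log: str, expected_local, expected_remote) -> list:
    """Compare the offered proxy-IDs with the configured encryption domains.
    Returns a list of findings; an empty list means the proposal matches."""
    ids = parse_proxy_ids(log)
    findings = []
    for side, expected in (("local", expected_local), ("remote", expected_remote)):
        if side not in ids:
            findings.append(f"{side}_proxy missing from log")
            continue
        net, proto, port = ids[side]
        if net != expected:
            # A /32 here is the classic sign that a gateway address, not the
            # protected subnet, was negotiated as the traffic selector.
            kind = "host (/32) gateway address" if net.prefixlen == 32 else "subnet"
            findings.append(
                f"{side}_proxy offered {net} ({kind}), expected {expected}"
            )
    return findings


def decode_ikeview_hex_ip(hex_ip: str) -> str:
    """IKEview shows PeerIP as eight hex digits (e.g. 'ac1e0105');
    convert it to dotted-quad form."""
    return str(ipaddress.IPv4Address(int(hex_ip, 16)))


if __name__ == "__main__":
    for finding in check_proxy_ids(CISCO_LOG, EXPECTED_LOCAL, EXPECTED_REMOTE):
        print(finding)
    print("IKEview PeerIP ac1e0105 =", decode_ikeview_hex_ip("ac1e0105"))
```

Run against the quoted log, the script reports both proxies as /32 gateway addresses rather than the two /24 encryption domains, which is exactly the condition the Cisco side rejects with PROPOSAL_NOT_CHOSEN; a proposal carrying the two LAN subnets produces no findings.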

  2. #2
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    244
    Rep Power
    12

    Re: Check Point sends wrong Proxy-ID in phase 2 proposal

    Do you have the "permanent tunnels" option enabled?
    Zimmie
