CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.




Thread: Checkpoint send wrong Proxy-ID in phase 2 proposal

  1. #1

    Checkpoint send wrong Proxy-ID in phase 2 proposal

    I deployed an IPsec VPN between a Check Point 5400 cluster (Active/Active) and a Cisco ASR1000.
    The topology is like this: (Int_LAN Cisco (Ext: --------- (Ext Virtual IP: CP cluster (Int Lan:

    The log on the Cisco device:
    May 10 04:29:25.636: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local=, remote=,
        protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel), 
        lifedur= 0s and 0kb, 
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    May 10 04:29:25.636: ISAKMP-ERROR: (44079):IPSec policy invalidated proposal with error 32
    May 10 04:29:25.637: ISAKMP-ERROR: (44079):phase 2 SA policy not acceptable! (local remote
    May 10 04:29:25.637: ISAKMP: (44079):set new node 1037004474 to QM_IDLE      
    May 10 04:29:25.637: ISAKMP: (44079):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    	spi 9223511692413063920, message ID = 1037004474
    QM packet 1 (16:22:35) -  Fri May 11 2018
    ( - (
    Transport:		UDP (IPv4)
    PeerIP:			ac1e0105
    PeerPort:		500
    Peer Name:		bv-wan-p04
    ==> Sent to peer
    As the log on the Cisco and CP IKEview show, we saw that the CP sent the wrong Proxy-ID in the phase 2 proposal.
    But it is very strange, as in other cases I viewed on the forum and in Check Point SKs. The proxy-id is the external IP ???

    I think this symptom is related to the NAT policy, but I already unchecked "Disable NAT" on the VPN Community and deleted all NAT rules.

    Please help to resolve this case.
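    Two checks a defender would run on the symptom described above, added here as an example and not code from the thread or from Check Point or Cisco: one groups the Cisco ISAKMP log lines that record a rejected phase 2 proposal by session id, the other verifies that the phase 2 proxy-IDs (traffic selectors) offered by both peers mirror each other. All addresses and the sample log are constructed.

    ```python
    # Added example (not from the thread). Session id, subnets and the log
    # lines below are constructed to resemble the Cisco output in the post.
    import ipaddress
    import re
    from typing import Dict, List, Tuple

    # Cisco ISAKMP lines carry the session id in parentheses after the tag.
    ISAKMP_RE = re.compile(r"ISAKMP(?:-ERROR)?: \((\d+)\):(.*)")

    # Messages that mean the responder rejected the phase 2 (Quick Mode) offer.
    REJECT_MARKERS = ("invalidated proposal", "policy not acceptable",
                      "NOTIFY PROPOSAL_NOT_CHOSEN")

    SAMPLE_LOG = [  # constructed, modelled on the thread's Cisco log
        "May 10 04:29:25.636: IPSEC(validate_proposal_request): proposal part #1,",
        "May 10 04:29:25.636: ISAKMP-ERROR: (44079):IPSec policy invalidated proposal with error 32",
        "May 10 04:29:25.637: ISAKMP-ERROR: (44079):phase 2 SA policy not acceptable! (local 10.1.0.0 remote 203.0.113.5)",
        "May 10 04:29:25.637: ISAKMP: (44079):set new node 1037004474 to QM_IDLE",
        "May 10 04:29:25.637: ISAKMP: (44079):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3",
    ]


    def phase2_rejections(log_lines: List[str]) -> Dict[str, List[str]]:
        """Return {isakmp_session_id: [rejection messages]} found in the log."""
        found: Dict[str, List[str]] = {}
        for line in log_lines:
            m = ISAKMP_RE.search(line)
            if not m:
                continue
            session, msg = m.group(1), m.group(2).strip()
            if any(marker in msg for marker in REJECT_MARKERS):
                found.setdefault(session, []).append(msg)
        return found


    # A peer's phase 2 proxy-ID pair as (local, remote) CIDR strings.
    ProxyIDs = Tuple[str, str]


    def proxy_ids_match(cisco: ProxyIDs, checkpoint: ProxyIDs) -> bool:
        """True only when each side's local selector equals the other's remote.

        A gateway that offers its external address instead of the LAN subnet,
        which is the poster's symptom, fails this check.
        """
        c_local, c_remote = map(ipaddress.ip_network, cisco)
        cp_local, cp_remote = map(ipaddress.ip_network, checkpoint)
        return c_local == cp_remote and c_remote == cp_local
    ```

    Run `phase2_rejections` over a `debug crypto isakmp` capture to confirm the rejection is a selector problem before touching NAT rules; a mismatch reported by `proxy_ids_match` points at the encryption domain or NAT configuration rather than at the transform set.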

  2. #2

    Re: Checkpoint send wrong Proxy-ID in phase 2 proposal

    Do you have the "permanent tunnels" option enabled?
