3 Replies Latest reply on Feb 17, 2012 1:38 PM by sliedl

    VPN Traffic between MFE and CheckPoint Policy Mismatch

      I have a gateway-to-gateway VPN configured with the tunnel enabled. We need to configure a new service over the tunnel, and the same error always appears when trying to connect.

       

      2011-12-07 11:28:39 -0500 f_isakmp_daemon a_vpn t_error p_major
      pid: 6647 logid: 0 cmd: 'ikmpd' hostname: smzfw2.panarello.com.br
      vpn_name: vpn_celesio cky_i: 9a34dc5969864b32 cky_r: 760049a3dc77af92
      msg_id: aaf3255e local_gw: 200.242.138.2 remote_gw: 194.37.87.1
      remote_id: 194.37.87.1 local_net: 178.15.1.220 remote_net: 10.140.1.130
      information: [detailed info]
        [error]
          QUICK_MODE exchange terminated - QUICK_MODE exchange processing failed
        [error]
          IPSEC (phase 2) policy mismatch
          [invalid local protected network]
            [configured local policy identities]
                IPV4_SUBNET-10.35.0.0/16
                IPV4_SUBNET-178.0.0.0/8
                IPV4_SUBNET-192.168.0.0/16
                IPV4_SUBNET-200.242.138.0/26
            [negotiated identity]
              IPV4_ADDR-178.15.1.220



      This VPN is between an MFE and a CheckPoint.

        • 1. Re: VPN Traffic between MFE and CheckPoint Policy Mismatch
          sliedl

          You have this configured for your local networks in the VPN definition:

              [invalid local protected network]
                [configured local policy identities]
                    IPV4_SUBNET-10.35.0.0/16
                    IPV4_SUBNET-178.0.0.0/8
                    IPV4_SUBNET-192.168.0.0/16
                    IPV4_SUBNET-200.242.138.0/26

           

          The CheckPoint has this configured for its remote network(s), which should match your local networks:

                [negotiated identity]
                  IPV4_ADDR-178.15.1.220

           

          Either delete your local networks and add 178.15.1.220/32 as your only local network, or have the other side of the tunnel delete 178.15.1.220 and add, as its 'remote networks', the same networks you have in your local networks.
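An added example, not from the thread and not McAfee's own tooling: a small Python script that parses an MFE phase 2 policy-mismatch audit record like the one quoted above and reports why the Quick Mode exchange failed and which of the two fixes described in the reply applies. It encodes the rule the audit itself demonstrates: the identity the peer proposes has to match one of the configured networks exactly, so a configured 178.0.0.0/8 that merely contains the proposed host 178.15.1.220 is still a mismatch. The sample record is constructed from the thread's own audit lines; the function names and the report format are this example's own.

```python
import ipaddress
import re

# Constructed sample input: the phase 2 failure record quoted in the thread,
# in the layout the MFE audit viewer shows it (indentation is not significant).
SAMPLE_AUDIT = """\
2011-12-07 11:28:39 -0500 f_isakmp_daemon a_vpn t_error p_major
pid: 6647 logid: 0 cmd: 'ikmpd' hostname: smzfw2.panarello.com.br
vpn_name: vpn_celesio cky_i: 9a34dc5969864b32 cky_r: 760049a3dc77af92
msg_id: aaf3255e local_gw: 200.242.138.2 remote_gw: 194.37.87.1
remote_id: 194.37.87.1 local_net: 178.15.1.220 remote_net: 10.140.1.130
information: [detailed info]
  [error]
    QUICK_MODE exchange terminated - QUICK_MODE exchange processing failed
  [error]
    IPSEC (phase 2) policy mismatch
    [invalid local protected network]
      [configured local policy identities]
          IPV4_SUBNET-10.35.0.0/16
          IPV4_SUBNET-178.0.0.0/8
          IPV4_SUBNET-192.168.0.0/16
          IPV4_SUBNET-200.242.138.0/26
      [negotiated identity]
        IPV4_ADDR-178.15.1.220
"""

# Identity tokens as the MFE prints them: IPV4_SUBNET-a.b.c.d/n or IPV4_ADDR-a.b.c.d
IDENTITY_RE = re.compile(r"(IPV4_SUBNET|IPV4_ADDR)-(\d+\.\d+\.\d+\.\d+(?:/\d+)?)")
# Which side of the tunnel definition the MFE rejected (local or remote network)
SIDE_RE = re.compile(r"\[invalid (local|remote) protected network\]")


def parse_identity(kind, value):
    """Turn an MFE identity token into an IPv4Network; a host ID becomes a /32."""
    if kind == "IPV4_ADDR":
        value += "/32"
    return ipaddress.ip_network(value, strict=False)


def parse_mismatch(audit_text):
    """Extract the rejected side, the configured identities and the negotiated one."""
    side = None
    section = None
    configured = []
    negotiated = None
    for raw in audit_text.splitlines():
        line = raw.strip()
        m = SIDE_RE.search(line)
        if m:
            side = m.group(1)
            continue
        if line.startswith("[configured"):
            section = "configured"
            continue
        if line.startswith("[negotiated"):
            section = "negotiated"
            continue
        m = IDENTITY_RE.search(line)
        if not m:
            continue
        net = parse_identity(*m.groups())
        if section == "configured":
            configured.append(net)
        elif section == "negotiated":
            negotiated = net
    if side is None or negotiated is None:
        raise ValueError("no phase 2 policy mismatch found in audit text")
    return {"side": side, "configured": configured, "negotiated": negotiated}


def diagnose(parsed):
    """Check for an exact match; a covering supernet explains the confusion but does not pass."""
    side, configured, neg = parsed["side"], parsed["configured"], parsed["negotiated"]
    exact = any(n == neg for n in configured)
    covering = [str(n) for n in configured if n != neg and neg.subnet_of(n)]
    peer_side = "remote" if side == "local" else "local"
    fixes = []
    if not exact:
        fixes.append(f"On the MFE, make {neg} the only {side} network of this VPN definition.")
        fixes.append(f"Or on the peer, replace its {peer_side} network {neg} with the MFE's "
                     f"{side} networks: {', '.join(str(n) for n in configured)}.")
    return {"side": side, "negotiated": str(neg), "exact_match": exact,
            "covering": covering, "fixes": fixes}


if __name__ == "__main__":
    report = diagnose(parse_mismatch(SAMPLE_AUDIT))
    print(f"rejected {report['side']} network: peer proposed {report['negotiated']}")
    print("exact match in configured identities:", report["exact_match"])
    if report["covering"]:
        print("configured supernets that merely contain it (not sufficient):",
              ", ".join(report["covering"]))
    for fix in report["fixes"]:
        print(" -", fix)
```

Feed it the text of the failing record (for example the output of `acat -ke "area vpn"` saved to a file) to get the same two options the reply gives; when the audit reports `[invalid remote protected network]` instead, the script mirrors the advice for the remote side.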

          • 2. Re: VPN Traffic between MFE and CheckPoint Policy Mismatch

            I have been attempting this. However, it was showing an error that invalidates the remote network.

            • 3. Re: VPN Traffic between MFE and CheckPoint Policy Mismatch
              sliedl

              >> I have been attempting this. However, it was showing an error that invalidates the remote network.

               

              Ok, keep pasting the errors from the audit and we'll see if we can get it working.

               

              $> acat -ke "area vpn"

              or

              $> showaudit -vk

              on the command line for VPN audits.

               

              Type 'area vpn' (no quotes) in the Fast Server Filter box in the GUI (Admin Console) Audit Viewing box to see the same thing.