Site-to-Site VPN cannot be established with IKEv2 on vSEC for Azure / CloudGuard for Azure
Solution ID: sk122675
Technical Level:
Product: CloudGuard for Azure, vSEC for Azure, IPSec VPN
Version: R77.30, R80.10, R80.20
OS: Gaia
Platform / Model: Azure
Date Created: 26-Mar-2018
Last Modified: 07-May-2019
Symptoms
Site-to-Site VPN cannot be established with IKEv2 on vSEC for Azure / CloudGuard for Azure.
$FWDIR/log/vpnd.elg on the gateway shows the following:
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: found 0 interfaces (order 2545, ref count 1).
[ 8217][11 Jan 13:16:31][ikev2] natTraversalHandler::createNatDetectSource: failed to get my interfaces ip addr.
[ 8217][11 Jan 13:16:31][ikev2] Exchange::startPrepareMessage: error encountered. has notifications to send: 0
[ 8217][11 Jan 13:16:31][ikev2] Message::~Message: entering
[ 8217][11 Jan 13:16:31][ikev2] Exchange::setStatus: Changing status from: initial to: failure (final)..
No IKE traffic (UDP port 500, or UDP port 4500 for NAT-T) is seen on the external interface, i.e. the gateway never sends the first IKEv2 message.
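The following is an added check, not part of the SK article or of Check Point's own tooling: a POSIX shell function that scans a vpnd.elg file for the signature above (member interfaces disregarded, "found 0 interfaces", NAT-D source failure) and a helper that writes a constructed sample log in the same format so the check can be exercised offline. It assumes grep-free awk-only parsing with a standard awk, and that the default log path is $FWDIR/log/vpnd.elg as on a Gaia gateway; the "[IP address]" placeholders are copied from the article rather than real addresses.

```shell
#!/bin/sh
# Added example (not from the SK article). Assumptions: POSIX sh and awk;
# default log location $FWDIR/log/vpnd.elg (override with the first argument).

# ikev2_vip_lookup_failed [path-to-vpnd.elg]
# Exit 0 when the log shows IKEv2 finding no usable local interface and then
# failing to build the NAT detection source (the symptom in this article),
# exit 1 when it does not, exit 2 when the log cannot be read.
ikev2_vip_lookup_failed() {
    log="${1:-$FWDIR/log/vpnd.elg}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    awk '
        BEGIN { skipped = 0; zero = 0; natd = 0; fail = 0 }
        /\[ikev2\] ikeSimpOrder::getMyIpAddr: disregarding interface/ && /member interface/ { skipped++ }
        /\[ikev2\] ikeSimpOrder::getMyIpAddr: found 0 interfaces/ { zero++ }
        /\[ikev2\] natTraversalHandler::createNatDetectSource: failed to get my interfaces ip addr/ { natd++ }
        /\[ikev2\] Exchange::setStatus: Changing status from: initial to: failure/ { fail++ }
        END {
            printf "member interfaces disregarded: %d\n", skipped
            printf "found-0-interfaces events:     %d\n", zero
            printf "NAT-D source failures:         %d\n", natd
            printf "IKEv2 exchanges failed:        %d\n", fail
            # Both the empty interface lookup and the NAT-D failure must be
            # present before we call it a match.
            exit (zero > 0 && natd > 0) ? 0 : 1
        }' "$log"
}

# ike_capture [interface]
# Confirms the second symptom on a live gateway: with a peer trying to
# negotiate, nothing should appear on UDP 500/4500. Needs root and a real
# interface, so it is not exercised by the offline sample below.
ike_capture() {
    tcpdump -nni "${1:-eth0}" -c 20 'udp port 500 or udp port 4500'
}

# write_sample_log <path>
# Constructed sample reproducing the article's vpnd.elg excerpt.
write_sample_log() {
    cat > "$1" <<'EOF'
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: disregarding interface with [IP address], which is a member interface
[ 8217][11 Jan 13:16:31][ikev2] ikeSimpOrder::getMyIpAddr: found 0 interfaces (order 2545, ref count 1).
[ 8217][11 Jan 13:16:31][ikev2] natTraversalHandler::createNatDetectSource: failed to get my interfaces ip addr.
[ 8217][11 Jan 13:16:31][ikev2] Exchange::startPrepareMessage: error encountered. has notifications to send: 0
[ 8217][11 Jan 13:16:31][ikev2] Message::~Message: entering
[ 8217][11 Jan 13:16:31][ikev2] Exchange::setStatus: Changing status from: initial to: failure (final)..
EOF
}

# Stand-alone run: scan the constructed sample, then the real log if present.
if [ "${0##*/}" = "vpnd_ikev2_check.sh" ]; then
    sample="${TMPDIR:-/tmp}/vpnd_sample.$$"
    write_sample_log "$sample"
    ikev2_vip_lookup_failed "$sample" && echo "sample: signature matched"
    rm -f "$sample"
    [ -n "$FWDIR" ] && ikev2_vip_lookup_failed
fi
```

Run it on the gateway as `sh vpnd_ikev2_check.sh` (or source it and call `ikev2_vip_lookup_failed /path/to/vpnd.elg`); a zero exit code means the log carries this article's signature and the problem is the local IP lookup, not the peer.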
Cause
There is an incompatibility between IKEv2 and vSEC for Azure / CloudGuard for Azure.
When preparing the first IKEv2 message, vpnd looks for the local IP address to use as the NAT detection source and expects to find a cluster VIP; interfaces flagged as cluster member interfaces are disregarded. On vSEC for Azure / CloudGuard for Azure every interface is disregarded this way, so no VIP is found ("found 0 interfaces") and the NAT detection source cannot be built. The exchange fails before any packet is sent, which is why nothing appears on UDP 500/4500, and the tunnel cannot come up because the peers never exchange keys.