The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
|
VPN Tunnel using IKEv2 does not establish when 'NULL' encryption algorithm is used
|
Technical Level
|
| Solution ID |
sk167902 |
| Technical Level |
|
| Product |
IPSec VPN |
| Version |
R80.20, R80.30, R80.40 |
| Date Created |
21-Jul-2020
|
| Last Modified |
03-Feb-2021
|
Symptoms
- VPN Tunnel does not establish when using IKEv2 and NULL as encryption algorithm.
- 3rd party peers respond with "No proposal chosen" during Child SA creation, NULL is used in the proposal.
- In VPND debugs, see the following when attempting to establish VPN between Check Point Security Gateways:
[vpnd ...]@gw1[DATE TIME][ikev2] ikeAuthExchange_r::updateSA: Updating esp sa.
[vpnd ...]@gw1[DATE TIME][ikev2] dbCommunityHandle::getChildSARekey: entering
[vpnd ...]@gw1[DATE TIME][ikev2] childsaKeyingMaterialHandler::updateSa: Sanity check failure. Encryption and decryption keys are identical
[vpnd ...]@gw1[DATE TIME][ikev2] ikeEvent::handled: Event Diffie-Hellman Event could not be handled by exchange 8
[vpnd ...]@gw1[DATE TIME][ikev2] ikeAuthExchange_r::eventTerminated: entering. event: Diffie-Hellman Event.
[vpnd ...]@gw1[DATE TIME][ikev2] ikeDHEvent::~ikeDHEvent: entering. (exchange 8)
[vpnd ...]@gw1[DATE TIME][ikev2] Exchange::setStatus: Changing status from: initial to: failure (final)..
[vpnd ...]@gw1[DATE TIME][ikev2] Exchange::setStatus: Status is already final (failure (final)) and cannot be changed to failure (final)..
Cause
There was a code change for FIPS Certification. Check to make sure that encryption and decryption keys are not the same and edge case for when NULL is used as encryption algorithm was left out. Because there are technically no keys to check, the check will fail.
Solution
|
Note: To view this solution you need to
Sign In
.
|
