Policy-Based VPN (PBVPN) Fails to Establish IKE SA with OnPrem Checkpoint Device
Article ID: 334969

Products

  • VMware Cloud on AWS
  • VMware Cloud on Dell EMC
  • VMware NSX
  • VMware NSX-T Data Center

Issue/Introduction

Symptoms:

  • The OnPrem VPN endpoint is a Checkpoint brand device.
  • The VMC Networking & Security Console UI displays an IKE SA error for the PBVPN. The tunnel continually attempts to re-establish the IKE SA pairs and reports a failure each time.
  • The PBVPN is configured to use IKEv2.
  • The NSX logs contain errors mentioning "IKE_AUTH packet is missing IDr or AUTH payload".
  • The IKE Fail Reason shown in the UI is "Invalid syntax".

Cause

Misconfiguration of a Checkpoint device-level setting.

Resolution

Refer to the Checkpoint Support KB article "Site to Site using IKEv2 fails with "None of the traffic selectors match the connection"" for the Checkpoint-approved method of resolving this issue.

Workaround:
Switch to using a Route-Based VPN instead of the Policy-Based VPN.