I had previously done Cisco router to CheckPoint R80.30 gateway VPNs without issue, but for whatever reason could not even establish phase 1 for this one. CheckPoint R80 VPN communities default to AES-256, SHA-1, Group 2, and a 1-day lifetime, which is easy to match on the Cisco with this config:
    crypto keyring mycheckpoint
      local-address GigabitEthernet0/0
      pre-shared-key address 192.0.2.190 key abcdefghij1234567890
    !
    crypto isakmp policy 100
     encr aes 256
     authentication pre-share
     group 2
     hash sha          ! <--- default value
     lifetime 86400    ! <--- default value
    !
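The reason for spelling out `hash sha` and `lifetime 86400` even though they are defaults: IOS silently fills in its own defaults for anything a policy leaves unstated, and those defaults (DES, SHA-1, RSA signatures, group 1, 86400 s) are not what a Check Point community proposes. The script below is an added example, not code from the original post: it parses `crypto isakmp policy` stanzas, applies the IOS defaults, and reports which attributes would fail against the R80 community defaults, naming them the way the gateway log does. The two sample configs are constructed for the example, and the Check Point attribute names other than "Authentication Method" are assumed.

```python
"""Check a Cisco IOS `crypto isakmp policy` against the IKEv1 phase-1 proposal
a Check Point R80 VPN community sends by default, filling in the IOS defaults
for anything the policy leaves unstated.

Added example, not code from the original post. IOS_POLICY_DEFAULTS are the
documented `crypto isakmp policy` defaults; the attribute names in
CHECKPOINT_ATTR_NAME other than "Authentication Method" are assumed."""
import re

# What IOS uses for any attribute a policy does not set. These do not appear
# in the running config, which is why they are easy to get wrong.
IOS_POLICY_DEFAULTS = {
    "encryption": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

# The R80 community defaults from the post, in IOS vocabulary.
CHECKPOINT_R80_DEFAULTS = {
    "encryption": "aes 256",
    "hash": "sha",
    "authentication": "pre-share",
    "group": "2",
    "lifetime": "86400",
}

# How the gateway names attributes in "Wrong value for: ..." (assumed, except
# for "Authentication Method", which the post quotes).
CHECKPOINT_ATTR_NAME = {
    "encryption": "Encryption Algorithm",
    "hash": "Hash Algorithm",
    "authentication": "Authentication Method",
    "group": "Diffie-Hellman Group",
    "lifetime": "SA Lifetime",
}

_POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
_ATTR_RE = re.compile(r"^\s+(encr\w*|hash|authentication|group|lifetime)\s+(.+?)\s*(?:!.*)?$")


def parse_isakmp_policies(config_text):
    """Return {priority: {attribute: value}} with IOS defaults applied.

    Only `crypto isakmp policy` stanzas are read; a line at column 0 (including
    the `!` separator) ends the stanza. Trailing `! comments` are dropped."""
    policies, current = {}, None
    for line in config_text.splitlines():
        m = _POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(IOS_POLICY_DEFAULTS)
            continue
        if line and not line[0].isspace():
            current = None
            continue
        m = _ATTR_RE.match(line)
        if m and current is not None:
            key = "encryption" if m.group(1).startswith("encr") else m.group(1)
            policies[current][key] = m.group(2).strip()
    return policies


def _normalise(key, value):
    """Lower-case and squeeze whitespace; bare `aes` on IOS means AES-128."""
    words = value.lower().split()
    if key == "encryption" and words == ["aes"]:
        words = ["aes", "128"]
    return " ".join(words)


def compare_policy(policy, expected):
    """Return Check Point-style names of attributes that would not match."""
    return [CHECKPOINT_ATTR_NAME[k] for k, want in expected.items()
            if _normalise(k, policy[k]) != _normalise(k, want)]


def find_matching_policy(config_text, expected=CHECKPOINT_R80_DEFAULTS):
    """(priority, {}) for the first policy that matches, in the order IOS tries
    them (lowest number first); otherwise (None, {priority: mismatches})."""
    failures = {}
    for prio, policy in sorted(parse_isakmp_policies(config_text).items()):
        mismatches = compare_policy(policy, expected)
        if not mismatches:
            return prio, {}
        failures[prio] = mismatches
    return None, failures


# Constructed sample: the post's policy with the two defaults left implicit,
# as IOS stores it.
GOOD_CONFIG = """\
crypto keyring mycheckpoint
  local-address GigabitEthernet0/0
  pre-shared-key address 192.0.2.190 key abcdefghij1234567890
!
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 2
!
"""

# Constructed sample: `authentication pre-share` forgotten. IOS falls back to
# rsa-sig, which is exactly what "Wrong value for: Authentication Method" says.
MISSING_AUTH_CONFIG = GOOD_CONFIG.replace(" authentication pre-share\n", "")

if __name__ == "__main__":
    print("good:", find_matching_policy(GOOD_CONFIG))
    print("missing auth:", find_matching_policy(MISSING_AUTH_CONFIG))
```

Run it against a `show running-config | section crypto isakmp` dump to see which policy IOS would offer and what the peer would reject. The comparison is deliberately strict: IOS walks its policies in priority order and the peer accepts the first full match, so one attribute left at its IOS default is enough to stall main mode.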
After verifying connectivity, doing packet captures, and multiple reboots on both ends, IKE simply would not come up. On the Cisco ISR, debug crypto isakmp wasn’t especially helpful:
    Jun 18 11:06:17.085: ISAKMP: (0):purging SA., sa=3246F97C, delme=3246F97C
    Jun 18 11:06:17.285: ISAKMP: (0):SA request profile is (NULL)
    Jun 18 11:06:17.285: ISAKMP: (0):Created a peer struct for 192.0.2.190, peer port 500
    Jun 18 11:06:17.285: ISAKMP: (0):New peer created peer = 0x2CE62C3C peer_handle = 0x80000005
    Jun 18 11:06:17.285: ISAKMP: (0):Locking peer struct 0x2CE62C3C, refcount 1 for isakmp_initiator
    Jun 18 11:06:17.285: ISAKMP: (0):local port 500, remote port 500
    Jun 18 11:06:17.285: ISAKMP: (0):set new node 0 to QM_IDLE
    Jun 18 11:06:17.285: ISAKMP: (0):insert sa successfully sa = 2CE620E8
    Jun 18 11:06:17.285: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
    Jun 18 11:06:17.285: ISAKMP: (0):found peer pre-shared key matching 192.0.2.190
    Jun 18 11:06:17.285: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
    Jun 18 11:06:17.285: ISAKMP: (0):constructed NAT-T vendor-07 ID
    Jun 18 11:06:17.285: ISAKMP: (0):constructed NAT-T vendor-03 ID
    Jun 18 11:06:17.285: ISAKMP: (0):constructed NAT-T vendor-02 ID
    Jun 18 11:06:17.285: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
    Jun 18 11:06:17.285: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1
    Jun 18 11:06:17.285: ISAKMP: (0):beginning Main Mode exchange
    Jun 18 11:06:17.285: ISAKMP-PAK: (0):sending packet to 192.0.2.190 my_port 500 peer_port 500 (I) MM_NO_STATE
    Jun 18 11:06:17.285: ISAKMP: (0):Sending an IKE IPv4 Packet.
    Jun 18 11:06:17.369: ISAKMP-PAK: (0):received packet from 192.0.2.190 dport 500 sport 500 Global (I) MM_NO_STATE
    Jun 18 11:06:17.369: ISAKMP-ERROR: (0):Couldn't find node: message_id 2303169274
    Jun 18 11:06:17.369: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
    Jun 18 11:06:17.369: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
    Jun 18 11:06:17.369: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM1
The CheckPoint gave a more “useful” error:
Main Mode Failed to match proposal: Transform: AES-256, SHA1, Group 2 (1024 bit); Reason: Wrong value for: Authentication Method
This seemed to imply the CheckPoint was expecting certificate-based authentication rather than PSK. In traditional mode, the gateway is set by default for certificate only. But it’s not clear how this is configured in newer versions.
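Read side by side, the two logs say the same thing: the Cisco sent MM1, got back an informational notify instead of the MM2 reply, and stayed in IKE_I_MM1; the Check Point names the attribute it rejected. The script below is an added example, not code from the post, that encodes that reading as a triage rule over `debug crypto isakmp` lines and pulls the rejected attribute out of the Check Point message. The stalled log sample is constructed from the excerpt above; the "accepted" and "silent" variants are assumed contrasts, and the verdict strings are this example's own.

```python
"""Triage an IKEv1 main-mode failure from an initiator's `debug crypto isakmp`
output and from the responder's Check Point proposal-mismatch log line.

Added example, not code from the original post. The rule encoded here is the
post's reading of the logs: a responder that answers the first main-mode
packet with an informational notify, leaving the initiator in IKE_I_MM1, is
rejecting the phase-1 proposal. Verdict strings are this example's own."""
import re

_STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
_INPUT_RE = re.compile(r"Input = (\S+), (\S+)")
_PKT_RE = re.compile(r"(sending packet to|received packet from) (\d+\.\d+\.\d+\.\d+)")
_CP_RE = re.compile(r"Main Mode Failed to match proposal: Transform: (?P<transform>.+?); "
                    r"Reason: Wrong value for: (?P<attr>.+?)\s*$")


def parse_isakmp_debug(text):
    """Pull the peer, packet counts, state-machine inputs and transitions."""
    d = {"peer": None, "sent": 0, "received": 0, "inputs": [], "transitions": []}
    for line in text.splitlines():
        m = _PKT_RE.search(line)
        if m:
            d["peer"] = m.group(2)
            d["sent" if m.group(1).startswith("sending") else "received"] += 1
        m = _INPUT_RE.search(line)          # "Input = <source>, <event>" only
        if m:
            d["inputs"].append((m.group(1), m.group(2)))
        m = _STATE_RE.search(line)
        if m:
            d["transitions"].append((m.group(1), m.group(2)))
    return d


def diagnose_phase1(text):
    """Classify the main-mode outcome as seen from the initiator side."""
    d = parse_isakmp_debug(text)
    states = [new for _, new in d["transitions"]]
    if any(s.startswith("IKE_I_MM") and s != "IKE_I_MM1" for s in states):
        return "phase1-progressing"      # responder accepted; MM2 or later reached
    if d["sent"] and not d["received"]:
        return "no-response"             # never answered: reachability / UDP 500
    notified = ("IKE_MESG_FROM_PEER", "IKE_INFO_NOTIFY") in d["inputs"]
    if notified and states and states[-1] == "IKE_I_MM1":
        return "proposal-rejected"       # notify while stuck in MM1: read the peer's log
    return "unknown"


def parse_checkpoint_proposal_error(line):
    """Split a Check Point 'Failed to match proposal' line into its parts."""
    m = _CP_RE.search(line)
    if not m:
        return None
    return {"transform": [t.strip() for t in m.group("transform").split(",")],
            "wrong_attribute": m.group("attr")}


# Constructed from the post's debug excerpt: the stalled exchange.
CISCO_DEBUG_STALLED = """\
Jun 18 11:06:17.285: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 18 11:06:17.285: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1
Jun 18 11:06:17.285: ISAKMP-PAK: (0):sending packet to 192.0.2.190 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 18 11:06:17.369: ISAKMP-PAK: (0):received packet from 192.0.2.190 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 18 11:06:17.369: ISAKMP-ERROR: (0):Couldn't find node: message_id 2303169274
Jun 18 11:06:17.369: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Jun 18 11:06:17.369: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 18 11:06:17.369: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM1
"""

# Assumed contrast (not from the post): the responder accepts and MM2 is reached.
CISCO_DEBUG_ACCEPTED = """\
Jun 18 11:06:17.285: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1
Jun 18 11:06:17.285: ISAKMP-PAK: (0):sending packet to 192.0.2.190 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 18 11:06:17.369: ISAKMP-PAK: (0):received packet from 192.0.2.190 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 18 11:06:17.369: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 18 11:06:17.369: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2
"""

# Assumed contrast: MM1 goes out and nothing ever comes back.
CISCO_DEBUG_SILENT = "\n".join(CISCO_DEBUG_STALLED.splitlines()[:3])

# The responder-side line quoted in the post.
CHECKPOINT_LOG = ("Main Mode Failed to match proposal: Transform: AES-256, SHA1, "
                  "Group 2 (1024 bit); Reason: Wrong value for: Authentication Method")

if __name__ == "__main__":
    for name, log in (("stalled", CISCO_DEBUG_STALLED), ("accepted", CISCO_DEBUG_ACCEPTED),
                      ("silent", CISCO_DEBUG_SILENT)):
        print(name, diagnose_phase1(log))
    print(parse_checkpoint_proposal_error(CHECKPOINT_LOG))
```

The three verdicts map to three different next steps: "no-response" is a reachability or UDP/500 problem, "proposal-rejected" means the initiator's side looks fine and the responder's log is where the answer is, and "phase1-progressing" moves the problem to phase 2. The Check Point parser returns the transform the gateway was offered alongside the attribute it rejected, so the two can be compared against the IOS policy without re-reading the raw line.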
After poking around settings for quite a while, I simply deleted the VPN community in CheckPoint SmartConsole and re-created it. The connection then popped up immediately.
¯\_(ツ)_/¯