
MSR + Checkpoint site-to-site IPSec doesn't work

 
Pseudohash

Hello Community,

 

We are trying to establish an IPSec tunnel between an HPE MSR200 series router and a Checkpoint firewall.

The tunnel initiated from the MSR site can be established successfully.

Tunnel establishment initiated from the Checkpoint site fails in Phase 2 Quick Mode.

The MSR rejects the request with the error message INVALID-ID-INFORMATION.

MSR configuration:

 

#
ipsec transform-set AES-256-SHA-256
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256
 pfs dh-group14
#

#
ipsec policy xxxxxxxxxxxxxxx 100 isakmp
 transform-set AES-256-SHA-256
 security acl name xxxxxxxxxxxxxxx
 remote-address 0.0.0.0
 ike-profile xxxxxxxxx
 sa duration time-based 3600
#
ike profile xxxxxxxx
 keychain xxxxxxxxxxxxx
 proposal 1
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group14
 authentication-algorithm sha256
 sa duration 28800
#
acl advanced name xxxxxxxx
 description ACL for crypto map IPSec_MAP 100
 rule 2 permit ip source x.x.x.x 0.0.0.255 destination x.x.x.x 0.0.0.7
#

 

Error shown on MSR debugging output:

 

MSR2004-48 IPSEC/7/EVENT:
The policy's acl or ike profile does not match the flow, Name = IPSecVPN_xxx, Seqnum = 100

 

 

Please kindly suggest anything.

Thanks!