iked Exchange Failed - Reason=Matching gateway endpoint not found.

I've come across a diagnostics message in the Traffic Monitor and haven't had much luck identifying the source/cause of it. I believe it has to do with a BOVPN configuration, but I'm having difficulties identifying what configuration is causing it.

The following diagnostic message is spamming the traffic monitor and if possible, I would like to stop it. Could someone point me in the right direction?

2020-05-02 11:35:46 iked (SITE.IP<->REMOTE.IP)IKEv2 IKE_SA_INIT exchange from REMOTE.IP:500 to SITE.IP:500 failed. Reason=Matching gateway endpoint not found.

Answers

  • Is the remote IP addr one to which you have a BOVPN?
    If not, it could be that the remote IP addr is trying to create an IPSec connection to your firewall.
    If this is the case, the only way to stop these connection attempts is to
    1) unselect "Enable built-in IPSec policy"
    2) add an IPSec packet filter From: Any To: Firebox
    3) add an Any packet filter, From: the REMOTE.IP To: any-external
    Make sure that this policy is above the IPSec policy - use manual order mode
    On Logging on this policy - unselect "Send a log message" to not see denies for packets from REMOTE.IP

  • The remote IP is a BOVPN (Virtual Interface), which appears to be configured properly and is active, transmitting data without issue. Given this, I'm confused as to why it's stating it can't find the endpoint gateway. And just to verify, the endpoint gateway is the local SITE.IP gateway as configured, right?

  • Consider opening a support incident to get help from a WG rep in understanding the cause of these log messages.

  • James_Carson (WatchGuard Representative)

    Hi @Muzixs

    It's likely that the IP that the WatchGuard is receiving in the traffic is not what's actually in the VPN gateway/endpoint settings. If the WatchGuard is turning around and initiating the tunnel after receiving that, and it works, it'd keep the tunnel up.

    Compare the (SITE.IP<->REMOTE.IP) to what's actually in your VPN gateway settings. Do they match exactly?

    -James Carson
    WatchGuard Customer Support
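A small triage script for the comparison James suggests, added here as an example and not taken from WatchGuard or from this thread: it parses Traffic Monitor lines in the format shown in the question, checks each (SITE.IP, REMOTE.IP) pair against a set of configured gateway endpoints, and sorts peers into exact matches, configured remotes seen with a different local address, and unknown peers (the case the first answer handles with a packet filter). The log lines and the endpoint set are constructed sample data, not taken from a real Firebox.

```python
import re
from collections import Counter

# Constructed Traffic Monitor lines in the same shape as the one in the question.
SAMPLE_LOG = """\
2020-05-02 11:35:46 iked (203.0.113.10<->198.51.100.20)IKEv2 IKE_SA_INIT exchange from 198.51.100.20:500 to 203.0.113.10:500 failed. Reason=Matching gateway endpoint not found.
2020-05-02 11:35:47 iked (203.0.113.10<->198.51.100.21)IKEv2 IKE_SA_INIT exchange from 198.51.100.21:500 to 203.0.113.10:500 failed. Reason=Matching gateway endpoint not found.
2020-05-02 11:35:49 iked (203.0.113.10<->198.51.100.21)IKEv2 IKE_SA_INIT exchange from 198.51.100.21:500 to 203.0.113.10:500 failed. Reason=Matching gateway endpoint not found.
2020-05-02 11:35:50 iked (203.0.113.10<->192.0.2.77)IKEv2 IKE_SA_INIT exchange from 192.0.2.77:500 to 203.0.113.10:500 failed. Reason=Matching gateway endpoint not found.
"""

# Constructed (local, remote) pairs as they would be entered in BOVPN gateway settings.
# 192.0.2.77 is configured, but against a different local (external) address.
CONFIGURED_ENDPOINTS = {
    ("203.0.113.10", "198.51.100.20"),
    ("203.0.113.11", "192.0.2.77"),
}

LINE_RE = re.compile(
    r"iked \((?P<local>[\d.]+)<->(?P<remote>[\d.]+)\).*?"
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"failed\. Reason=(?P<reason>.+)$"
)

def parse_line(line):
    """Return the fields of an iked failure line, or None if it is another message."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def classify(event, endpoints):
    """Compare the logged pair against the configured gateway endpoints."""
    if (event["local"], event["remote"]) in endpoints:
        return "exact-match"            # pair is configured; look elsewhere for the mismatch
    if event["remote"] in {remote for _, remote in endpoints}:
        return "local-differs"          # peer known, but it reached a different local address
    return "unknown-peer"               # nobody configured this peer: block/quiet it with a policy

def triage(log_text, endpoints):
    """Count 'Matching gateway endpoint not found' failures per (remote, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["reason"].startswith("Matching gateway endpoint not found"):
            counts[(ev["remote"], classify(ev, endpoints))] += 1
    return dict(counts)

if __name__ == "__main__":
    for (remote, verdict), n in sorted(triage(SAMPLE_LOG, CONFIGURED_ENDPOINTS).items()):
        print(f"{remote:15} {verdict:14} {n} failure(s)")
```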
