
L2L VPN: Received ID did not match the configured remote gateway endpoint ID

WatchGuard T35 12.5 (Build 599856)
Cisco ASA 5516 iOS 9.12

Branch office VPN can't be established, messages below:
--------begin of monitoring message--------
2:58:40 iked (96.X.X.X<->216.Y.Y.Y)******** RECV an IKE packet at 96.X.X.X:500(socket=14 ifIndex=4) from Peer 216.Y.Y.Y:500 ********
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)Received IKEv2 "IKE_SA_INIT request" message with message-ID:0 length:718 SPI[i=1239102a78460187 r=0000000000000000]
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)"IKE_SA_INIT request" message has 9 payloads [ SA(sz=256) KE(sz=200) NONCE(sz=68) V(sz=23) V(sz=59) N(sz=28) N(sz=28) N(sz=8) V(sz=20)]
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)Found matching IKE policy 'CFASA' for peer '216.Y.Y.Y:500'
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)ikeSA(0x103afe58) state change: UNKNOWN ==> CREATED, reason: "Init SA state"
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)use ikePcy(CFASA) to update ikeSA(0x103afe58)
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)dispatch the received IKE_SA_INIT request message - IkeSA(0x103afe58)'s state=CREATED
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:256
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA1_96/PRF_HMAC_SHA1/DH_GROUP5
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)The peer is NOT behind NAT
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)The local is NOT behind NAT
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)non-supported notify type: 16430(UNKNOWN), ignore it
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)Processed IKE_SA_INIT request message successfully
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)'IKE_SA_INIT response' message created successfully. length:416
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)Sent out IKE_SA_INIT response message (msgId=0) from 96.X.X.X:500 to 216.Y.Y.Y:500 for 'CFASA' gateway endpoint successfully.
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)ikeSA(0x103afe58) state change: CREATED ==> SA_INIT_R, reason: "IKE_SA_INIT response is Out"
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)ikeSA(0x103afe58)'s msgIdRecv is updated: 0 -> 1
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)******** RECV an IKE packet at 96.X.X.X:500(socket=14 ifIndex=4) from Peer 216.Y.Y.Y:500 ********
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)Received IKEv2 "IKE_AUTH request" message with message-ID:1 length:476 SPI[i=1239102a78460187 r=1c29594712cd7987]
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)"IKE_AUTH request" message has 1 payloads [ ENCR(sz=448)]
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)Got IKE policy 'CFASA' from ikeSA(0x103afe58 id:00000000 state:'SA_INIT_R')
2020-09-21 12:58:40 Allow 192.168.102.100 173.194
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)"IKE_AUTH request" message has 9 payloads [ V(sz=20) IDi(sz=26) AUTH(sz=28) SA(sz=236) TSi(sz=40) TSr(sz=40) N(sz=8) N(sz=8) N(sz=8)]
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)IKEv2 "IKE_AUTH request"'s decrypted message contains 9 payloads [ V(sz=20) IDi(sz=26) AUTH(sz=28) SA(sz=236) TSi(sz=40) TSr(sz=40) N(sz=8) N(sz=8) N(sz=8)]
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)dispatch the received IKE_AUTH request message - IkeSA(0x103afe58)'s state=SA_INIT_R
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)IKEv2 IKE_AUTH exchange from 216.Y.Y.Y:500 to 96.X.X.X:500 failed. Gateway-Endpoint='CFASA'. Reason=Received ID did not match the configured remote gateway endpoint ID.
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)sent the Notify message from 96.X.X.X:500 to 216.Y.Y.Y:500
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)ikeSA(0x103afe58)'s msgIdRecv is updated: 1 -> 2
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)Deleting ikeSA(obj=0x103afe58) state=SA_INIT_R actions:0x00000000 gateway-endpoint=CFASA, caller=ike2_ProcessData, reason="Received ID did not match the configured remote gateway endpoint ID."
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)Free ikeSA(obj=0x103afe58 state=IKESA_DELETED)
2020-09-21 12:58:41 iked recv WGAPI_EVENT_DHCP_FILE_CHANGE notification
2020-09-21 12:58:41 iked Generated hash for /etc/re
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)******** RECV an IKE packet at 96.X.X.X:500(socket=14 ifIndex=4) from Peer 216.Y.Y.Y:500 ********
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)Received IKEv2 "IKE_SA_INIT request" message with message-ID:0 length:718 SPI[i=8f862700a321320c r=0000000000000000]
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)"IKE_SA_INIT request" message has 9 payloads [ SA(sz=256) KE(sz=200) NONCE(sz=68) V(sz=23) V(sz=59) N(sz=28) N(sz=28) N(sz=8) V(sz=20)]
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)Found matching IKE policy 'CFASA' for peer '216.Y.Y.Y:500'
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)ikeSA(0x103afe58) state change: UNKNOWN ==> CREATED, reason: "Init SA state"
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)use ikePcy(CFASA) to update ikeSA(0x103afe58)
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)dispatch the received IKE_SA_INIT request message - IkeSA(0x103afe58)'s state=CREATED
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)ENCR: found the matched ENCR algo:ENCR_AES_CBC with AES-key-length:256
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA1_96/PRF_HMAC_SHA1/DH_GROUP5
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)The peer is NOT behind NAT
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)The local is NOT behind NAT
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)non-supported notify type: 16430(UNKNOWN), ignore it
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)Processed IKE_SA_INIT request message successfully
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)'IKE_SA_INIT response' message created successfully. length:416
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)Sent out IKE_SA_INIT response message (msgId=0) from 96.X.X.X:500 to 216.Y.Y.Y:500 for 'CFASA' gateway endpoint successfully.
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)ikeSA(0x103afe58) state change: CREATED ==> SA_INIT_R, reason: "IKE_SA_INIT response is Out"
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)ikeSA(0x103afe58)'s msgIdRecv is updated: 0 -> 1
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)******** RECV an IKE packet at 96.X.X.X:500(socket=14 ifIndex=4) from Peer 216.Y.Y.Y:500 ********
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)Received IKEv2 "IKE_AUTH request" message with message-ID:1 length:476 SPI[i=8f862700a321320c r=dbee8bec1ebebd85]
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)"IKE_AUTH request" message has 1 payloads [ ENCR(sz=448)]
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)Got IKE policy 'CFASA' from ikeSA(0x103afe58 id:00000000 state:'SA_INIT_R')
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)"IKE_AUTH request" message has 9 payloads [ V(sz=20) IDi(sz=26) AUTH(sz=28) SA(sz=236) TSi(sz=40) TSr(sz=40) N(sz=8) N(sz=8) N(sz=8)]
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)IKEv2 "IKE_AUTH request"'s decrypted message contains 9 payloads [ V(sz=20) IDi(sz=26) AUTH(sz=28) SA(sz=236) TSi(sz=40) TSr(sz=40) N(sz=8) N(sz=8) N(sz=8)]
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)dispatch the received IKE_AUTH request message - IkeSA(0x103afe58)'s state=SA_INIT_R
2020-09-21 12:58:48 iked (96.X.X.X<->216.Y.Y.Y)IKEv2 IKE_AUTH exchange from 216.Y.Y.Y:500 to 96.X.X.X:500 failed. Gateway-Endpoint='CFASA'. Reason=Received ID did not match the configured remote gateway endpoint ID.

---end of monitoring message

I have been trying all possible ways in Local Gateway ID and Remote Gateway ID without luck. This VPN used to work until the ASA side made small changes; we tried to restore the ASA to its old state but still no luck. Please help. Any advice is greatly appreciated.
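
A way to narrow down which ID the peer is sending, as an added example that is not part of the original post: the script reads the payload sizes from the log above and, assuming `sz` is the IKEv2 payload length defined in RFC 7296 (an assumption it checks against the KE payload for the negotiated DH group), derives the length of the identification data in IDi. The function name and lookup tables are this example's own.

```python
import re

# Four lines excerpted from the iked log in the post (first attempt).
SAMPLE_LOG = """\
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)"IKE_SA_INIT request" message has 9 payloads [ SA(sz=256) KE(sz=200) NONCE(sz=68) V(sz=23) V(sz=59) N(sz=28) N(sz=28) N(sz=8) V(sz=20)]
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)IKE proposal[#1] is matched - ENCR_AES_CBC/AUTH_HMAC_SHA1_96/PRF_HMAC_SHA1/DH_GROUP5
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)IKEv2 "IKE_AUTH request"'s decrypted message contains 9 payloads [ V(sz=20) IDi(sz=26) AUTH(sz=28) SA(sz=236) TSi(sz=40) TSr(sz=40) N(sz=8) N(sz=8) N(sz=8)]
2020-09-21 12:58:40 iked (96.X.X.X<->216.Y.Y.Y)IKEv2 IKE_AUTH exchange from 216.Y.Y.Y:500 to 96.X.X.X:500 failed. Gateway-Endpoint='CFASA'. Reason=Received ID did not match the configured remote gateway endpoint ID.
"""

HDR = 4        # generic payload header (RFC 7296, section 3.2)
KE_FIXED = 4   # DH group number (2) + RESERVED (2)
ID_FIXED = 4   # ID type (1) + RESERVED (3)
DH_PUBLIC_BYTES = {"DH_GROUP2": 128, "DH_GROUP5": 192, "DH_GROUP14": 256}
FIXED_ID_TYPES = {4: "ID_IPV4_ADDR", 16: "ID_IPV6_ADDR"}  # a hint by length only

def analyze(log):
    """Summarise one IKEv2 attempt from WatchGuard iked diagnostic lines."""
    sizes, dh_group, failure = {}, None, None
    for line in log.splitlines():
        for name, sz in re.findall(r"(\w+)\(sz=(\d+)\)", line):
            sizes.setdefault(name, int(sz))      # keep the first KE / IDi seen
        m = re.search(r"is matched - .*/(DH_GROUP\d+)", line)
        if m:
            dh_group = m.group(1)
        m = re.search(r"IKEv2 (\w+) exchange from .* failed\..*Reason=(.+)$", line)
        if m:
            failure = (m.group(1), m.group(2).strip())
    # Calibrate "sz": does it equal the on-wire payload length, header included?
    ke_expected = HDR + KE_FIXED + DH_PUBLIC_BYTES.get(dh_group, -1)
    calibrated = "KE" in sizes and sizes["KE"] == ke_expected
    idi_len = idi_kind = None
    if calibrated and "IDi" in sizes:            # only trust IDi once calibrated
        idi_len = sizes["IDi"] - HDR - ID_FIXED
        idi_kind = FIXED_ID_TYPES.get(idi_len, "variable-length (FQDN, e-mail, DN or key ID)")
    return {"failure": failure, "sz_is_payload_length": calibrated,
            "idi_data_len": idi_len, "idi_kind": idi_kind}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

With that calibration holding, the 18 bytes of identification data in IDi cannot be an IPv4 or IPv6 address, so the ID type and value the ASA sends are what to compare against the Remote Gateway ID configured for 'CFASA'.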
