This is the error I'm getting in the traffic monitor on my firewall. I have a WatchGuard X510 and I can't seem to get IPsec to work at all.

2018-07-12 10:46:19 iked (12.*.*.*<->10.30.30.146)drop the received IKEv2 message from 10.30.30.146:55402 - reason="ike2_CheckParsePayload_KE: received the unsupported KE group (24) or wrong KE data size (recved=256, expected=0)"

alexander.polomodov
scott
  • I wonder if that "KE group" is the same as the Diffie-Hellman group? If you'd like to get some help, you'd better provide some more information. Do you want to connect to that WatchGuard appliance from Windows, Linux, Mac, or what? Or the other way around? What settings do you use on each end? – bcs78 Jul 12 '18 at 18:31

1 Answer

The KE (Key Exchange) payload contains the peer's public DH (Diffie-Hellman) factor and the DH group. Group 24 (2048-bit MODP Group with 256-bit Prime Order Subgroup) is defined in RFC 5114 and might not be that commonly implemented. The group, together with others defined in that RFC, is also no longer recommended for use with IKEv2, according to RFC 8247.

The correct behavior for an implementation when receiving a KE payload with an unsupported DH group is to respond with an INVALID_KE_PAYLOAD notify that contains an alternative, preferred group, with which the initiator should then try to connect again. If that's not the case, the implementation is flawed.

Anyway, to fix the issue you have to configure a commonly supported DH group on each end.

ecdsa
  • It's an old WatchGuard XTM 510 and I have followed WatchGuard spec sheets, and it seems no matter what, in the end I get "unsupported" on any combination. Seems like it's time to invest in a new firewall. – scott Jul 13 '18 at 16:31
  • Always the same message? What clients do you use? How are they configured? – ecdsa Jul 13 '18 at 16:53
  • PPTP works fine, but anything Mac or using an IPsec connection it doesn't like at all. – scott Jul 13 '18 at 17:00
  • You can't compare these protocols, they work completely differently. So that PPTP works is in no way an indication that IKE/IPsec should work too. Could you provide some information on how you configured the Watchguard box or on the spec sheets you refer to? – ecdsa Jul 17 '18 at 13:41
  • This is the link I'm referring to: https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/mvpn/ipsec/mvpn_ipsec_ios_vpn_c.html – scott Jul 19 '18 at 19:36
  • However, that covers IKEv1 (called "Cisco IPsec" on Apple devices) and not IKEv2. For IKEv2 you should probably start [here](https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/mvpn/ikev2/mvpn_ikev2_about_c.html). According to these docs they even provide client profiles (.mobileconfig for macOS/iOS) that include certificates and config. But since it's also possible to configure it manually (without special mention of algorithms etc.) it seems strange that you should run into this issue. Does your WatchGuard box actually run Fireware v12.1 or higher? – ecdsa Jul 20 '18 at 06:57
  • I'm on 11.11.4 firmware, but it says I can upgrade to 11.12.4. – scott Jul 23 '18 at 14:13
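The KE payload check and the INVALID_KE_PAYLOAD response described in the answer above, as an added, self-contained example (this is not WatchGuard's code, nor code from the original post). It parses an IKEv2 KE payload (RFC 7296 section 3.4), applies the same "unsupported group or wrong KE data size" test that the quoted log line reports, and builds the notify payload (RFC 7296 sections 1.2 and 3.10) a conforming responder sends back instead of silently dropping the message. The set of groups the responder supports (`RESPONDER_SUPPORTED`) and the preferred group it advertises are assumptions chosen for illustration; the byte table of public-value lengths per group follows the IANA DH group registry and the RFCs cited in comments. The 256-byte KE value is constructed filler, not a real DH public value.

```python
"""Parse an IKEv2 KE payload, validate its DH group, and build an
INVALID_KE_PAYLOAD notify naming the group we prefer instead.

Hypothetical responder logic, written to illustrate the answer above;
not WatchGuard's implementation.
"""
import struct

# Expected Key Exchange Data length (bytes) per DH group transform ID
# (IANA IKEv2 "Transform Type 4 - Diffie-Hellman Group" registry).
KE_DATA_LEN = {
    2: 128,   # 1024-bit MODP (RFC 7296)
    5: 192,   # 1536-bit MODP (RFC 3526)
    14: 256,  # 2048-bit MODP (RFC 3526)
    15: 384,  # 3072-bit MODP (RFC 3526)
    16: 512,  # 4096-bit MODP (RFC 3526)
    19: 64,   # 256-bit random ECP, x||y (RFC 5903)
    20: 96,   # 384-bit random ECP (RFC 5903)
    21: 132,  # 521-bit random ECP (RFC 5903)
    24: 256,  # 2048-bit MODP with 256-bit prime order subgroup (RFC 5114)
    31: 32,   # Curve25519 (RFC 8031)
}

INVALID_KE_PAYLOAD = 17  # Notify Message Type, RFC 7296 section 3.10.1

# Assumption for this example: the responder only implements these groups.
RESPONDER_SUPPORTED = {14, 19, 20}
RESPONDER_PREFERRED = 14


def build_ke_payload(dh_group: int, ke_data: bytes) -> bytes:
    """Generic payload header (next=0, flags=0, length) + KE body."""
    header = struct.pack("!BBH", 0, 0, 8 + len(ke_data))
    return header + struct.pack("!HH", dh_group, 0) + ke_data


def parse_ke_payload(raw: bytes):
    """Return (dh_group, key_exchange_data) from a complete KE payload."""
    if len(raw) < 8:
        raise ValueError("KE payload shorter than its 8-byte header")
    _next, _flags, length, dh_group, _reserved = struct.unpack("!BBHHH", raw[:8])
    if length != len(raw):
        raise ValueError(f"payload length field {length} != actual {len(raw)}")
    return dh_group, raw[8:]


def check_ke(dh_group: int, ke_data: bytes, supported=RESPONDER_SUPPORTED):
    """Mirror the check in the quoted log line. None means acceptable.

    An unknown group has no expected size, which is why the firewall
    logged "expected=0" for group 24.
    """
    expected = KE_DATA_LEN[dh_group] if dh_group in supported else 0
    if dh_group not in supported or len(ke_data) != expected:
        return (f"received the unsupported KE group ({dh_group}) or wrong KE "
                f"data size (recved={len(ke_data)}, expected={expected})")
    return None


def build_invalid_ke_notify(preferred_group: int) -> bytes:
    """Notify payload: Protocol ID 0, SPI Size 0, type 17, 2-byte group."""
    body = struct.pack("!BBHH", 0, 0, INVALID_KE_PAYLOAD, preferred_group)
    header = struct.pack("!BBH", 0, 0, 4 + len(body))
    return header + body


def parse_notify(raw: bytes):
    """Return (notify_type, preferred_group) from an INVALID_KE_PAYLOAD notify."""
    _next, _flags, length, _proto, spi_size, ntype = struct.unpack("!BBHBBH", raw[:8])
    if length != len(raw) or spi_size != 0:
        raise ValueError("unexpected notify layout")
    (group,) = struct.unpack("!H", raw[8:10])
    return ntype, group


def respond_to_ke(raw: bytes, supported=RESPONDER_SUPPORTED,
                  preferred=RESPONDER_PREFERRED):
    """Conforming responder: accept, or answer with INVALID_KE_PAYLOAD."""
    group, data = parse_ke_payload(raw)
    reason = check_ke(group, data, supported)
    if reason is None:
        return "ACCEPT", group
    # RFC 7296 section 1.2: tell the initiator which group to retry with,
    # rather than dropping the IKE_SA_INIT as in the quoted log.
    return "INVALID_KE_PAYLOAD", build_invalid_ke_notify(preferred)


if __name__ == "__main__":
    # Constructed input: group 24 with 256 filler bytes, as in the log line.
    ke24 = build_ke_payload(24, b"\x55" * 256)
    print("drop reason:", check_ke(*parse_ke_payload(ke24)))
    status, notify = respond_to_ke(ke24)
    print(status, notify.hex(), "->", parse_notify(notify))
```

Run as a script it prints the same drop reason the firewall logged for group 24 and then the 10-byte notify a conforming responder would send, which decodes to type 17 with preferred group 14. A client that honours the notify would retry IKE_SA_INIT with group 14; a responder that only logs and drops (as the question shows) leaves the initiator with nothing to act on.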