IPSec+RSA fails at 1st phase with CheckPoint FW

Hello!

I am configuring an IPSec+RSA connection to a Checkpoint FW (Gaia R77.30) from RouterOS 6.43.2. The certificates on MT are self-signed: CA + VPN (signed by the CA). The CA was uploaded to the Checkpoint FW, and the CA from CP was uploaded to MT. It's important to authorize with certificates.
The Checkpoint FW is in production and already linked with other Checkpoint FWs by IPSec+RSA in an enterprise cluster.

The communication process starts, but at the stage of exchanging certificates it stops with the message: “ipsec Invalid CR type 7”
Please help me overcome this issue.

IPSec configuration:

/ip ipsec peer profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-128 name=peer_CheckPoint \
    nat-traversal=no

/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=\
    proposal_CheckPoint pfs-group=none

/ip ipsec peer
add address=W.X.Y.Z/32 auth-method=rsa-signature certificate=VPN \
    profile=peer_CheckPoint

/ip ipsec policy
add dst-address=10.0.0.0/16 proposal=proposal_CheckPoint sa-dst-address=\
    W.X.Y.Z sa-src-address=A.B.C.D src-address=192.168.33.0/24 \
    tunnel=yes

Full configuration:

/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp disable-running-check=no name=\
    DMZ
set [ find default-name=ether1 ] arp=proxy-arp disable-running-check=no name=\
    LAN
set [ find default-name=ether3 ] disable-running-check=no name=WAN
/interface list
add name=local

/interface list member
add interface=LAN list=local
add interface=DMZ list=local

/ip firewall filter
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add action=log chain=forward out-interface=all-ppp
add action=accept chain=forward out-interface=WAN

/ip address
add address=192.168.4.100/25 interface=LAN network=192.168.4.0
add address=192.168.33.1/24 interface=DMZ network=192.168.33.0
add address=A.B.C.D/24 interface=WAN network=A.B.C.0

/ip route
add distance=1 gateway=A.B.C.1

/ip dns
set servers=8.8.8.8

/ip firewall nat
add action=accept chain=srcnat dst-address=10.0.0.0/16 src-address=\
    192.168.33.0/24
add action=masquerade chain=srcnat out-interface=WAN

/ip ipsec peer profile
add dh-group=modp1024 enc-algorithm=aes-256,aes-128 name=peer_CheckPoint \
    nat-traversal=no

/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=\
    proposal_CheckPoint pfs-group=none

/ip ipsec peer
add address=W.X.Y.Z/32 auth-method=rsa-signature certificate=VPN \
    profile=peer_CheckPoint

/ip ipsec policy
add dst-address=10.0.0.0/16 proposal=proposal_CheckPoint sa-dst-address=\
    W.X.Y.Z sa-src-address=A.B.C.D src-address=192.168.33.0/24 \
    tunnel=yes

Log:

Oct/10/2018 15:09:51 ipsec,info initiate new phase 1 (Identity Protection): A.B.C.D[500]<=>W.X.Y.Z[500]
Oct/10/2018 15:09:51 ipsec,debug new cookie:
Oct/10/2018 15:09:51 ipsec,debug b59b1db291961fcf
Oct/10/2018 15:09:51 ipsec,debug add payload of len 96, next type 13
Oct/10/2018 15:09:51 ipsec,debug add payload of len 16, next type 13
Oct/10/2018 15:09:51 ipsec,debug add payload of len 16, next type 0
Oct/10/2018 15:09:51 ipsec,debug 168 bytes from A.B.C.D[500] to W.X.Y.Z[500]
Oct/10/2018 15:09:51 ipsec,debug 1 times of 168 bytes message will be sent to W.X.Y.Z[500]
Oct/10/2018 15:09:51 ipsec sent phase1 packet A.B.C.D[500]<=>W.X.Y.Z[500] b59b1db291961fcf:0000000000000000
Oct/10/2018 15:09:51 ipsec,debug ===== received 108 bytes from W.X.Y.Z[500] to A.B.C.D[500]
Oct/10/2018 15:09:51 ipsec,debug begin.
Oct/10/2018 15:09:51 ipsec,debug seen nptype=1(sa) len=60
Oct/10/2018 15:09:51 ipsec,debug seen nptype=13(vid) len=20
Oct/10/2018 15:09:51 ipsec,debug succeed.
Oct/10/2018 15:09:51 ipsec received Vendor ID: FRAGMENTATION
Oct/10/2018 15:09:51 ipsec,debug total SA len=56
Oct/10/2018 15:09:51 ipsec,debug 00000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004
Oct/10/2018 15:09:51 ipsec,debug 00015180 80010007 800e0100 80030003 80020002 80040002
Oct/10/2018 15:09:51 ipsec,debug begin.
Oct/10/2018 15:09:51 ipsec,debug seen nptype=2(prop) len=48
Oct/10/2018 15:09:51 ipsec,debug succeed.
Oct/10/2018 15:09:51 ipsec,debug proposal #1 len=48
Oct/10/2018 15:09:51 ipsec,debug begin.
Oct/10/2018 15:09:51 ipsec,debug seen nptype=3(trns) len=40
Oct/10/2018 15:09:51 ipsec,debug succeed.
Oct/10/2018 15:09:51 ipsec,debug transform #1 len=40
Oct/10/2018 15:09:51 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
Oct/10/2018 15:09:51 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
Oct/10/2018 15:09:51 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
Oct/10/2018 15:09:51 ipsec,debug encryption(aes)
Oct/10/2018 15:09:51 ipsec,debug type=Key Length, flag=0x8000, lorv=256
Oct/10/2018 15:09:51 ipsec,debug type=Authentication Method, flag=0x8000, lorv=RSA signatures
Oct/10/2018 15:09:51 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
Oct/10/2018 15:09:51 ipsec,debug hash(sha1)
Oct/10/2018 15:09:51 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Oct/10/2018 15:09:51 ipsec,debug dh(modp1024)
Oct/10/2018 15:09:51 ipsec,debug pair 1:
Oct/10/2018 15:09:51 ipsec,debug  0x80b77d8: next=(nil) tnext=(nil)
Oct/10/2018 15:09:51 ipsec,debug proposal #1: 1 transform
Oct/10/2018 15:09:51 ipsec,debug prop#=1, prot-id=ISAKMP, spi-size=0, #trns=1
Oct/10/2018 15:09:51 ipsec,debug trns#=1, trns-id=IKE
Oct/10/2018 15:09:51 ipsec,debug type=Life Type, flag=0x8000, lorv=seconds
Oct/10/2018 15:09:51 ipsec,debug type=Life Duration, flag=0x0000, lorv=4
Oct/10/2018 15:09:51 ipsec,debug type=Encryption Algorithm, flag=0x8000, lorv=AES-CBC
Oct/10/2018 15:09:51 ipsec,debug type=Key Length, flag=0x8000, lorv=256
Oct/10/2018 15:09:51 ipsec,debug type=Authentication Method, flag=0x8000, lorv=RSA signatures
Oct/10/2018 15:09:51 ipsec,debug type=Hash Algorithm, flag=0x8000, lorv=SHA
Oct/10/2018 15:09:51 ipsec,debug type=Group Description, flag=0x8000, lorv=1024-bit MODP group
Oct/10/2018 15:09:51 ipsec,debug Compared: Local:Peer
Oct/10/2018 15:09:51 ipsec,debug (lifetime = 86400:86400)
Oct/10/2018 15:09:51 ipsec,debug (lifebyte = 0:0)
Oct/10/2018 15:09:51 ipsec,debug enctype = AES-CBC:AES-CBC
Oct/10/2018 15:09:51 ipsec,debug (encklen = 256:256)
Oct/10/2018 15:09:51 ipsec,debug hashtype = SHA:SHA
Oct/10/2018 15:09:51 ipsec,debug authmethod = RSA signatures:RSA signatures
Oct/10/2018 15:09:51 ipsec,debug dh_group = 1024-bit MODP group:1024-bit MODP group
Oct/10/2018 15:09:51 ipsec,debug an acceptable proposal found.
Oct/10/2018 15:09:51 ipsec,debug dh(modp1024)
Oct/10/2018 15:09:51 ipsec,debug agreed on RSA signatures auth.
Oct/10/2018 15:09:51 ipsec,debug ===
Oct/10/2018 15:09:51 ipsec,debug dh(modp1024)
Oct/10/2018 15:09:51 ipsec,debug compute DH's private.
Oct/10/2018 15:09:51 ipsec,debug 4b7ad2a8 38cd6790 92d3c589 c8b4957f 8be5dcf5 f44c209c 5e2d4f33 57aafdbf
Oct/10/2018 15:09:51 ipsec,debug 7fea7fef 8a287bec e3659384 60ecaeed ed1bb86b d218b915 19de2362 f7745ce1
Oct/10/2018 15:09:51 ipsec,debug 1b93d575 7df13e51 7802b03b a0973ef5 e3cb0d9b b8cd1fcb 48ed59aa 5652525a
Oct/10/2018 15:09:51 ipsec,debug 86654618 17dfa9b5 2b292185 f67d831d 320a6b0e 99393df6 b2e8f0a7 134796bb
Oct/10/2018 15:09:51 ipsec,debug compute DH's public.
Oct/10/2018 15:09:51 ipsec,debug 6632f81b 60eae36d 8afe35dc ba1a99dd 3ddea473 97ace97d 31d74585 a252f81e
Oct/10/2018 15:09:51 ipsec,debug 9d4762f0 da740ee7 6829573b 83b10084 515780b6 435f00ed 0331462b 0930faaa
Oct/10/2018 15:09:51 ipsec,debug 42c11574 566caab4 e3229415 1172263c 076eecb8 4434ebdf 4fd108e2 89ebdf08
Oct/10/2018 15:09:51 ipsec,debug 55ee3d9c 75cf383f a844bc9a a56c840f 90bdfe55 52f5ef28 de48e499 703fef2d
Oct/10/2018 15:09:51 ipsec,debug add payload of len 128, next type 10
Oct/10/2018 15:09:51 ipsec,debug add payload of len 24, next type 0
Oct/10/2018 15:09:51 ipsec,debug 188 bytes from A.B.C.D[500] to W.X.Y.Z[500]
Oct/10/2018 15:09:51 ipsec,debug 1 times of 188 bytes message will be sent to W.X.Y.Z[500]
Oct/10/2018 15:09:51 ipsec sent phase1 packet A.B.C.D[500]<=>W.X.Y.Z[500] b59b1db291961fcf:7b0dba670170175f
Oct/10/2018 15:09:51 ipsec,debug ===== received 514 bytes from W.X.Y.Z[500] to A.B.C.D[500]
Oct/10/2018 15:09:51 ipsec,debug begin.
Oct/10/2018 15:09:51 ipsec,debug seen nptype=4(ke) len=132
Oct/10/2018 15:09:51 ipsec,debug seen nptype=10(nonce) len=24
Oct/10/2018 15:09:51 ipsec,debug seen nptype=7(cr) len=37
Oct/10/2018 15:09:51 ipsec,debug seen nptype=7(cr) len=37
Oct/10/2018 15:09:51 ipsec,debug seen nptype=7(cr) len=37
Oct/10/2018 15:09:51 ipsec,debug seen nptype=7(cr) len=37
Oct/10/2018 15:09:51 ipsec,debug seen nptype=7(cr) len=43
Oct/10/2018 15:09:51 ipsec,debug seen nptype=7(cr) len=43
Oct/10/2018 15:09:51 ipsec,debug seen nptype=7(cr) len=33
Oct/10/2018 15:09:51 ipsec,debug seen nptype=7(cr) len=29
Oct/10/2018 15:09:51 ipsec,debug seen nptype=7(cr) len=29
Oct/10/2018 15:09:51 ipsec,debug seen nptype=7(cr) len=5
Oct/10/2018 15:09:51 ipsec,debug succeed.
Oct/10/2018 15:09:51 ipsec,debug CR saved:
Oct/10/2018 15:09:51 ipsec,debug 301e311c 301a0603 55040a13 1343502e 63702e70 76782e72 752e6a69 75756872
Oct/10/2018 15:09:51 ipsec Invalid CR type 7
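The log above ends with ten Certificate Request (CR) payloads (nptype=7) and a 32-byte "CR saved" dump. The following decoder is an added example, not code from the thread or from RouterOS: it parses the ISAKMP CR payload layout from RFC 2408 (generic header, one certificate-encoding-type byte, then the DER-encoded CA distinguished name) and labels the encoding byte using the RFC 2408 table, in which value 7 is "Certificate Revocation List (CRL)". The sample payloads are constructed here around the dumped 32 bytes (which decode to the DN `O=CP.cp.pvx.ru.jiuuhr`); the assumption that a racoon-style responder accepts only encoding type 4 (X.509 signature) and that the number in "Invalid CR type N" is that encoding byte is mine, not stated by the thread.

```python
"""Decode IKEv1 Certificate Request (CR) payloads (RFC 2408, section 3.10).

Added example; not part of the forum thread or of RouterOS. It walks a
chain of CR payloads, reads the certificate-encoding-type byte and decodes
the DER CA name that follows it.
"""
import struct

# RFC 2408 section 3.9, Certificate Encoding values.
CERT_ENCODING = {
    0: "NONE", 1: "PKCS#7 wrapped X.509", 2: "PGP", 3: "DNS Signed Key",
    4: "X.509 Certificate - Signature", 5: "X.509 Certificate - Key Exchange",
    6: "Kerberos Tokens", 7: "Certificate Revocation List (CRL)",
    8: "Authority Revocation List (ARL)", 9: "SPKI Certificate",
    10: "X.509 Certificate - Attribute",
}
# Assumption: a racoon-style responder only honours X.509 signature requests.
ACCEPTED_CR_TYPES = {4}
# Common X.500 attribute OIDs, enough for typical CA subject names.
DN_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
           "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
ISAKMP_NPTYPE_CR = 7


def _tlv(buf, pos):
    """Read one DER TLV (definite length) at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid_to_str(raw):
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)


def decode_dn(der):
    """DER Name (SEQUENCE OF SET OF {OID, value}) -> 'O=x,CN=y'."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn_set, pos = _tlv(body, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _tlv(rdn_set, 0)          # first AttributeTypeAndValue
        _, oid_raw, p = _tlv(atv, 0)
        _, val, _ = _tlv(atv, p)
        oid = _oid_to_str(oid_raw)
        rdns.append(f"{DN_OIDS.get(oid, oid)}={val.decode('utf-8', 'replace')}")
    return ",".join(rdns)


def build_cr_payload(next_payload, enc_type, ca_der):
    """Generic header (next, reserved, length) + encoding type + CA name."""
    return struct.pack("!BBH", next_payload, 0, 5 + len(ca_der)) + bytes([enc_type]) + ca_der


def parse_cr_chain(buf):
    """Parse consecutive CR payloads; stop when next-payload is no longer CR."""
    results, pos, next_payload = [], 0, ISAKMP_NPTYPE_CR
    while next_payload == ISAKMP_NPTYPE_CR and pos < len(buf):
        next_payload, _reserved, length = struct.unpack("!BBH", buf[pos:pos + 4])
        if length < 5 or pos + length > len(buf):
            raise ValueError("bad CR payload length")
        enc_type, ca_der = buf[pos + 4], buf[pos + 5:pos + length]
        results.append({
            "len": length,
            "cert_type": enc_type,
            "cert_type_name": CERT_ENCODING.get(enc_type, "RESERVED"),
            "ca_dn": decode_dn(ca_der) if ca_der else "",
            "accepted": enc_type in ACCEPTED_CR_TYPES,
        })
        pos += length
    return results


# Constructed sample: the 32 bytes dumped after "CR saved:" in the log above,
# wrapped in two CR payloads (37 bytes each, like the log's len=37 entries)
# and a final empty one (5 bytes, like the log's len=5 entry).
CA_DER = bytes.fromhex("301e311c301a060355040a131343502e63702e7076782e72752e6a6975756872")
SAMPLE_CHAIN = (build_cr_payload(7, 7, CA_DER)     # CRL request: rejected
                + build_cr_payload(7, 4, CA_DER)   # X.509 signature: accepted
                + build_cr_payload(0, 4, b""))     # empty CA name, last payload


def first_rejected(buf):
    """Return the first CR the responder would refuse, or None."""
    return next((cr for cr in parse_cr_chain(buf) if not cr["accepted"]), None)


if __name__ == "__main__":
    for cr in parse_cr_chain(SAMPLE_CHAIN):
        print(cr)
```

Running the block prints one line per CR payload; the first one carries encoding type 7 and the decoded CA name, which is the shape of payload a responder that only understands X.509 signature requests would reject before the certificate exchange continues.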

It seems that CheckPoint’s formatting of at least one of the Certificate Request (CR) payloads in the message is different from what Mikrotik expects/supports.

To have at least a chance of getting that analysed and eventually fixed, you have to remove !packet from the topics list in /system logging so that the binary data of the packet is logged as well, try to establish the connection once again, and send the log to support@mikrotik.com for analysis (along with the configuration and other information as a supout.rif file). Sniffing the exchange into a file may be a good add-on to the above.

You may also post the log here, but be aware that the real IP addresses and other identifiers may be present in the raw packet data.

Found the solution myself. Saving it for future generations :smiley:
The CA certificate on Checkpoint should be stored as “OPSEC PKI”. Moreover, for self-signed certificates CRL retrieval may be turned off.
[Screenshot attachment: CP17.png]