need help with vpn issue

Unanswered Question
Apr 11th, 2007

I am not real familiar with networking so I may not have the correct terms here. I am trying to set up a VPN between 2 checkpoint routers but can't make it work through a cisco 2620. Location one has just a checkpoint connected to the internet. Location 2 has a checkpoint behind a cisco 2620 connected to the internet. We opened all ports we thought we needed on the cisco but can't make it work. Something keeps getting blocked and the VPN never connects. Can I make this work with the cisco or am I out of luck?

owaisberg Wed, 04/11/2007 - 10:16

My understanding is that your setup is:

---(Internet)---

If yes, first make sure you have reachability from FW1 to FW2. If there is one, create a VPN site-to-site connection on both Firewalls and watch SmartView Tracker on why the tunnel is failing to establish.

HTH,

OW

billfaith Wed, 04/11/2007 - 11:49

Close, it's like this with only one cisco.

---(Internet)--

These are checkpoint Safe@Office appliances so they don't have advanced logging capabilities. The checkpoint behind the cisco can get out to the internet. When trying to establish a VPN from Safe@Office to Safe@Office it fails. We took the Safe@Office that's behind the cisco and hooked it up direct to another internet connection and the VPN works. But when hooked up behind the cisco, it fails.

billfaith Fri, 04/13/2007 - 11:40

Hello

I have not gotten the config file yet but am told the OS version is 12.2(7b). Is there any limitation on this version for accomplishing what I need? The router is a little older.

billfaith Mon, 04/16/2007 - 11:24

I got my config file. Am I safe putting my config file on here with my IP addresses or should I change the public ones?

billfaith Mon, 04/16/2007 - 12:37

OK, here it is.

clcinternet1#sho run
Building configuration...

Current configuration : 3213 bytes
!
! Last configuration change at 14:07:43 edt Fri Apr 6 2007 by NAVY
!
version 12.2
service nagle
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname clcinternet1
!
logging buffered 4096 debugging
aaa new-model
aaa authentication login default local-case
aaa authentication enable default enable
aaa authentication ppp default local-case
aaa authorization exec default local
aaa authorization network default local
!
clock timezone est -5
clock summer-time edt recurring
ip subnet-zero
!
!
ip name-server 207.54.159.4
ip name-server 207.54.159.2
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 description APK T1
 ip address 207.54.1.1 255.255.255.252
 ip nat outside
 no ip mroute-cache
 no fair-queue
 service-module t1 timeslots 1-24
 no cdp enable
!
ip local pool default 172.16.0.240 172.16.0.249
ip nat inside source list 1 interface Serial0/0 overload
ip nat inside source static 172.16.0.3 207.54.1.3
ip nat inside source static 172.16.0.4 207.54.1.41
ip classless
ip route 0.0.0.0 0.0.0.0 207.54.170.22
ip route 192.168.1.0 255.255.255.0 172.16.0.3
no ip http server
ip pim bidir-enable
!
!
ip access-list extended WAN_IN
 permit tcp any host 207.54.1.1 eq telnet
 permit tcp any host 207.54.1.3 eq smtp
 permit tcp any host 207.54.1.3 eq pop3
 permit tcp any host 207.54.1.3 eq ftp
 permit tcp any host 207.54.1.3 eq ftp-data
 permit tcp any host 207.54.1.3 eq www
 permit tcp any host 207.54.1.3 eq 8080
 permit esp any host 207.54.1.4
 permit udp any host 207.54.1.4 eq 4500
 permit udp any host 207.54.1.4 eq isakmp
 permit tcp any host 207.54.1.4 eq www
 permit tcp any host 207.54.1.4 eq 50
 permit tcp any host 207.54.1.4 eq 51
 permit gre any host 207.54.1.4
 permit udp any host 207.54.1.4 eq 2746
 permit tcp any host 207.54.1.4 eq 264
 permit udp any host 207.54.1.4 eq 259
 permit udp host 18.26.1.1 eq ntp any
 permit tcp any host 207.54.1.3 gt 1024
 permit udp any host 207.54.1.3 gt 1024
 permit tcp any host 207.54.1.1 gt 1024 established
 permit udp any host 207.54.1.1 gt 1024
 permit tcp any 207.54.1.2 0.0.0.3 eq 1723
 permit tcp any 207.54.1.2 0.0.0.7 eq 1701
 permit tcp any 207.54.1.2 0.0.0.7 eq 1723
 permit tcp any 207.54.1.2 0.0.0.7 eq 5631
 permit tcp any 207.54.1.2 0.0.0.7 eq 5632
 permit gre any 207.54.1.3 0.0.0.3
 permit gre any 207.54.1.2 0.0.0.7
 permit icmp any any
access-list 1 deny 172.16.0.4
access-list 1 deny 172.16.0.3
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
snmp-server engineID local xxx
snmp-server community xxx
snmp-server community xxx
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
ntp clock-period 17180607
ntp server 18.26.4.105
end

vlichina0605 Tue, 04/17/2007 - 02:31

Hi, maybe the check-point VPN can not support NAT traversal. So just remove NAT and test it.

billfaith Tue, 04/17/2007 - 05:19

Hi, thanks. The only thing I see in my checkpoint VPN setup about NAT is a checkbox to "Bypass NAT". I have turned that option on and off with no success. I was reading about NAT transparency on cisco's site and saw that it said passing IPsec VPN info isn't supported until version 12.2(13T) and I have 12.2(7B). I have no idea if this is my issue but maybe?

vlichina0605 Wed, 04/18/2007 - 22:30

Hi Billfaith, you should make sure that the Checkpoint VPN is your VPN device, not the Cisco. Your cisco 2610 router is just a connecting router with NAT before your VPN device. So if your VPN device supports NAT traversal, it can traverse your cisco router (NAT device) and establish the IPSec session successfully. If it can not support that, your network configuration will not work unless there is no NAT device between the two VPN devices.

owaisberg Thu, 04/19/2007 - 12:18

Can you post output from the "show version" command from your cisco router?

Thanks,

OW

billfaith Tue, 04/24/2007 - 05:55

They tell me the checkpoint will do NAT traversal automatically if it needs to.

glenthms Thu, 04/19/2007 - 15:31

Bill, have you tried to just allow all traffic in to the NAT IP of your internal FW? Does protocol ESP need to be there?

billfaith Tue, 04/24/2007 - 05:54

Here is the show version output. I believe we had an allow all statement pointing to our checkpoint fw. I will need to check. My helper disconnected the checkpoint and is gone today so I can't try the VPN connection.

Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(7b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 05-Mar-02 07:30 by pwade
Image text-base: 0x80008088, data-base: 0x81071B70

ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)

clc uptime is 3 weeks, 5 days, 16 hours, 47 minutes
System returned to ROM by power-on
System restarted at 16:00:38 est Wed Mar 28 2007
System image file is "flash:c2600-is-mz.122-7b.bin"

cisco 2620 (MPC860) processor (revision 0x102) with 45056K/4096K bytes of memory.
Processor board ID JAD042107TW (506410786)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

palukuri77 Tue, 04/24/2007 - 08:48

Hi Bill,

Please try to repeat the process by removing the ACL on the router. It should be like the router is used as a device for internet access, that's it, no control on it.

With this you can isolate whether the problem is from the router or not.

mohmmad.imran Tue, 04/24/2007 - 14:28

Hi All,

Please correct me if I mentioned something wrong, considering the Checkpoints as the VPN end points.

In your router configuration pasted above, it shows that you only defined the access-list but you are not applying it to any interface.

What I would suggest is to troubleshoot the issue in two steps:

1) Confirm your router is performing the NAT:

a) Remove the access-list.

b) Ping the source and destination of the IPsec peer from both ends; if you are able to ping, that means the router is performing NAT without any problem.

c) If you are not able to ping the source and destination of the IPsec peer, then we need to check what exactly the router is doing when it gets the packet:

# debug ip nat

# perform a ping between the end points and paste the output so that everyone can have a look at it and suggest what the next step would be.

2) Assuming the router performs NAT, then you should concentrate on your firewall.

I am not familiar with checkpoint but the IPsec terminology will be the same for all the vendors.

a) First make sure you have the same ISAKMP policy for phase-I negotiation on both ends.

b) Make sure you have the same transform-set on both ends.

c) Most important: check that the crypto-protected address spaces on both end points are the same.

The protected address space must match on both the VPN endpoints to establish the IPsec SA.

Imran
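As an added example (not from anyone in this thread, nor from Cisco or Check Point), here is a small Python check run over a constructed excerpt of the config posted above: it finds the static NAT entry for the inside VPN device, checks that the WAN_IN ACL is actually applied to an interface (Imran's point), and checks that ESP, UDP 500 and UDP 4500 are permitted to the NATed public address. On the posted lines it reports that the ACL is not applied, that "tcp ... eq 50/51" uses IP protocol numbers as TCP ports, and that the ACL names 207.54.1.4 while the static NAT maps 172.16.0.4 to 207.54.1.41.

```python
import re

# Constructed excerpt of the IOS config posted in this thread (NAT, ACL and outside
# interface lines only), not the full running-config.
SAMPLE_CONFIG = """\
interface Serial0/0
 ip address 207.54.1.1 255.255.255.252
 ip nat outside
!
ip nat inside source static 172.16.0.3 207.54.1.3
ip nat inside source static 172.16.0.4 207.54.1.41
ip access-list extended WAN_IN
 permit esp any host 207.54.1.4
 permit udp any host 207.54.1.4 eq 4500
 permit udp any host 207.54.1.4 eq isakmp
 permit tcp any host 207.54.1.4 eq 50
 permit tcp any host 207.54.1.4 eq 51
"""
# Inbound flows a NAT-T capable IPsec peer needs: ESP, IKE (UDP 500) and NAT-T (UDP 4500).
IPSEC_FLOWS = {("esp", None), ("udp", "isakmp"), ("udp", "4500")}
# 50 and 51 are the IP protocol numbers of ESP and AH; as TCP ports they match nothing useful.
PROTO_AS_PORT = {"50": "esp", "51": "ahp"}

def audit_ipsec_passthrough(config, inside_vpn_host):
    """Return (findings, ok) for IPsec reachability of inside_vpn_host via its static NAT."""
    findings, public = [], None
    for m in re.finditer(r"^ip nat inside source static (\S+) (\S+)$", config, re.M):
        if m.group(1) == inside_vpn_host:
            public = m.group(2)
    acl = re.search(r"^ip access-list extended (\S+)\n((?: .*\n)+)", config, re.M)
    if public is None or acl is None:
        return [f"need a static NAT entry for {inside_vpn_host} and an extended ACL"], False
    name, body = acl.groups()
    if not re.search(rf"^ ip access-group {name} in$", config, re.M):
        findings.append(f"ACL {name} is defined but not applied inbound on any interface")
    permitted = set()
    for line in body.splitlines():
        m = re.match(r" permit (\S+) any host (\S+)(?: eq (\S+))?$", line)
        if m is None:
            continue
        proto, dst, port = m.groups()
        if proto == "tcp" and port in PROTO_AS_PORT:
            findings.append(f"'{line.strip()}': {port} is IP protocol {PROTO_AS_PORT[port]}, not a TCP port")
        if dst == public:
            permitted.add((proto, port))
    missing = sorted(IPSEC_FLOWS - permitted, key=str)
    if missing:
        findings.append(f"{inside_vpn_host} is NATed to {public}, but ACL {name} does not permit {missing} to it")
    return findings, not findings
```

Calling audit_ipsec_passthrough(SAMPLE_CONFIG, "172.16.0.4") returns four findings; the same check passes once the ACL is applied inbound on Serial0/0, the tcp 50/51 lines are dropped, and the NAT and ACL agree on one public address.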
