IPSec phase 2 setup problem Check Point R55 and 1841 router

Unanswered Question
Aug 24th, 2007

I'm struggling to get the phase 2 working and the error message seems clear enough

no IPSEC cryptomap exists for local address 217.204.143.226

The only discrepancy that I can fine is that the inbound phase 2 proposal has lifedur= 0s and 0kb which I cannot set on the Cisco as the IOS won't take zero values. To muddy the waters further I've found debug outputs on other websites which also have lifedur= 0s and 0kb early in the phase 2 that complete OK!

Also what does type=1 mean below? The web outputs seem to be mostly type=4

Can anyone shed some light on this ro see anything I can't?

For info the IOS will be upgraded to the (16) version this weekend...

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(1a),

Aug 22 11:45:11: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1

Aug 22 11:45:11: ISAKMP: transform 1, ESP_3DES

Aug 22 11:45:11: ISAKMP: attributes in transform:

Aug 22 11:45:11: ISAKMP: encaps is 1 (Tunnel)

Aug 22 11:45:11: ISAKMP: SA life type in seconds

Aug 22 11:45:11: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

Aug 22 11:45:11: ISAKMP: SA life type in kilobytes

Aug 22 11:45:11: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0

Aug 22 11:45:11: ISAKMP: authenticator is HMAC-MD5

Aug 22 11:45:11: ISAKMP:(0:2:SW:1):atts are acceptable.

Aug 22 11:45:11: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 217.204.143.226, remote= 194.63.35.25,

local_proxy= 217.204.143.226/255.255.255.255/0/0 (type=1),

remote_proxy= 194.63.35.25/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2

Aug 22 11:45:11: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 217.204.143.226

Aug 22 11:45:11: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal

Aug 22 11:45:11: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 217.204.143.226 remote 194.63.35.25)

Crypto Map "VPN" 500 ipsec-isakmp

Description: Tunnel VPN to BAA Heathrow

Peer = 194.63.35.25

Extended IP access list TO-HEATHROW1_acl

access-list TO-HEATHROW1_acl permit ip host 217.204.143.226 host 194.63.35.25

access-list TO-HEATHROW1_acl permit ip 10.208.254.0 0.0.0.127 10.8.25.0 0.0.0.31

Current peer: 194.63.35.25

Security association lifetime: 4608000 kilobytes/86400 seconds

PFS (Y/N): N

Transform sets={

trans-2,

}

Transform set trans-2: { esp-3des esp-md5-hmac }

will negotiate = { Tunnel, },

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
froggy3132000 Fri, 08/24/2007 - 09:19

You have both peers in the encryption domain, is there a reason for that?

ARe you able to verify the paramaters on the CKP side?

mshickell Fri, 08/24/2007 - 22:18

Testing purposes only. The checkpoint parameters seem fine. even though the phase 2 lifetime is set to 3600 secs (no bytes parameter to be found) the trace on the Cisco still shows lifetime as 0 sec/bytes. Not sure if this is a red herring but the router is requesting the right parameters according to the debugs.

mark_shickell Wed, 09/05/2007 - 23:04

Problem turned out to be some old config within a tunnel interface. This was one tack which was tried before but not properly deleted.

Deleted the tunnel interface and the SA came up straight away!

Actions

This Discussion