IPSec phase 2 setup problem Check Point R55 and 1841 router

mshickell
Level 1

I'm struggling to get the phase 2 working and the error message seems clear enough

no IPSEC cryptomap exists for local address 217.204.143.226

The only discrepancy that I can find is that the inbound phase 2 proposal has lifedur= 0s and 0kb, which I cannot set on the Cisco as the IOS won't take zero values. To muddy the waters further, I've found debug outputs on other websites which also have lifedur= 0s and 0kb early in the phase 2 that complete OK!

Also what does type=1 mean below? The web outputs seem to be mostly type=4

Can anyone shed some light on this or see anything I can't?

For info the IOS will be upgraded to the (16) version this weekend...

Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(1a),

Aug 22 11:45:11: ISAKMP:(0:2:SW:1):Checking IPSec proposal 1
Aug 22 11:45:11: ISAKMP: transform 1, ESP_3DES
Aug 22 11:45:11: ISAKMP: attributes in transform:
Aug 22 11:45:11: ISAKMP: encaps is 1 (Tunnel)
Aug 22 11:45:11: ISAKMP: SA life type in seconds
Aug 22 11:45:11: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
Aug 22 11:45:11: ISAKMP: SA life type in kilobytes
Aug 22 11:45:11: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Aug 22 11:45:11: ISAKMP: authenticator is HMAC-MD5
Aug 22 11:45:11: ISAKMP:(0:2:SW:1):atts are acceptable.
Aug 22 11:45:11: IPSEC(validate_proposal_request): proposal part #1,
    (key eng. msg.) INBOUND local= 217.204.143.226, remote= 194.63.35.25,
    local_proxy= 217.204.143.226/255.255.255.255/0/0 (type=1),
    remote_proxy= 194.63.35.25/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Aug 22 11:45:11: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 217.204.143.226
Aug 22 11:45:11: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
Aug 22 11:45:11: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local 217.204.143.226 remote 194.63.35.25)

Crypto Map "VPN" 500 ipsec-isakmp
    Description: Tunnel VPN to BAA Heathrow
    Peer = 194.63.35.25
    Extended IP access list TO-HEATHROW1_acl
        access-list TO-HEATHROW1_acl permit ip host 217.204.143.226 host 194.63.35.25
        access-list TO-HEATHROW1_acl permit ip 10.208.254.0 0.0.0.127 10.8.25.0 0.0.0.31
    Current peer: 194.63.35.25
    Security association lifetime: 4608000 kilobytes/86400 seconds
    PFS (Y/N): N
    Transform sets={
        trans-2,
    }
Transform set trans-2: { esp-3des esp-md5-hmac }
    will negotiate = { Tunnel, },
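The two things the post asks about can be read straight off the debug. The "SA life duration (VPI)" attribute is a big-endian integer printed one byte at a time: 0x0 0x1 0x51 0x80 is 86400 seconds and 0x0 0x46 0x50 0x0 is 4608000 kilobytes, exactly the lifetimes configured on the crypto map. The "(type=N)" on the proxy identities is the RFC 2407 identification type: type=1 is ID_IPV4_ADDR (a single host), type=4 is ID_IPV4_ADDR_SUBNET (address plus mask), so host-to-host ACL lines produce type=1 and subnet lines produce type=4. The following script is an added example, not code from the thread: it decodes those attributes from the posted debug lines, parses the posted crypto ACL, and checks whether the proposed proxy pair is covered by it. The debug text and ACL are copied from the post; every function name is the example's own.

```python
import ipaddress
import re

# Identification payload types, RFC 2407 section 4.6.2.1.  IOS prints the
# proxy identity type as "(type=N)" in the key engineering message.
ID_TYPES = {
    1: "ID_IPV4_ADDR",         # a single host address
    2: "ID_FQDN",
    3: "ID_USER_FQDN",
    4: "ID_IPV4_ADDR_SUBNET",  # an address plus a mask
    7: "ID_IPV4_ADDR_RANGE",
}

# Constructed from the debug lines in the post (timestamps dropped).
DEBUG = """\
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
local_proxy= 217.204.143.226/255.255.255.255/0/0 (type=1),
remote_proxy= 194.63.35.25/255.255.255.255/0/0 (type=1),
"""

# The crypto ACL from the post's "show crypto map" output.
ACL = [
    "permit ip host 217.204.143.226 host 194.63.35.25",
    "permit ip 10.208.254.0 0.0.0.127 10.8.25.0 0.0.0.31",
]


def decode_life_duration(vpi):
    """'0x0 0x1 0x51 0x80' -> 86400: the attribute is a big-endian integer
    that the debug prints byte by byte."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big")


def parse_proposal(text):
    """Pull lifetimes and proxy identities out of the debug output."""
    out, pending_unit = {}, None
    for line in text.splitlines():
        m = re.search(r"SA life type in (\w+)", line)
        if m:
            pending_unit = m.group(1)  # "seconds" or "kilobytes"
            continue
        m = re.search(r"SA life duration \(VPI\) of (.+)$", line)
        if m and pending_unit:
            out[pending_unit] = decode_life_duration(m.group(1))
            pending_unit = None
            continue
        m = re.search(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+) \(type=(\d+)\)", line)
        if m:
            side, addr, mask, proto, port, idtype = m.groups()
            out[side] = {
                "net": ipaddress.ip_network(f"{addr}/{mask}", strict=False),
                "proto": int(proto),
                "port": int(port),
                "id_type": ID_TYPES.get(int(idtype), f"unknown({idtype})"),
            }
    return out


def _acl_operand(tokens):
    """Consume one ACL address operand; return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of the netmask.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acl(lines):
    """'permit ip <src> <dst>' lines -> list of (src_net, dst_net)."""
    entries = []
    for line in lines:
        t = line.split()
        if t[:2] != ["permit", "ip"]:
            continue
        src, rest = _acl_operand(t[2:])
        dst, _ = _acl_operand(rest)
        entries.append((src, dst))
    return entries


def matching_acl_line(proposal, acl_entries):
    """Index of the first ACL line covering the proposed proxy pair, or None."""
    for i, (src, dst) in enumerate(acl_entries):
        if proposal["local"]["net"].subnet_of(src) and proposal["remote"]["net"].subnet_of(dst):
            return i
    return None


def check_proposal(debug=DEBUG, acl=ACL, map_seconds=86400, map_kilobytes=4608000):
    """Compare what the peer proposed with what the crypto map is configured for."""
    p = parse_proposal(debug)
    return {
        "seconds": p["seconds"],
        "kilobytes": p["kilobytes"],
        "lifetime_matches_map": p["seconds"] == map_seconds and p["kilobytes"] == map_kilobytes,
        "local_id_type": p["local"]["id_type"],
        "remote_id_type": p["remote"]["id_type"],
        "acl_line": matching_acl_line(p, parse_acl(acl)),
    }


if __name__ == "__main__":
    for key, value in check_proposal().items():
        print(f"{key}: {value}")
```

Run against the posted output, the proposal decodes to 86400 s / 4608000 KB (identical to the crypto map) and the host-to-host proxy pair is covered by the first ACL line, so neither the lifetime nor the proxy identities explain the rejection; that is consistent with the thread's outcome, where the cause was leftover configuration on a tunnel interface rather than the proposal itself. The "lifedur= 0s and 0kb" printed in the key engineering message is a separate field from the decoded attribute bytes above and is not what this check uses.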

3 Replies

froggy3132000
Level 3

You have both peers in the encryption domain, is there a reason for that?

Are you able to verify the parameters on the CKP side?

Testing purposes only. The Check Point parameters seem fine. Even though the phase 2 lifetime is set to 3600 secs (no bytes parameter to be found), the trace on the Cisco still shows lifetime as 0 sec/bytes. Not sure if this is a red herring, but the router is requesting the right parameters according to the debugs.

Problem turned out to be some old config within a tunnel interface. This was one tack which was tried before but not properly deleted.

Deleted the tunnel interface and the SA came up straight away!
