problems with site to site VPN

Nov 27th, 2007

Hi there, I have a problem with a site-to-site connection with a company we work with. The company works with a Checkpoint NGX R65 and we work with a Pix. The thing is that the VPN comes up. I can ping hosts at the company side and traffic is flowing. The company cannot access us; only when we start a ping from our side, only after that, can they access us. We also get some socket errors on one of our apps when connecting to them.

I have debug logs attached. One is when we are sending pings to them (debug ourside.txt) and one where they are sending pings to us (debug company ping.txt).

kevin.jones1 Tue, 11/27/2007 - 13:46


The solution is a very simple one.

1) Make sure that you do not NAT inside the VPN tunnel on the Checkpoint side. In the Checkpoint VPN community (I am assuming that you're using simplified mode), there is a check box that tells you to disable NAT inside the VPN tunnel.

2) Checkpoint will tend to supernet the interesting traffic whenever possible. I am suspecting that is the case because it only works once you start pinging the other side. When the tunnel times out, it will not work if traffic is initiated from the other side. To fix this, please advise the other company to do the following: in the VPN community properties, go to Tunnel Management, look into the "VPN Tunnel Sharing" and select "one VPN tunnel per each pair of hosts". The default is "one VPN tunnel per subnet pair". After that, push the policy and it will likely work. This method is not efficient, but this method is widely used when setting up a VPN between Checkpoint and Cisco/Juniper.

Finally, if all else fails, you may have to go into the $FWDIR/lib of the CMA or management and modify the user.def file.

Let me know if it works for you.

greg-bnets Wed, 11/28/2007 - 06:40


Thanks for your reply. I contacted the company but still the same result. Only after I started pinging could they ping us. Before that they would get "no valid SA" in their log, but nothing showing up in the debug on my side. Attached is the complete debug from when we tested just now.

kevin.jones1 Wed, 11/28/2007 - 08:02

The problem is that you have phase II mismatched when Checkpoint initiates traffic first:

(key eng. msg.) dest=, src= 200.x.x.138, dest_proxy= MNS/ (type=1), src_proxy= DIGICELNW1/ (type=4), protocol= ESP, transform= esp-3des esp-sha-hmac ,

I've been working with both Checkpoint firewalls and Cisco Pix/IOS for about 7 years now, and Checkpoint is doing supernetting on its side. That's why it fails.

Tell the folks on the Checkpoint side to run "vpn debug ikeon" and use the utility IKEView.exe to view the debug; it will tell you why it fails.

I've been working with both Checkpoint firewalls and Pix/IOS for about seven years now, and what you see is quite typical for a VPN between Checkpoint and Cisco. Use my method in the previous post and it will work.

If you want to chat, put your phone here and I will call you.
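The "(key eng. msg.)" line quoted above carries the phase II proxy identities (the traffic selectors the peer proposes in quick mode): "type=1" is a single host and "type=4" is a subnet. A supernetted proposal from the Checkpoint side is one the Pix crypto ACL has no exact entry for. The script below is an added example, not code from the thread or from either vendor: it pulls the proxy IDs out of a constructed debug excerpt modelled on that line (addresses, names and the stand-in ACL entries are all constructed) and reports whether each proposed selector exactly matches, supernets, is a subset of, or mismatches the selectors the local side expects.

```python
"""Compare IPsec phase II proxy identities from a Pix/IOS debug with the
expected encryption domain.

Added example (not from the thread).  The sample debug text and the
expected networks are constructed; the selector format "addr/mask/proto/port
(type=N)" follows the Cisco debug line quoted in the post above.
"""
import ipaddress
import re

# ISAKMP identification types seen in the "(type=N)" field (IPsec DOI, RFC 2407).
ID_TYPES = {1: "ID_IPV4_ADDR", 4: "ID_IPV4_ADDR_SUBNET"}

PROXY_RE = re.compile(
    r"(?P<side>src|dest)_proxy= (?P<addr>[\d.]+)/(?P<mask>[\d.]+)/\d+/\d+ "
    r"\(type=(?P<type>\d+)\)"
)

# Constructed sample excerpt: the Pix (dest=) is the responder, the peer
# (src=) initiated.  Documentation and RFC 1918 ranges, not the thread's.
SAMPLE_DEBUG = """\
IPSEC(key_engine): got a queue event...
IPSEC(key eng. msg.) dest= 203.0.113.19, src= 198.51.100.138,
    dest_proxy= 10.10.40.5/255.255.255.255/0/0 (type=1),
    src_proxy= 172.24.196.0/255.255.254.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
"""

# Constructed stand-in for the local crypto ACL: our host 10.10.40.5 talks
# to the remote network 172.24.197.0/24.  When the peer initiates, its
# dest_proxy must match our side and its src_proxy must match theirs.
EXPECTED = {
    "dest": [ipaddress.ip_network("10.10.40.5/32")],
    "src": [ipaddress.ip_network("172.24.197.0/24")],
}


def parse_proxies(debug_text):
    """Return {"src"|"dest": (network, id_type_name)} for each proxy ID found."""
    found = {}
    for m in PROXY_RE.finditer(debug_text):
        # strict=False tolerates host bits set in a subnet selector.
        net = ipaddress.ip_network(f"{m['addr']}/{m['mask']}", strict=False)
        found[m["side"]] = (net, ID_TYPES.get(int(m["type"]), f"type {m['type']}"))
    return found


def classify(proposed, expected_list):
    """Verdict for one proposed selector against the configured ACL entries."""
    if proposed in expected_list:
        return "exact"
    if any(e.subnet_of(proposed) for e in expected_list):
        # Peer proposes a wider range than we have configured (supernetting);
        # the Cisco side rejects this as "proxy identities not supported".
        return "supernet"
    if any(proposed.subnet_of(e) for e in expected_list):
        return "subset"
    return "mismatch"


def check_phase2(debug_text, expected=EXPECTED):
    """Return {side: (proposed_network_str, id_type, verdict)}."""
    report = {}
    for side, (net, id_type) in parse_proxies(debug_text).items():
        report[side] = (str(net), id_type, classify(net, expected[side]))
    return report


if __name__ == "__main__":
    for side, (net, id_type, verdict) in check_phase2(SAMPLE_DEBUG).items():
        print(f"{side}_proxy {net} ({id_type}): {verdict}")
```

On the constructed sample the peer's src_proxy 172.24.196.0/23 comes back as "supernet" of the expected 172.24.197.0/24, which is the one-directional symptom described in the thread: a tunnel the Pix brings up with its own narrower selector works, while the peer's wider proposal is refused. Pointing the script at real debug output only needs the expected networks swapped for the entries of the crypto ACL in use.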

greg-bnets Wed, 11/28/2007 - 13:00


Checkpoint support stated that everything is good on their side. What I forgot to mention is that my Pix is behind a router. I use a private address which I NAT to the public address of the outside interface of the router. They tell me that I have no static NAT for inbound traffic sending IPsec traffic to the Pix. Attached is the router config. Can you check it for me? The thing is, when they are trying to ping first, I don't see anything in the debug. Also, the hosts behind the firewall are NATed to 10.10.40.X, which on the router is NATed to the public address on the outside interface. So the topology is:

DMZ --> PIX --> router (3725) --> Internet --> FW Checkpoint.

Thanks for helping me out. My phone number is +597-8595355

kevin.jones1 Wed, 11/28/2007 - 13:44

OK, now I have a better picture of what you want to do.

Checkpoint TAC support is correct. In order for this to work, you need to have static NAT for inbound traffic to send traffic to the Pix. In your case, since you have NATed everything to the public address of the outside interface, you may not have any more public IP addresses available. In that case, I would do the following on the router:

ip nat inside source static udp interface FastEthernet0/1 500

ip nat inside source static esp interface FastEthernet0/1

In other words, you are telling the router to forward isakmp/500 and ESP traffic from interface F0/1 on the router to the Pix. This will allow the Checkpoint to communicate with your Pix firewall and it will work like a charm. Make sure on the Checkpoint side the Interoperable Device is set up with an IP address of 200.X.X.19. Don't forget to tell them to re-push the policy after they are done.

I learned about this method while preparing for the CCIE Security lab two years ago. Funny thing is that I am CCIE Security certified but I know more about Checkpoint technologies than I do with Cisco.

Let me know if this works for you.

greg-bnets Wed, 11/28/2007 - 15:44


You're a big help so far.

There was a typo in the command, but I changed it:

ip nat inside source static udp 500 interface FastEthernet0/1 500

instead of

ip nat inside source static udp interface FastEthernet0/1 500

It worked. Now the company can start a ping on its own. But the thing is, only one host on his side can ping me. We can't ping each other simultaneously. I also see a malformed payload in the debug. Attached is the debug file. Can you help out on this?

kevin.jones1 Wed, 11/28/2007 - 18:03

My consulting rate is $250/hour and I think the fee is quite reasonable since you're getting someone who is knowledgeable with both Cisco and Checkpoint technologies. J/K.

I am going to assume that the Checkpoint external IP address is and your Pix external IP address is . What is your interesting traffic? Show me your ACL outside1_cryptomap_20. What does the Checkpoint have defined in its local encryption domain? What is the remote encryption domain defined in the Interoperable Device for the Pix device in Checkpoint?

It looks to me like you do not have the encryption domains matching between Checkpoint and Cisco. That's why it is not working as it should.

One other thing I notice is that you should change "isakmp policy 20 lifetime 28800" to "isakmp policy 20 lifetime 86400", and "crypto map outside1_map 20 set security-association lifetime seconds 7200" to "crypto map outside1_map 20 set security-association lifetime seconds 3600", so that it will match the default setting on the Checkpoint side.

In order for me to help you, I need to see your Pix configuration ACL and the entire configuration, not piecemeal. It looks to me like you have a misconfiguration on your Pix side. Until I can see your Pix configuration, it is very hard to go on from there.

greg-bnets Thu, 11/29/2007 - 05:21


I will change the isakmp policy 20 lifetime to 86400 and the security-association lifetime seconds to 3600. Attached is my config of the Pix. The outside of the Pix is NATed to 200.X.X.19 on the router side.

I appreciate your help and I certainly know what you are worth.

kevin.jones1 Thu, 11/29/2007 - 06:47

Here is what I recommend:

1) On the Checkpoint side, tell the Checkpoint TAC person to include only host and for the encryption domain of the Pix Interoperable Device.

2) On the Checkpoint side, tell the Checkpoint TAC person to include digicel0, digicel3, digicel4, digicel5, digicelnw1 in his Checkpoint local encryption domain.

3) Make sure everything in the VPN settings matches on both sides, INCLUDING Perfect Forward Secrecy (PFS). There is a check box in the Checkpoint VPN community for that.

Looking at your configuration more carefully, what you're trying to do will not work because you're terminating the VPN on the outside1 interface ( and your interesting traffic is on and . Remember this is a Pix firewall, NOT Cisco IOS, so what you're trying to do, I do not think will work. The interesting traffic should be a network not on the same interface as outside1.

greg-bnets Thu, 11/29/2007 - 07:16


The Checkpoint is configured with VPN connections to other parties as well, so the encryption domain could not consist of only my hosts. The other settings you suggested are also in place. Host and are actually on the inside of the Pix (having NAT to and NAT to on the outside1 interface). The thing is, before we implemented the inbound NAT rule on the router we could ping each other simultaneously; only I had to start pinging first. Now only one host can ping. So this is strange.

Is there a possible workaround for this?

Thanks again

kevin.jones1 Thu, 11/29/2007 - 07:26

The Checkpoint local encryption domain can contain other networks besides and . What I am referring to is the Pix Interoperable Device encryption domain. It can contain only host and .

You said:

"Host and are actually on the inside of the pix. (having Nat to and nat to"

If that is the case then you need to REMOVE this line:

no nat (inside) 0 access-list inside_outbound_nat0_acl

because this line says NOT TO NAT and when going to the Checkpoint side. Therefore you are telling the Checkpoint side that your interesting traffic is actually and and NOT and .

Remove this line and it will work.

greg-bnets Thu, 11/29/2007 - 08:23


Here is the thing. I entered the following command on the PIX:

no nat (inside) 0 access-list inside_outbound_nat0_acl

What happens now is that I can ping for instance 172.24.197.10 (company) from and the company can ping just fine. I did this test continuously pinging to each other. Then I started to ping also. I got timeouts. Only when I closed the ping to 172.24.197.10 could I ping x.xx.199; from the company side the same. It looks like we can only ping one host at a time. Strange thing. Any thoughts on that?

kevin.jones1 Thu, 11/29/2007 - 08:42


Here is what I would do:

1) Tell the Checkpoint guy to perform "vpn tu" and clear the tunnel between the Checkpoint and the Pix.

2) What HFA is running on the Checkpoint side? Ask the TAC to run "fw ver" on the firewall modules and paste in the output.

3) Is it possible for you to ask the Checkpoint TAC person to give you the ike.elg file while this error occurs? I can debug that file and tell exactly what went


greg-bnets Thu, 11/29/2007 - 09:20


This is what I got from them:

Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) - Build 430

See the attachment also.

Thanks a million

kevin.jones1 Thu, 11/29/2007 - 11:12

Tell the Checkpoint TAC that they should be running the latest HFA, like what I have below:

[[email protected]_R65-1-P]# fw ver

This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_02, Hotfix 602 - Build 006

[[email protected]_R65-1-P]#

Furthermore, when I look at the ike.elg file, everything looks clean. There is an issue with the tunnel, but for the tunnel 200.x.x.19 it looks really clean. Both phase I and phase II look really clean, so the configuration on both the Checkpoint side and your side is correct. The one thing I am not seeing in the Checkpoint debug file is the Perfect Forward Secrecy part. Can you check with Checkpoint TAC if that is in place?

Last resort will be:

1) Upgrade Checkpoint to HFA_02. They are on HFA_0 now.

2) Upgrade your Pix 6.3(4) to 6.3(5).

Or, if you like, you can set up a VPN tunnel with me. I have a Checkpoint NGX R65 firewall, but I am running HFA_02 instead of HFA_00.

kevin.jones1 Thu, 11/29/2007 - 12:50

Your Pix configuration looks correct.

Are they running Checkpoint on SecurePlatform or a Nokia IP appliance? I remember running into this issue about two years ago, but that was between my Checkpoint NG AI firewall running on SecurePlatform and the other side was a Cisco IOS router.

I looked at the ike10.elg file and everything looks good on the Checkpoint side. Both phase I and phase II are properly exchanged.

greg-bnets Thu, 11/29/2007 - 12:54


I don't know yet which platform. I will ask them. But have you seen the things in the debug 3.txt file? What can you make of it? I will upgrade to 6.3(5); looking for the upgrade document online now. As soon as I find it I will upgrade.

kevin.jones1 Thu, 11/29/2007 - 13:06

Do you have remote access VPN terminating on this Pix firewall? Your IPsec phase II looks strange with

greg-bnets Thu, 11/29/2007 - 13:27

Yes, I have. But I deleted it now. Still I can only ping one host at a time.

greg-bnets Thu, 11/29/2007 - 15:07


I have upgraded to 6.3(5), still no progress. Thanks for all your efforts; I'm in the dark here.

greg-bnets Fri, 11/30/2007 - 07:36


When I remove the static inbound rule on the router I am able to ping all hosts simultaneously. But then again the company can only reach me when I start a ping first, and I will still have problems with the renegotiation.

Any thoughts on this?