jbayuka Mon, 02/04/2008 - 11:17

If the IPsec tunnel is not UP, check that the ISAKMP policies match with the remote peers. This ISAKMP policy is applicable to both the Site-to-Site (L2L) and Remote Access IPsec VPN.


If the Cisco VPN Clients or the Site-to-Site VPN are not able to establish the tunnel with the remote-end device, check that the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values and when the remote peer policy specifies a lifetime less than or equal to the lifetime in the policy that the initiator sent. If the lifetimes are not identical, the security appliance uses the shorter lifetime. If no acceptable match exists, ISAKMP refuses negotiation, and the SA is not established.


If the Cisco VPN Client is unable to connect to the head-end device, the problem can be a mismatch of the ISAKMP Policy. The head-end device must match one of the IKE Proposals of the Cisco VPN Client.
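An added illustration of the matching rules described in the post above (example code written for this page, not from the thread, Cisco, or the VPN client): a small model of ISAKMP phase 1 proposal matching, including the lifetime rule. Peer names and policy values are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # lower number is tried first, as on Cisco devices
    encryption: str      # e.g. "3des", "aes-256"
    hash: str            # "md5" or "sha"
    authentication: str  # "pre-share" or "rsa-sig"
    group: int           # Diffie-Hellman group number
    lifetime: int        # SA lifetime in seconds

def policies_match(initiator: IsakmpPolicy, responder: IsakmpPolicy) -> bool:
    """Encryption, hash, authentication and DH group must be identical, and the
    responder's lifetime must be <= the lifetime the initiator sent."""
    return (initiator.encryption == responder.encryption
            and initiator.hash == responder.hash
            and initiator.authentication == responder.authentication
            and initiator.group == responder.group
            and responder.lifetime <= initiator.lifetime)

def negotiate(initiator_policies: List[IsakmpPolicy],
              responder_policies: List[IsakmpPolicy]
              ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Try the initiator's proposals in priority order against the responder's.
    Returns (initiator_policy, responder_policy, agreed_lifetime) for the first
    acceptable match, or None when ISAKMP would refuse negotiation."""
    for ip in sorted(initiator_policies, key=lambda p: p.priority):
        for rp in sorted(responder_policies, key=lambda p: p.priority):
            if policies_match(ip, rp):
                return ip, rp, min(ip.lifetime, rp.lifetime)  # shorter lifetime wins
    return None

def explain_mismatch(initiator: IsakmpPolicy, responder: IsakmpPolicy) -> List[str]:
    """List the attributes that differ so the operator knows what to change."""
    diffs = []
    for attr in ("encryption", "hash", "authentication", "group"):
        a, b = getattr(initiator, attr), getattr(responder, attr)
        if a != b:
            diffs.append(f"{attr}: initiator={a} responder={b}")
    if responder.lifetime > initiator.lifetime:
        diffs.append(f"lifetime: responder {responder.lifetime}s exceeds initiator {initiator.lifetime}s")
    return diffs

# Constructed sample: a VPN client offering two proposals to two head-end configs.
CLIENT = [IsakmpPolicy(10, "aes-256", "sha", "pre-share", 2, 86400),
          IsakmpPolicy(20, "3des", "md5", "pre-share", 2, 86400)]
HEADEND_BAD = [IsakmpPolicy(10, "3des", "sha", "pre-share", 5, 86400)]  # no match
HEADEND_OK = [IsakmpPolicy(10, "3des", "md5", "pre-share", 2, 28800)]   # matches priority 20
```

Running `negotiate(CLIENT, HEADEND_BAD)` returns None, and `explain_mismatch` on the two priority-10 policies reports the differing encryption and DH group; `negotiate(CLIENT, HEADEND_OK)` matches the client's second proposal with the shorter 28800 s lifetime.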



ajagadee Mon, 02/04/2008 - 12:53

Based on the debug, it looks like UDP Port 500 is being blocked in the path between the Pix and Checkpoint.


crypto_isakmp_process_block:src:69.25.174.245, dest:172.16.200.1 spt:500 dpt:500

ISAKMP: phase 1 packet is a duplicate of a previous packet


Also, I notice that you have 172.16.200.1, which is a private IP, on the public interface and I am sure that it's getting NATed somewhere. So, you may want to check the NATing device to make sure that it's not blocking any traffic.


Regards,

Arul


** Please rate all helpful posts **

