VPN Tunnel from Cisco ASA to Checkpoint UTM-1 Edge

norwichr · ‎05-06-2008

Hi All,

I am currently trying to setup an IPSec Site to Site VPN tunnel from a Cisco 5520 to a Checkpoint UTM-1 Edge firewall. Phase 1 completes, but i get a mismatch cryptomap error on phase 2. This is syslog message 713061, i unfortunately don't control the Checkpoint Firewall but i am assured their crypto map is correct, and i know my cryptomap is correct. Has anyone had any experiences connecting to a checkpoint utm-1 edge firewall?

Thanks for any help

Ali

cisco24x7 · ‎05-06-2008

There are several issues that I can think of:

1- Phase 1 is complete means that your phase 1

is OK on both sides,

2- phase 2 fails because either crypto map on

your end is not correct or the encryption domain

on the checkpoint side is supernetting its

network and that your side does not like it.

What is the interesting traffics on your side

and what is the local encryption domain on

the checkpoint side? For example:

access-list 101 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 101 permit ip 192.168.100.0 0.0.0.255 10.0.1.0 0.0.0.255

as you can see on the checkpoint side, there

are two networks, 10.0.0.0/24 and 10.0.1.0/24.

Checkpoint, by default, will supernet these

two networks into 10.0.0.0/23 and send it to

to you during phase 2 negotiation thus failing

the VPN. There are workaround for this,

especially in NGx. This issue is well known

between Checkpoint and Cisco VPN.

The best way to confirm is to run "vpn debug

ikeon" on the checkpoint box and look at the

$FWDIR/log/ike.elg file with IKEView.exe

utility. It will tell you exactly where your

VPN fails. Checkpoint VPN debug utility

is about 100 times better than Cisco.

CCIE Security

norwichr · ‎05-06-2008

Hi thanks for the response

i have one line crypto map which is:

access-list cryptomap extended permit ip host 10.0.0.87 10.0.10.0 255.255.255.0

so i'm allowing traffic from our server here 10.0.0.87 to their network 10.0.10.0/24

i did a 'dbug crypto isakmp 127' and eventually get the below:

May 06 14:23:01 [IKEv1]: Group = [Their Peer IP Address], IP = [Their Peer IP Address], Rejecting IPSec tunnel: no matching crypto map entry for remote proxy [Their Peer IP]/255.255.255.255/0/0 local proxy [My Peer Address]/255.255.255.255/0/0 on interface Outside

It confuses me why their peer IP is coming through and mine for the crypto map entry, shouldn't this be the internal IP's or am i reading this wrong? could this go back to the checkpoing issue you explained?

in the meantime i will have my contact perform the checkpoing debugs you've explained

Thankyou

Ali

cisco24x7 · ‎05-07-2008

On the UTM-Edge, in the VPN community

configuration setting, select vpn to exchange

key "per host" from the default of "per

subnet pair".

VPN will work after that.

CCIE Security

udi4cisco · ‎06-01-2015

Many thanks cisco24x7, your answer solved the problem.

regards

Moez

Daniela Herrera · ‎03-29-2010

Hello,

I am having a similar problem with a Checkpoint: UTM-1 Edge X (8.0.36x) and an ASA5510 (8.0.4)...

Tunnel starts ok from the ASA but if the Checkpoint tries to start the tunnel, the ASA denies the connection since the encryption domain it is receiving includes the outside addresses of both firewalls instead of the internal hosts (debug crypto ipsec 250).

I've asked to test bringin up the tunnel from the host itself and not from the firewall and I still see the same behaviour.

I found this thread and suggested the changes to them, but they tell me that the Firewall version they have is very limited and those options are not available,.

Is there anything else you may suggest to try ??

Thanks and regards,