05-06-2008 06:23 AM - edited 02-21-2020 03:42 PM
Hi All,
I am currently trying to set up an IPSec Site-to-Site VPN tunnel from a Cisco 5520 to a Checkpoint UTM-1 Edge firewall. Phase 1 completes, but I get a mismatch crypto map error on phase 2. This is syslog message 713061. I unfortunately don't control the Checkpoint firewall, but I am assured their crypto map is correct, and I know my crypto map is correct. Has anyone had any experience connecting to a Checkpoint UTM-1 Edge firewall?
Thanks for any help
Ali
05-06-2008 07:00 AM
There are several issues that I can think of:
1- Phase 1 is complete, which means that your phase 1 is OK on both sides.
2- Phase 2 fails because either the crypto map on your end is not correct or the encryption domain on the Checkpoint side is supernetting its network and your side does not like it.
What is the interesting traffic on your side and what is the local encryption domain on the Checkpoint side? For example:
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.0.1.0 0.0.0.255
As you can see, on the Checkpoint side there are two networks, 10.0.0.0/24 and 10.0.1.0/24. Checkpoint, by default, will supernet these two networks into 10.0.0.0/23 and send it to you during phase 2 negotiation, thus failing the VPN. There are workarounds for this, especially in NGX. This issue is well known between Checkpoint and Cisco VPN.
The best way to confirm is to run "vpn debug ikeon" on the Checkpoint box and look at the $FWDIR/log/ike.elg file with the IKEView.exe utility. It will tell you exactly where your VPN fails. The Checkpoint VPN debug utility is about 100 times better than Cisco's.
CCIE Security
05-06-2008 07:19 AM
Hi, thanks for the response.
I have a one-line crypto map, which is:
access-list cryptomap extended permit ip host 10.0.0.87 10.0.10.0 255.255.255.0
So I'm allowing traffic from our server here, 10.0.0.87, to their network 10.0.10.0/24.
I did a 'debug crypto isakmp 127' and eventually get the below:
May 06 14:23:01 [IKEv1]: Group = [Their Peer IP Address], IP = [Their Peer IP Address], Rejecting IPSec tunnel: no matching crypto map entry for remote proxy [Their Peer IP]/255.255.255.255/0/0 local proxy [My Peer Address]/255.255.255.255/0/0 on interface Outside
It confuses me why their peer IP is coming through, and mine, for the crypto map entry. Shouldn't this be the internal IPs, or am I reading this wrong? Could this go back to the Checkpoint issue you explained?
In the meantime I will have my contact perform the Checkpoint debugs you've explained.
Thank you
Ali
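A small checker, added here as an illustration and not part of any post in this thread, that models the two failure modes discussed above: it parses a 713061 rejection line and the crypto ACL, then reports whether the offered proxy IDs match an ACL line, are a supernet of the ACL's destination networks, or are the gateways' own outside addresses. The responder logic is simplified to an exact-match rule (an assumption; the ASA's real check is more involved), and the peer IPs are constructed RFC 5737 addresses.

```python
import re
import ipaddress

# Constructed sample input (not quoted from the thread): the question's ASA crypto ACL
# and a 713061-style rejection, with RFC 5737 addresses for the redacted peer IPs.
ASA_ACL = ["access-list cryptomap extended permit ip host 10.0.0.87 10.0.10.0 255.255.255.0"]
REJECT = ("[IKEv1]: Group = 203.0.113.10, IP = 203.0.113.10, Rejecting IPSec tunnel: "
          "no matching crypto map entry for remote proxy 203.0.113.10/255.255.255.255/0/0 "
          "local proxy 198.51.100.5/255.255.255.255/0/0 on interface Outside")
# IOS-style crypto ACL with two /24s, as in the supernetting explanation above.
IOS_ACL = ["access-list 101 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255",
           "access-list 101 permit ip 192.168.100.0 0.0.0.255 10.0.1.0 0.0.0.255"]

def acl_operand(text):
    """'host A', 'A netmask' (ASA) or 'A wildcard' (IOS) -> ip_network."""
    if text.startswith("host "):
        return ipaddress.ip_network(text.split()[1] + "/32")
    addr, mask = text.split()
    if mask.startswith("0."):  # wildcard mask: invert it (assumes no 'any')
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(lines):
    """Return (local, remote) network pairs from 'permit ip SRC DST' lines."""
    pat = re.compile(r"permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)")
    return [(acl_operand(m.group(1)), acl_operand(m.group(2)))
            for m in map(pat.search, lines) if m]

def parse_reject(line):
    """Pull the offered proxy IDs (addr/mask/proto/port) out of a 713061 line."""
    m = re.search(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+", line)
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return local, remote

def diagnose(local, remote, entries):
    """Simplified responder check (assumption): the offered pair must equal one
    ACL line. Returns 'match', 'supernet', 'peer-addresses' or 'mismatch'."""
    if (local, remote) in entries:
        return "match"
    if any(l == local and r != remote and r.subnet_of(remote) for l, r in entries):
        return "supernet"        # peer merged our /24 lines into a wider block
    if local.prefixlen == 32 and remote.prefixlen == 32 and not any(
            local.subnet_of(l) or remote.subnet_of(r) for l, r in entries):
        return "peer-addresses"  # proxies are the gateways' outside IPs, not hosts
    return "mismatch"

if __name__ == "__main__":
    print(diagnose(*parse_reject(REJECT), parse_acl(ASA_ACL)))  # peer-addresses
```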
05-07-2008 04:30 AM
On the UTM-1 Edge, in the VPN community configuration setting, select VPN to exchange key "per host" instead of the default "per subnet pair".
VPN will work after that.
CCIE Security
06-01-2015 06:34 AM
Many thanks cisco24x7, your answer solved the problem.
regards
Moez
03-29-2010 12:38 PM
Hello,
I am having a similar problem with a Checkpoint UTM-1 Edge X (8.0.36x) and an ASA 5510 (8.0.4).
The tunnel starts OK from the ASA, but if the Checkpoint tries to start the tunnel, the ASA denies the connection since the encryption domain it is receiving includes the outside addresses of both firewalls instead of the internal hosts (debug crypto ipsec 250).
I've asked them to test bringing up the tunnel from the host itself and not from the firewall, and I still see the same behaviour.
I found this thread and suggested the changes to them, but they tell me that the firewall version they have is very limited and those options are not available.
Is there anything else you may suggest to try?
Thanks and regards,