I am trying to create an L2L connection from a 3K5 Concentrator to a vendor with a Checkpoint NGR55. At implementation this morning, we were able to access all NATed applications on their side, but they weren't able to access ours. The message we saw on both sides was:
Received non-routine Notify message: Invalid ID info (18)
Which indicates mismatched attributes between the peers. These have been verified on both sides. We have our local network list specified as all of the individual hosts that are translated in the static NAT rules. For them, we have static translations and two global PATs; the network list for them specifies their entire /24 network that was used in the global PAT. My understanding is that the more specific network will be applied and, if not found, the PAT will be used, and I can see this happening in the event log.
Question 1.) Could this be a possible problem with why they can't connect to anything on our side?
Question 2.) The concentrator is menu driven, even from the CLI, and I can't find a way to clear the SA when troubleshooting other than disabling and re-enabling the tunnel. I know on the ASA and PIX I can do this for phase 1 and 2 from the CLI. Does disabling the tunnel on the 3K5 have the same result?
Any other ideas on why this is happening would be appreciated.
It is very likely that the Checkpoint is doing supernetting, thus causing a Phase 2 Quick Mode error. I would do this on the
1- log into the checkpoint gateway,
2- "vpn tu" and delete the tunnel between checkpoint and VPNc,
3- cd $FWDIR/log,
4- vpn debug trunc,
5- vpn debug ikeoff,
6- vpn debug ikeon,
7- Now initiate the connection from the checkpoint side. It will fail,
8- collect the ike.elg file and export it to your desktop via scp or whatever,
9- Use a checkpoint tool called the IKEView.exe utility and open the ike.elg file.
This will tell you EXACTLY why the tunnel failed. It is very likely that the checkpoint is supernetting its network and sends it over to VPNc, causing phase-II to
To resolve this problem, you will have to modify the parameter "IKE_largest_possible_subnet" from "true" to "false" and also modify the user.def file as
The other solution is to upgrade to NGX so that you have an option to negotiate "per host" and have communication on both sides.
Sounds easy, right?
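To illustrate the mismatch the answer describes, here is an added example (not from either poster, and not Cisco or Checkpoint code) that models, with constructed addresses, how a summarised Phase 2 identity fails an exact-match check against a per-host network list while per-host proposals succeed. The exact-match rule and the "smallest covering prefix" summarisation are assumptions that simplify real Quick Mode selector matching.

```python
from ipaddress import ip_network

# Constructed sample data (not from the post): three statically translated hosts
# on the concentrator side, and the vendor's /24 on the other side.
VPNC_LOCAL_LIST = [ip_network(h) for h in
                   ("198.51.100.10/32", "198.51.100.11/32", "198.51.100.12/32")]
VPNC_REMOTE_NET = ip_network("203.0.113.0/24")


def covering_subnet(nets):
    """Smallest single prefix containing every entry: a simplified model of a
    peer that summarises ('supernets') its traffic selector before Quick Mode."""
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def quick_mode_accepts(peer_id_for_us, peer_id_for_them,
                       local_list=VPNC_LOCAL_LIST, remote_net=VPNC_REMOTE_NET):
    """Responder-side check (assumed, simplified): the identity pair the peer
    proposes must equal one configured local entry and the configured remote
    network. Containment does not count, so a summarised prefix that merely
    covers the host entries is rejected; that is the kind of mismatch that
    surfaces as 'Invalid ID info (18)'."""
    return peer_id_for_us in local_list and peer_id_for_them == remote_net


def compare_strategies():
    """Run both negotiation styles the answer contrasts: one summarised
    proposal versus a separate per-host proposal for each list entry."""
    summarised = covering_subnet(VPNC_LOCAL_LIST)  # 198.51.100.8/29
    supernet_ok = quick_mode_accepts(summarised, VPNC_REMOTE_NET)
    per_host_ok = all(quick_mode_accepts(h, VPNC_REMOTE_NET)
                      for h in VPNC_LOCAL_LIST)
    return {"summarised_prefix": str(summarised),
            "supernet_accepted": supernet_ok,
            "per_host_accepted": per_host_ok}


if __name__ == "__main__":
    print(compare_strategies())
```

Comparing the summarised prefix a debug trace shows against the exact entries in the responder's network list is the quickest way to confirm a supernetting mismatch before changing any settings.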