l2l VPN between ASA5510 -- Checkpoint

Oct 17th, 2008

Site-Site VPN between ASA-5510 (version 8) and Checkpoint firewall


I've gotten layer 1 up and running; however, layer 2 is having problems. I've checked over the settings 4 times and it all seems correct. My problem seems to be that it is encrypting traffic but not decrypting.


CFIP-5510ASA-Primary# show crypto ipsec sa
interface: outside
    Crypto map tag: vpnmap, seq num: 10, local addr: 67.200.39.10

      access-list planet2ndfirewall permit ip 10.0.20.0 255.255.255.0 192.168.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
      current_peer: 209.62.74.253

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.200.39.10, remote crypto endpt.: 209.62.74.253

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 4BBBF828a



Thanks
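The counters in the output above are the whole diagnosis: the ASA is encapsulating packets (encaps 4) but has never decapsulated one (decaps 0), so the peer is not sending anything back through the tunnel. The following script is an added example (not from the original post or from Cisco) that parses the counter, ident and peer lines of `show crypto ipsec sa` output and classifies the SA as healthy, idle, one-way in either direction, or suffering integrity failures, with the next check a defender would make for each case. The sample text is the poster's own output trimmed to the relevant lines; the field names match ASA output, but the classification labels and hints are this example's own.

```python
import re

# Constructed sample: the relevant lines of the ASA output quoted in the question.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: vpnmap, seq num: 10, local addr: 67.200.39.10

      access-list planet2ndfirewall permit ip 10.0.20.0 255.255.255.0 192.168.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
      current_peer: 209.62.74.253

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# "#pkts encaps: 4" style counters; only the ones needed for the verdict are captured.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify): (\d+)")
# "local ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)"
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")

# Next check for each verdict (defender's view of the symptom).
HINTS = {
    "no-traffic": "no packets matched the crypto ACL; confirm interesting traffic is actually sent",
    "one-way-outbound": "we encrypt but receive nothing: verify the peer routes our local ident into "
                        "the tunnel and that its encryption domain mirrors our local/remote idents",
    "one-way-inbound": "peer traffic arrives but nothing is sent back: check local routing/NAT for the remote ident",
    "integrity-failures": "decapsulated packets fail verification: check transform set / key mismatch",
    "bidirectional": "SA is passing traffic both ways",
}


def parse_ipsec_sa(text):
    """Return the counters, proxy identities and peer address from one SA's output."""
    sa = {"counters": {}, "ident": {}, "peer": None}
    for m in COUNTER_RE.finditer(text):
        sa["counters"][m.group(1)] = int(m.group(2))
    for m in IDENT_RE.finditer(text):
        sa["ident"][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
    m = PEER_RE.search(text)
    if m:
        sa["peer"] = m.group(1)
    return sa


def diagnose(sa):
    """Classify the SA from its packet counters."""
    c = sa["counters"]
    encaps, decaps = c.get("encaps", 0), c.get("decaps", 0)
    verify = c.get("verify", decaps)
    if encaps == 0 and decaps == 0:
        return "no-traffic"
    if encaps > 0 and decaps == 0:
        return "one-way-outbound"
    if decaps > 0 and encaps == 0:
        return "one-way-inbound"
    if verify < decaps:
        return "integrity-failures"
    return "bidirectional"


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    verdict = diagnose(sa)
    print(f"peer {sa['peer']}  local {sa['ident'].get('local')}  remote {sa['ident'].get('remote')}")
    print(f"encaps={sa['counters'].get('encaps')} decaps={sa['counters'].get('decaps')} -> {verdict}")
    print(HINTS[verdict])
```

Run against the quoted output it reports `one-way-outbound`, which is exactly the condition the replies below address: the local side is fine, so the next place to look is routing and the encryption domain on the Check Point side.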

singhsaju Fri, 10/17/2008 - 09:27

Check for routing of network 10.0.20.0 on the remote side (209.62.74.253) where the packets are decrypting.


HTH

Saju

Pls rate helpful posts

cisco24x7 Fri, 10/17/2008 - 12:48

This is what you need to do on the Checkpoint side:

1- check routing,

2- run "vpn debug ikeoff", "vpn debug trunc", "vpn debug ikeon",

3- fw monitor -e -o pix.cap "accept src==67.200.39.10;"

This will allow you to look at how these two devices negotiate with each other via the ike.elg file in step 2, and use Wireshark to look at the pix.cap file. You can see why it is not working.

Easy right?

vtra Fri, 10/17/2008 - 13:24

I hope so, thank you very much for pointing me in the right direction.
