10-17-2008 06:44 AM
Configuration Type:
Site-Site VPN between ASA-5510 (version 8) and Checkpoint firewall
I've gotten layer 1 up and running; however, layer 2 is having problems. I've checked over the settings 4 times and it all seems correct. My problem seems to be that it is encrypting traffic but not decrypting.
CFIP-5510ASA-Primary# show crypto ipsec sa
interface: outside
Crypto map tag: vpnmap, seq num: 10, local addr: 67.200.39.10
access-list planet2ndfirewall permit ip 10.0.20.0 255.255.255.0 192.168.30.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
current_peer: 209.62.74.253
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 67.200.39.10, remote crypto endpt.: 209.62.74.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 4BBBF828a
Thanks
10-17-2008 09:27 AM
Check for routing of network 10.0.20.0 on the remote side (209.62.74.253) where the packets are decrypting.
HTH
Saju
Pls rate helpful posts
10-17-2008 12:48 PM
This is what you need to do:
on the checkpoint side:
1- check routing,
2- run "vpn debug ikeoff", "vpn debug trunc", "vpn debug ikeon",
3- fw monitor -e "accept src==67.200.39.10;" -o pix.cap
This will allow you to look at how these two devices negotiate with each other via the ike.elg file in step 2, and use Wireshark to look at the pix.cap file. You can see why it is not working.
Easy right?
10-17-2008 01:24 PM
I hope so, thank you very much for pointing me in the right direction.
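Added example, not part of the original thread: Python that parses `show crypto ipsec sa` output and flags SAs that encapsulate packets but never decapsulate any, the symptom shown in the first post. The sample text is constructed (the second SA, with peer 198.51.100.7, is made up for contrast) and the function names are hypothetical.

```python
import re

# Constructed sample: SA 10 uses the counters from the first post; SA 20 is made up.
SAMPLE = """\
interface: outside
    Crypto map tag: vpnmap, seq num: 10, local addr: 67.200.39.10
      local ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
      current_peer: 209.62.74.253
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: vpnmap, seq num: 20, local addr: 67.200.39.10
      local ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""

COUNTER = re.compile(r"#([^:#,]+): (\d+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")

def parse_sas(text):
    """Split 'show crypto ipsec sa' output into one dict per SA."""
    sas = []
    for block in re.split(r"(?=Crypto map tag:)", text):
        peer = re.search(r"current_peer: ([\d.]+)", block)
        if not peer:
            continue  # interface header, no SA in this chunk
        idents = {side: f"{addr}/{mask}" for side, addr, mask in IDENT.findall(block)}
        counters = {name.strip(): int(n) for name, n in COUNTER.findall(block)}
        sas.append({"peer": peer.group(1), **idents, "counters": counters})
    return sas

def classify(sa):
    """Label an SA by comparing outbound (encaps) and inbound (decaps) counts."""
    enc = sa["counters"].get("pkts encaps", 0)
    dec = sa["counters"].get("pkts decaps", 0)
    if enc and not dec:
        return "one-way-out"  # encrypting, nothing returns: look at the remote peer
    if dec and not enc:
        return "one-way-in"   # peer sends, local replies never enter the tunnel
    return "ok" if enc else "idle"

def report(text):
    return [(s["peer"], s["local"] + " -> " + s["remote"], classify(s)) for s in parse_sas(text)]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(*row, sep="  ")
```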