VPN Issues with WRV210 and Checkpoint

May 21st, 2010

Hi everyone..

I'm setting up an IPSec tunnel between your primary site (with Checkpoint) and a customer, who has a Cisco WRV210.

The tunnel is established, and working, since I can ping from our site, to the customer, but the customer LAN can't ping our setup.. here comes the setup

Customer LAN:

Our LAN:

Ping from to (wrv210 ip) - Success

Ping from to - Fails

In my Checkpoint log file, I can't see any ICMP attempts from our customer.

Since there is no log in the Cisco WRV210, other than to set up a syslog server, I can't see what it is doing.. I do not have any accessible PC on the remote site to send logs to..

Do you guys have any idea about what's wrong?

Any help is appreciated

MikkelNimand1 Fri, 05/21/2010 - 05:37


Here's a VPN log from our customer

000   [Fri 07:15:08]  packet from xx.xx.xx.xx:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d4bf6794c...]

001   [Fri 07:15:08]  "TunnelA" #4: responding to Main Mode

002   [Fri 07:15:08]  "TunnelA" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

003   [Fri 07:15:08]  "TunnelA" #4: STATE_MAIN_R1: sent MR1, expecting MI2

004   [Fri 07:15:09]  "TunnelA" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

005   [Fri 07:15:09]  "TunnelA" #4: STATE_MAIN_R2: sent MR2, expecting MI3

006   [Fri 07:15:09]  "TunnelA" #4: Main mode peer ID is ID_IPV4_ADDR: 'xx.xx.xx.xx'

007   [Fri 07:15:09]  "TunnelA" #4: I did not send a certificate because I do not have one.

008   [Fri 07:15:09]  "TunnelA" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

009   [Fri 07:15:09]  "TunnelA" #4: [WRV210 Response:] ISAKMP SA established

010   [Fri 07:15:09]  "TunnelA" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}

011   [Fri 07:15:09]  "TunnelA" #5: responding to Quick Mode {msgid:2973e856}

012   [Fri 07:15:09]  "TunnelA" #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1

013   [Fri 07:15:09]  "TunnelA" #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2

014   [Fri 07:15:09]  "TunnelA" #5: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2

015   [Fri 07:15:09]  "TunnelA" #5: [WRV210 Response:] IPSec SA established

016   [Fri 07:15:09]  "TunnelA" #5: STATE_QUICK_R2: IPsec SA established {ESP=>0x052096a9 <0x3a57f094 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}

017   [Fri 07:15:09]  "TunnelA" #5: discarding duplicate packet; already STATE_QUICK_R2

018   [Fri 07:15:10]  "TunnelA" #5: discarding duplicate packet; already STATE_QUICK_R2

Jennifer Halim Fri, 05/21/2010 - 16:34

If pings work one way, that means the VPN tunnel itself is up and running.

The issue is more than likely an access-list on the customer's side, not configuration on VPN tunnel.
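Added example, not part of any post in this thread: a small Python parser that checks the point made above against the WRV210 log, confirming that both the ISAKMP (phase 1) SA and the IPsec (phase 2) SA were established and listing what was negotiated. The function names and the regular expressions are this example's own, fitted to the log lines posted in the thread.

```python
import re

# Lines copied from the WRV210 log posted earlier in this thread.
SAMPLE_LOG = '''\
010   [Fri 07:15:09]  "TunnelA" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
011   [Fri 07:15:09]  "TunnelA" #5: responding to Quick Mode {msgid:2973e856}
016   [Fri 07:15:09]  "TunnelA" #5: STATE_QUICK_R2: IPsec SA established {ESP=>0x052096a9 <0x3a57f094 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
017   [Fri 07:15:09]  "TunnelA" #5: discarding duplicate packet; already STATE_QUICK_R2
018   [Fri 07:15:10]  "TunnelA" #5: discarding duplicate packet; already STATE_QUICK_R2
'''

# <seq> [<timestamp>] "<connection>" #<state number>: <message>
LINE = re.compile(r'^\d+\s+\[[^\]]+\]\s+"(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
PHASE1 = re.compile(r'STATE_MAIN_R3: sent MR3, ISAKMP SA established \{(?P<p>[^}]*)\}')
PHASE2 = re.compile(r'STATE_QUICK_R2: IPsec SA established '
                    r'\{ESP=>(?P<a>0x[0-9a-f]+) <(?P<b>0x[0-9a-f]+) (?P<p>[^}]*)\}')


def parse_params(text):
    """Turn 'k1=v1 k2=v2' into a dict."""
    return dict(kv.split('=', 1) for kv in text.split())


def summarize(log_text):
    """Return per-connection phase 1 / phase 2 parameters and duplicate count."""
    tunnels = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a connection name (e.g. Vendor ID notices)
        t = tunnels.setdefault(
            m['conn'], {'phase1': None, 'phase2': None, 'duplicates': 0})
        msg = m['msg']
        if (p1 := PHASE1.search(msg)):
            t['phase1'] = parse_params(p1['p'])
        elif (p2 := PHASE2.search(msg)):
            t['phase2'] = parse_params(p2['p'])
            t['phase2']['esp_spis'] = [p2['a'], p2['b']]  # as printed in the log
        elif 'discarding duplicate packet' in msg:
            t['duplicates'] += 1
    return tunnels


def tunnel_up(tunnel):
    """Both SAs negotiated: remaining one-way failures are policy or routing."""
    return tunnel['phase1'] is not None and tunnel['phase2'] is not None


if __name__ == '__main__':
    for name, t in summarize(SAMPLE_LOG).items():
        print(name, 'up' if tunnel_up(t) else 'not established', t)
```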

MikkelNimand1 Mon, 05/24/2010 - 23:51

Hi halijenn,

Thanks for your reply.

I'm having the same thought, I just don't know where to configure the ACL on the Cisco WRV210.. I only have a limited web interface.. I can't access any command line..

