Site to Site VPN between Checkpoint NGX R65 and Cisco IOS

Unanswered Question
Jul 8th, 2010

Hi all,

I have read several guides on how to configure site-to-site VPN between Cisco and Checkpoint using pre-shared keys. The configuration is correct on Checkpoint side and as far as I know from Cisco as well.

The encryption policy is:

- 3DES - MD5 - DH Group 2 - 28800 seconds (Phase 1)

- 3DES - MD5 - DH Group 2 - 3600 seconds (Phase 2)

- Networks included are 10.240.0.0/22 and 192.168.252.0/24

Here is the debug output from Cisco IOS router:

2821-route#debug crypto isakmp

Crypto ISAKMP debugging is on

2821-route#debug crypto ipsec

Crypto IPSEC debugging is on

2821-route#debug crypto engine

Crypto Engine debugging is on

2821-route#


*Jul  8 09:06:58.975: ISAKMP (0:0): received packet from 192.168.100.10 dport 500 sport 500 Global (N) NEW SA

*Jul  8 09:06:58.975: ISAKMP: Created a peer struct for 192.168.100.10, peer port 500

*Jul  8 09:06:58.975: ISAKMP: New peer created peer = 0x4612D7B8 peer_handle = 0x8000003F

*Jul  8 09:06:58.975: ISAKMP: Locking peer struct 0x4612D7B8, refcount 1 for crypto_isakmp_process_block

*Jul  8 09:06:58.975: ISAKMP: local port 500, remote port 500

*Jul  8 09:06:58.975: insert sa successfully sa = 45C3E8B8

*Jul  8 09:06:58.975: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul  8 09:06:58.975: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Jul  8 09:06:58.975: ISAKMP:(0): processing SA payload. message ID = 0

*Jul  8 09:06:58.975: ISAKMP:(0): processing vendor id payload

*Jul  8 09:06:58.975: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch

*Jul  8 09:06:58.975: ISAKMP:(0):found peer pre-shared key matching 192.168.100.10

*Jul  8 09:06:58.975: ISAKMP:(0): local preshared key found

*Jul  8 09:06:58.975: ISAKMP : Scanning profiles for xauth ...

*Jul  8 09:06:58.975: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy

*Jul  8 09:06:58.975: ISAKMP:      encryption 3DES-CBC

*Jul  8 09:06:58.975: ISAKMP:      hash MD5

*Jul  8 09:06:58.975: ISAKMP:      auth pre-share

*Jul  8 09:06:58.975: ISAKMP:      default group 2

*Jul  8 09:06:58.975: ISAKMP:      life type in seconds

*Jul  8 09:06:58.975: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Jul  8 09:06:58.975: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jul  8 09:06:58.975: ISAKMP:(0):Acceptable atts:actual life: 0

*Jul  8 09:06:58.975: ISAKMP:(0):Acceptable atts:life: 0

*Jul  8 09:06:58.975: ISAKMP:(0):Fill atts in sa vpi_length:4

*Jul  8 09:06:58.975: ISAKMP:(0):Fill atts in sa life_in_seconds:28800

*Jul  8 09:06:58.975: ISAKMP:(0):Returning Actual lifetime: 28800

*Jul  8 09:06:58.975: ISAKMP:(0)::Started lifetime timer: 28800.

*Jul  8 09:06:58.975: ISAKMP:(0): processing vendor id payload

*Jul  8 09:06:58.975: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch

*Jul  8 09:06:58.975: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul  8 09:06:58.975: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Jul  8 09:06:58.975: ISAKMP:(0): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Jul  8 09:06:58.979: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul  8 09:06:58.979: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul  8 09:06:58.979: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Jul  8 09:06:59.071: ISAKMP (0:0): received packet from 192.168.100.10 dport 500 sport 500 Global (R) MM_SA_SETUP

*Jul  8 09:06:59.071: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul  8 09:06:59.071: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Jul  8 09:06:59.071: ISAKMP:(0): processing KE payload. message ID = 0

*Jul  8 09:06:59.071: crypto_engine: Create DH shared secret

*Jul  8 09:06:59.103: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jul  8 09:06:59.103: ISAKMP:(0):found peer pre-shared key matching 192.168.100.10

*Jul  8 09:06:59.103: crypto_engine: Create IKE SA

*Jul  8 09:06:59.103: crypto engine: deleting DH phase 2 SW:26

*Jul  8 09:06:59.103: crypto_engine: Delete DH shared secret

*Jul  8 09:06:59.103: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul  8 09:06:59.103: ISAKMP:(1019):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Jul  8 09:06:59.103: ISAKMP:(1019): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Jul  8 09:06:59.103: ISAKMP:(1019):Sending an IKE IPv4 Packet.

*Jul  8 09:06:59.103: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul  8 09:06:59.103: ISAKMP:(1019):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Jul  8 09:06:59.195: ISAKMP (0:1019): received packet from 192.168.100.10 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Jul  8 09:06:59.195: crypto_engine: Decrypt IKE packet

*Jul  8 09:06:59.195: ISAKMP:(1019):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul  8 09:06:59.195: ISAKMP:(1019):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Jul  8 09:06:59.199: ISAKMP:(1019): processing ID payload. message ID = 0

*Jul  8 09:06:59.199: ISAKMP (0:1019): ID payload

next-payload : 8

type         : 1

address      : 192.168.100.10

protocol     : 0

port         : 0

length       : 12

*Jul  8 09:06:59.199: ISAKMP:(0):: peer matches *none* of the profiles

*Jul  8 09:06:59.199: ISAKMP:(1019): processing HASH payload. message ID = 0

*Jul  8 09:06:59.199: crypto_engine: Generate IKE hash

*Jul  8 09:06:59.199: ISAKMP:(1019):SA authentication status:

authenticated

*Jul  8 09:06:59.199: ISAKMP:(1019):SA has been authenticated with 192.168.100.10

*Jul  8 09:06:59.199: ISAKMP: Trying to insert a peer 192.168.200.10/192.168.100.10/500/,  and inserted successfully 4612D7B8.

*Jul  8 09:06:59.199: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul  8 09:06:59.199: ISAKMP:(1019):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Jul  8 09:06:59.199: ISAKMP:(1019):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Jul  8 09:06:59.199: ISAKMP (0:1019): ID payload

next-payload : 8

type         : 1

address      : 192.168.200.10

protocol     : 17

port         : 500

length       : 12

*Jul  8 09:06:59.199: ISAKMP:(1019):Total payload length: 12

*Jul  8 09:06:59.199: crypto_engine: Generate IKE hash

*Jul  8 09:06:59.199: crypto_engine: Encrypt IKE packet

*Jul  8 09:06:59.199: ISAKMP:(1019): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Jul  8 09:06:59.199: ISAKMP:(1019):Sending an IKE IPv4 Packet.

*Jul  8 09:06:59.199: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul  8 09:06:59.199: ISAKMP:(1019):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Jul  8 09:06:59.199: ISAKMP:(1019):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Jul  8 09:06:59.199: ISAKMP:(1019):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul  8 09:06:59.287: ISAKMP (0:1019): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE     

*Jul  8 09:06:59.287: ISAKMP: set new node 307071352 to QM_IDLE     

*Jul  8 09:06:59.287: crypto_engine: Decrypt IKE packet

*Jul  8 09:06:59.287: crypto_engine: Generate IKE hash

*Jul  8 09:06:59.287: ISAKMP:(1019): processing HASH payload. message ID = 307071352

*Jul  8 09:06:59.287: ISAKMP:(1019): processing SA payload. message ID = 307071352

*Jul  8 09:06:59.287: ISAKMP:(1019):Checking IPSec proposal 1

*Jul  8 09:06:59.287: ISAKMP: transform 1, ESP_3DES

*Jul  8 09:06:59.287: ISAKMP:   attributes in transform:

*Jul  8 09:06:59.287: ISAKMP:      group is 2

*Jul  8 09:06:59.287: ISAKMP:      SA life type in seconds

*Jul  8 09:06:59.287: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10

*Jul  8 09:06:59.287: ISAKMP:      authenticator is HMAC-MD5

*Jul  8 09:06:59.287: ISAKMP:      encaps is 1 (Tunnel)

*Jul  8 09:06:59.287: ISAKMP:(1019):atts are acceptable.

*Jul  8 09:06:59.287: IPSEC(validate_proposal_request): proposal part #1

*Jul  8 09:06:59.287: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 192.168.200.10, remote= 192.168.100.10,

    local_proxy= 10.240.1.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.252.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Jul  8 09:06:59.287: Crypto mapdb : proxy_match

src addr     : 10.240.1.0

dst addr     : 192.168.252.0

protocol     : 0

src port     : 0

dst port     : 0

*Jul  8 09:06:59.287: ISAKMP:(1019): processing NONCE payload. message ID = 307071352

*Jul  8 09:06:59.287: ISAKMP:(1019): processing KE payload. message ID = 307071352

*Jul  8 09:06:59.287: crypto_engine: Create DH shared secret

*Jul  8 09:06:59.319: ISAKMP:(1019): processing ID payload. message ID = 307071352

*Jul  8 09:06:59.319: ISAKMP:(1019): processing ID payload. message ID = 307071352

*Jul  8 09:06:59.319: ISAKMP:(1019):QM Responder gets spi

*Jul  8 09:06:59.319: ISAKMP:(1019):Node 307071352, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Jul  8 09:06:59.319: ISAKMP:(1019):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

*Jul  8 09:06:59.319: crypto_engine: Generate IKE hash

*Jul  8 09:06:59.319: crypto_engine: Generate IKE QM keys

*Jul  8 09:06:59.319: crypto_engine: Create IPSec SA (by keys)

*Jul  8 09:06:59.319: crypto_engine: Generate IKE QM keys

*Jul  8 09:06:59.319: crypto_engine: Create IPSec SA (by keys)

*Jul  8 09:06:59.319: crypto engine: deleting DH phase 2 SW:27

*Jul  8 09:06:59.319: crypto_engine: Delete DH shared secret

*Jul  8 09:06:59.319: crypto engine: deleting DH SW:25

*Jul  8 09:06:59.319: ISAKMP:(1019): Creating IPSec SAs

*Jul  8 09:06:59.323:         inbound SA from 192.168.100.10 to 192.168.200.10 (f/i)  0/ 0

        (proxy 192.168.252.0 to 10.240.1.0)

*Jul  8 09:06:59.323:         has spi 0xFC7E44FA and conn_id 0

*Jul  8 09:06:59.323:         lifetime of 3600 seconds

*Jul  8 09:06:59.323:         outbound SA from 192.168.200.10 to 192.168.100.10 (f/i) 0/0

        (proxy 10.240.1.0 to 192.168.252.0)

*Jul  8 09:06:59.323:         has spi  0x61C47149 and conn_id 0

*Jul  8 09:06:59.323:         lifetime of 3600 seconds

*Jul  8 09:06:59.323: crypto_engine: Encrypt IKE packet

*Jul  8 09:06:59.323: ISAKMP:(1019): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) QM_IDLE     

*Jul  8 09:06:59.323: ISAKMP:(1019):Sending an IKE IPv4 Packet.

*Jul  8 09:06:59.323: ISAKMP:(1019):Node 307071352, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

*Jul  8 09:06:59.323: ISAKMP:(1019):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2

*Jul  8 09:06:59.323: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jul  8 09:06:59.323: Crypto mapdb : proxy_match

src addr     : 10.240.1.0

dst addr     : 192.168.252.0

protocol     : 0

src port     : 0

dst port     : 0

*Jul  8 09:06:59.323: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.100.10

*Jul  8 09:06:59.323: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.168.200.10, sa_proto= 50,

    sa_spi= 0xFC7E44FA(4236133626),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2223

*Jul  8 09:06:59.323: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.168.100.10, sa_proto= 50,

    sa_spi= 0x61C47149(1640264009),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2224

*Jul  8 09:06:59.323: crypto engine: updating MTU size of IPSec SA NETGX:224

*Jul  8 09:06:59.323: crypto_engine: Set IPSec MTU

*Jul  8 09:06:59.327: crypto_engine: Create DH

*Jul  8 09:06:59.351: crypto_engine: Delete DH

*Jul  8 09:06:59.419: ISAKMP (0:1019): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE     

*Jul  8 09:06:59.419: crypto_engine: Decrypt IKE packet

*Jul  8 09:06:59.419: crypto_engine: Generate IKE hash

*Jul  8 09:06:59.419: ISAKMP:(1019):deleting node 307071352 error FALSE reason "QM done (await)"

*Jul  8 09:06:59.419: ISAKMP:(1019):Node 307071352, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Jul  8 09:06:59.419: ISAKMP:(1019):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

*Jul  8 09:06:59.419: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jul  8 09:06:59.423: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

*Jul  8 09:06:59.423: IPSEC(key_engine_enable_outbound): enable SA with spi 1640264009/50

*Jul  8 09:06:59.423: IPSEC(update_current_outbound_sa): updated peer 192.168.100.10 current outbound sa to SPI 61C47149

*Jul  8 09:06:59.547: ISAKMP (0:1019): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE     

*Jul  8 09:06:59.547: ISAKMP:(1019): phase 2 packet is a duplicate of a previous packet.

*Jul  8 09:06:59.547: ISAKMP:(1019): retransmitting due to retransmit phase 2

*Jul  8 09:06:59.547: ISAKMP:(1019): ignoring retransmission,because phase2 node marked dead 307071352

*Jul  8 09:06:59.631: ISAKMP (0:1019): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE     

*Jul  8 09:06:59.631: ISAKMP:(1019): phase 2 packet is a duplicate of a previous packet.

*Jul  8 09:06:59.631: ISAKMP:(1019): retransmitting due to retransmit phase 2

*Jul  8 09:06:59.631: ISAKMP:(1019): ignoring retransmission,because phase2 node marked dead 307071352

Here is the configuration:

crypto isakmp policy 5

encr 3des

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp key KEY address 192.168.100.10

!

!

crypto ipsec transform-set DR esp-3des esp-md5-hmac

crypto ipsec transform-set strong esp-3des esp-sha-hmac

!

crypto map CISCO 101 ipsec-isakmp

set peer 192.168.100.10

set transform-set DR

set pfs group2

match address 103

access-list 103 permit ip 10.240.0.0 0.0.3.255 192.168.252.0 0.0.0.255

Momchil Valkov Thu, 07/08/2010 - 02:56

Hi,

Is the remote peer (CheckPoint) a single box or clustered?

Have you noticed if this issue occurs when only one WS is using the VPN tunnel?

If possible debug with only one WS and one flow (one destination) and monitor the IPSEC SA's for it, then introduce another flow (another destination or second WS) and see the IPSEC SA's associated. I've seen similar behaviour, when Checkpoint behaves as it's configured to build SA's per host, no matter what you configure on it, and as per default, cisco is building per network (per entries in access list with 'interesting' traffic).

The last can be easily verified by changing the behaviour of cisco for per host IPSEC SA's: set security-association level per-host in crypto map configuration.

The other option you can check is if there is packet loss between the peers, causing packet retransmission, or high network latency, causing the same, after timers get expired.

I would expect that the esp/udp flows are filtered only to those predefined peers, excluding other fake peers to send bulk 'vpn' traffic.

predrag2006 Thu, 07/08/2010 - 03:14

hi,

the remote peer is Checkpoint ClusterXL running in unicast mode. So to give more detailed information:

1) I have configured Sticky Connections and load-sharing based on IPs so all connections are persistent.

2) I have configured max subnets for range and peer so I cannot have supernetting or something similar.

3) I have disabled to send the largest possible subnet for phase 2.

4) The configuration of the community is to use per-subnet and not per-host.

So I can see that we do not have any issues from Checkpoint side. I am seeing the same errors again. I have reconfigured both ends to use per-host security association but the problem has not disappeared.

predrag

predrag2006 Thu, 07/08/2010 - 03:24

Hi,

I have configured only one subnet and the behavior is set to one VPN tunnel per subnet.

Here is the debug output:

2821-route#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

192.168.200.10 192.168.100.10   QM_IDLE           1026    0 ACTIVE

IPv6 Crypto ISAKMP SA

2821-route#

*Jul  8 10:18:37.943: ISAKMP (0:0): received packet from 192.168.100.10 dport 500 sport 500 Global (N) NEW SA

*Jul  8 10:18:37.943: ISAKMP: Found a peer struct for 192.168.100.10, peer port 500

*Jul  8 10:18:37.943: ISAKMP: Locking peer struct 0x45C4038C, refcount 2 for crypto_isakmp_process_block

*Jul  8 10:18:37.943: ISAKMP: local port 500, remote port 500

*Jul  8 10:18:37.943: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 462FF6D8

*Jul  8 10:18:37.943: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul  8 10:18:37.943: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Jul  8 10:18:37.943: ISAKMP:(0): processing SA payload. message ID = 0

*Jul  8 10:18:37.943: ISAKMP:(0): processing vendor id payload

*Jul  8 10:18:37.943: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch

*Jul  8 10:18:37.943: ISAKMP:(0):found peer pre-shared key matching 192.168.100.10

*Jul  8 10:18:37.943: ISAKMP:(0): local preshared key found

*Jul  8 10:18:37.943: ISAKMP : Scanning profiles for xauth ...

*Jul  8 10:18:37.943: ISAKMP:(0):Checking ISAKMP transform 1 against priority 5 policy

*Jul  8 10:18:37.943: ISAKMP:      encryption 3DES-CBC

*Jul  8 10:18:37.943: ISAKMP:      hash MD5

*Jul  8 10:18:37.943: ISAKMP:      auth pre-share

*Jul  8 10:18:37.943: ISAKMP:      default group 2

*Jul  8 10:18:37.943: ISAKMP:      life type in seconds

*Jul  8 10:18:37.943: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80

*Jul  8 10:18:37.943: ISAKMP:(0):atts are acceptable. Next payload is 0

*Jul  8 10:18:37.943: ISAKMP:(0):Acceptable atts:actual life: 0

*Jul  8 10:18:37.943: ISAKMP:(0):Acceptable atts:life: 0

*Jul  8 10:18:37.943: ISAKMP:(0):Fill atts in sa vpi_length:4

*Jul  8 10:18:37.943: ISAKMP:(0):Fill atts in sa life_in_seconds:28800

*Jul  8 10:18:37.943: ISAKMP:(0):Returning Actual lifetime: 28800

*Jul  8 10:18:37.943: ISAKMP:(0)::Started lifetime timer: 28800.

*Jul  8 10:18:37.943: ISAKMP:(0): processing vendor id payload

*Jul  8 10:18:37.943: ISAKMP:(0): vendor ID seems Unity/DPD but major 175 mismatch

*Jul  8 10:18:37.943: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul  8 10:18:37.943: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Jul  8 10:18:37.947: ISAKMP:(0): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Jul  8 10:18:37.947: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Jul  8 10:18:37.947: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul  8 10:18:37.947: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Jul  8 10:18:38.043: ISAKMP (0:0): received packet from 192.168.100.10 dport 500 sport 500 Global (R) MM_SA_SETUP

*Jul  8 10:18:38.043: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul  8 10:18:38.043: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Jul  8 10:18:38.043: ISAKMP:(0): processing KE payload. message ID = 0

*Jul  8 10:18:38.043: crypto_engine: Create DH shared secret

*Jul  8 10:18:38.075: ISAKMP:(0): processing NONCE payload. message ID = 0

*Jul  8 10:18:38.075: ISAKMP:(0):found peer pre-shared key matching 192.168.100.10

*Jul  8 10:18:38.075: crypto_engine: Create IKE SA

*Jul  8 10:18:38.075: crypto engine: deleting DH phase 2 SW:35

*Jul  8 10:18:38.075: crypto_engine: Delete DH shared secret

*Jul  8 10:18:38.075: ISAKMP:(1029):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul  8 10:18:38.075: ISAKMP:(1029):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Jul  8 10:18:38.075: ISAKMP:(1029): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Jul  8 10:18:38.075: ISAKMP:(1029):Sending an IKE IPv4 Packet.

*Jul  8 10:18:38.075: ISAKMP:(1029):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul  8 10:18:38.075: ISAKMP:(1029):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Jul  8 10:18:38.127: ISAKMP (0:1029): received packet from 192.168.100.10 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Jul  8 10:18:38.127: crypto_engine: Decrypt IKE packet

*Jul  8 10:18:38.127: ISAKMP:(1029):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Jul  8 10:18:38.127: ISAKMP:(1029):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Jul  8 10:18:38.127: ISAKMP:(1029): processing ID payload. message ID = 0

*Jul  8 10:18:38.127: ISAKMP (0:1029): ID payload

next-payload : 8

type         : 1

address      : 192.168.100.10

protocol     : 0

port         : 0

length       : 12

*Jul  8 10:18:38.127: ISAKMP:(0):: peer matches *none* of the profiles

*Jul  8 10:18:38.127: ISAKMP:(1029): processing HASH payload. message ID = 0

*Jul  8 10:18:38.127: crypto_engine: Generate IKE hash

*Jul  8 10:18:38.127: ISAKMP:(1029):SA authentication status:

authenticated

*Jul  8 10:18:38.127: ISAKMP:(1029):SA has been authenticated with 192.168.100.10

*Jul  8 10:18:38.127: ISAKMP:(1029):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Jul  8 10:18:38.127: ISAKMP:(1029):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Jul  8 10:18:38.127: ISAKMP:(1029):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Jul  8 10:18:38.127: ISAKMP (0:1029): ID payload

next-payload : 8

type         : 1

address      : 192.168.200.10

protocol     : 17

port         : 500

length       : 12

*Jul  8 10:18:38.127: ISAKMP:(1029):Total payload length: 12

*Jul  8 10:18:38.127: crypto_engine: Generate IKE hash

*Jul  8 10:18:38.127: crypto_engine: Encrypt IKE packet

*Jul  8 10:18:38.131: ISAKMP:(1029): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Jul  8 10:18:38.131: ISAKMP:(1029):Sending an IKE IPv4 Packet.

*Jul  8 10:18:38.131: ISAKMP:(1029):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Jul  8 10:18:38.131: ISAKMP:(1029):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Jul  8 10:18:38.131: ISAKMP:(1029):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Jul  8 10:18:38.131: ISAKMP:(1029):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul  8 10:18:38.227: ISAKMP (0:1029): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE     

*Jul  8 10:18:38.227: ISAKMP: set new node 74112823 to QM_IDLE     

*Jul  8 10:18:38.227: crypto_engine: Decrypt IKE packet

*Jul  8 10:18:38.227: crypto_engine: Generate IKE hash

*Jul  8 10:18:38.227: ISAKMP:(1029): processing HASH payload. message ID = 74112823

*Jul  8 10:18:38.227: ISAKMP:(1029): processing SA payload. message ID = 74112823

*Jul  8 10:18:38.227: ISAKMP:(1029):Checking IPSec proposal 1

*Jul  8 10:18:38.227: ISAKMP: transform 1, ESP_3DES

*Jul  8 10:18:38.227: ISAKMP:   attributes in transform:

*Jul  8 10:18:38.227: ISAKMP:      group is 2

*Jul  8 10:18:38.227: ISAKMP:      SA life type in seconds

*Jul  8 10:18:38.227: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0xE 0x10

*Jul  8 10:18:38.227: ISAKMP:      authenticator is HMAC-MD5

*Jul  8 10:18:38.227: ISAKMP:      encaps is 1 (Tunnel)

*Jul  8 10:18:38.227: ISAKMP:(1029):atts are acceptable.

*Jul  8 10:18:38.227: IPSEC(validate_proposal_request): proposal part #1

*Jul  8 10:18:38.227: IPSEC(validate_proposal_request): proposal part #1,

  (key eng. msg.) INBOUND local= 192.168.200.10, remote= 192.168.100.10,

    local_proxy= 10.240.1.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.252.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= NONE  (Tunnel),

    lifedur= 0s and 0kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Jul  8 10:18:38.227: Crypto mapdb : proxy_match

src addr     : 10.240.1.0

dst addr     : 192.168.252.0

protocol     : 0

src port     : 0

dst port     : 0

*Jul  8 10:18:38.227: ISAKMP:(1029): processing NONCE payload. message ID = 74112823

*Jul  8 10:18:38.227: ISAKMP:(1029): processing KE payload. message ID = 74112823

*Jul  8 10:18:38.227: crypto_engine: Create DH shared secret

*Jul  8 10:18:38.259: ISAKMP:(1029): processing ID payload. message ID = 74112823

*Jul  8 10:18:38.259: ISAKMP:(1029): processing ID payload. message ID = 74112823

*Jul  8 10:18:38.259: ISAKMP:(1029):QM Responder gets spi

*Jul  8 10:18:38.259: ISAKMP:(1029):Node 74112823, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Jul  8 10:18:38.259: ISAKMP:(1029):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE

*Jul  8 10:18:38.259: crypto_engine: Generate IKE hash

*Jul  8 10:18:38.259: crypto_engine: Generate IKE QM keys

*Jul  8 10:18:38.259: crypto_engine: Create IPSec SA (by keys)

*Jul  8 10:18:38.259: crypto_engine: Generate IKE QM keys

*Jul  8 10:18:38.259: crypto_engine: Create IPSec SA (by keys)

*Jul  8 10:18:38.259: crypto engine: deleting DH phase 2 SW:36

*Jul  8 10:18:38.259: crypto_engine: Delete DH shared secret

*Jul  8 10:18:38.259: crypto engine: deleting DH SW:34

*Jul  8 10:18:38.259: ISAKMP:(1029): Creating IPSec SAs

*Jul  8 10:18:38.259:         inbound SA from 192.168.100.10 to 192.168.200.10 (f/i)  0/ 0

        (proxy 192.168.252.0 to 10.240.1.0)

*Jul  8 10:18:38.259:         has spi 0x4052249 and conn_id 0

*Jul  8 10:18:38.259:         lifetime of 3600 seconds

*Jul  8 10:18:38.259:         outbound SA from 192.168.200.10 to 192.168.100.10 (f/i) 0/0

        (proxy 10.240.1.0 to 192.168.252.0)

*Jul  8 10:18:38.259:         has spi  0x16FE7BBB and conn_id 0

*Jul  8 10:18:38.259:         lifetime of 3600 seconds

*Jul  8 10:18:38.259: crypto_engine: Encrypt IKE packet

*Jul  8 10:18:38.263: ISAKMP:(1029): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) QM_IDLE     

*Jul  8 10:18:38.263: ISAKMP:(1029):Sending an IKE IPv4 Packet.

*Jul  8 10:18:38.263: ISAKMP:(1029):Node 74112823, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI

*Jul  8 10:18:38.263: ISAKMP:(1029):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2

*Jul  8 10:18:38.263: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jul  8 10:18:38.263: Crypto mapdb : proxy_match

src addr     : 10.240.1.0

dst addr     : 192.168.252.0

protocol     : 0

src port     : 0

dst port     : 0

*Jul  8 10:18:38.263: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 192.168.100.10

*Jul  8 10:18:38.263: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.168.200.10, sa_proto= 50,

    sa_spi= 0x4052249(67445321),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2267

*Jul  8 10:18:38.263: IPSEC(create_sa): sa created,

  (sa) sa_dest= 192.168.100.10, sa_proto= 50,

    sa_spi= 0x16FE7BBB(385776571),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2268

*Jul  8 10:18:38.263: crypto engine: updating MTU size of IPSec SA NETGX:268

*Jul  8 10:18:38.263: crypto_engine: Set IPSec MTU

*Jul  8 10:18:38.263: IPSEC(early_age_out_sibling): sibling outbound SPI 5595E401 expiring in 30 seconds

*Jul  8 10:18:38.263: ISAKMP: set new node 2098796805 to QM_IDLE     

*Jul  8 10:18:38.263: crypto_engine: Generate IKE hash

*Jul  8 10:18:38.263: crypto_engine: Encrypt IKE packet

*Jul  8 10:18:38.263: ISAKMP:(1029): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) QM_IDLE     

*Jul  8 10:18:38.263: ISAKMP:(1029):Sending an IKE IPv4 Packet.

*Jul  8 10:18:38.263: ISAKMP:(1029):purging node 2098796805

*Jul  8 10:18:38.263: ISAKMP:(1029):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL

*Jul  8 10:18:38.263: ISAKMP:(1029):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul  8 10:18:38.267: crypto_engine: Create DH

*Jul  8 10:18:38.291: crypto_engine: Delete DH

*Jul  8 10:18:38.331: ISAKMP (0:1029): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE     

*Jul  8 10:18:38.331: crypto_engine: Decrypt IKE packet

*Jul  8 10:18:38.331: crypto_engine: Generate IKE hash

*Jul  8 10:18:38.331: ISAKMP:(1029):deleting node 74112823 error FALSE reason "QM done (await)"

*Jul  8 10:18:38.331: ISAKMP:(1029):Node 74112823, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Jul  8 10:18:38.331: ISAKMP:(1029):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

*Jul  8 10:18:38.331: IPSEC(key_engine): got a queue event with 1 KMI message(s)

*Jul  8 10:18:38.331: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP

*Jul  8 10:18:38.331: IPSEC(key_engine_enable_outbound): enable SA with spi 385776571/50

*Jul  8 10:18:38.331: IPSEC(update_current_outbound_sa): updated peer 192.168.100.10 current outbound sa to SPI 16FE7BBB

*Jul  8 10:18:38.443: ISAKMP (0:1029): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE     

*Jul  8 10:18:38.443: ISAKMP:(1029): phase 2 packet is a duplicate of a previous packet.

*Jul  8 10:18:38.443: ISAKMP:(1029): retransmitting due to retransmit phase 2

*Jul  8 10:18:38.443: ISAKMP:(1029): ignoring retransmission,because phase2 node marked dead 74112823

*Jul  8 10:18:38.531: ISAKMP (0:1029): received packet from 192.168.100.10 dport 500 sport 500 Global (R) QM_IDLE     

*Jul  8 10:18:38.531: ISAKMP:(1029): phase 2 packet is a duplicate of a previous packet.

*Jul  8 10:18:38.531: ISAKMP:(1029): retransmitting due to retransmit phase 2

*Jul  8 10:18:38.531: ISAKMP:(1029): ignoring retransmission,because phase2 node marked dead 74112823

*Jul  8 10:19:08.263: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 192.168.200.10, sa_proto= 50,

    sa_spi= 0x4917DCEE(1226300654),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2263,

  (identity) local= 192.168.200.10, remote= 192.168.100.10,

    local_proxy= 10.240.1.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.252.0/255.255.255.0/0/0 (type=4)

*Jul  8 10:19:08.263: crypto engine: deleting IPSec SA NETGX:263

*Jul  8 10:19:08.263: crypto_engine: Delete IPSec SA

*Jul  8 10:19:08.263: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 192.168.100.10, sa_proto= 50,

    sa_spi= 0x5595E401(1435886593),

    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2264,

  (identity) local= 192.168.200.10, remote= 192.168.100.10,

    local_proxy= 10.240.1.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.252.0/255.255.255.0/0/0 (type=4)

*Jul  8 10:19:08.263: crypto engine: deleting IPSec SA NETGX:264

*Jul  8 10:19:08.263: ISAKMP: set new node 1543518040 to QM_IDLE     

*Jul  8 10:19:08.263: crypto_engine: Generate IKE hash

*Jul  8 10:19:08.263: crypto_engine: Encrypt IKE packet

*Jul  8 10:19:08.263: ISAKMP:(1029): sending packet to 192.168.100.10 my_port 500 peer_port 500 (R) QM_IDLE     

*Jul  8 10:19:08.263: ISAKMP:(1029):Sending an IKE IPv4 Packet.

*Jul  8 10:19:08.263: ISAKMP:(1029):purging node 1543518040

*Jul  8 10:19:08.263: ISAKMP:(1029):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL

*Jul  8 10:19:08.263: ISAKMP:(1029):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Jul  8 10:19:08.263: crypto_engine: Delete IPSec SA

*Jul  8 10:19:28.331: ISAKMP:(1029):purging node 74112823

Momchil Valkov Thu, 07/08/2010 - 05:10

Hi,

Can you make sure that the ACLs for the 'interesting' traffic for that specific tunnel are matching (mirrored direction of course). One other thing, which might shed some light on the P2 negotiation, is to increase the debug verbosity to 20+.

predrag2006 Thu, 07/08/2010 - 05:37

Hi,

The point is that we have only one ACL in the crypto access list. I have narrowed it down to only one /24 subnet between both peers.

Predrag

Momchil Valkov Thu, 07/08/2010 - 06:00

yes, on cisco's side it is an access-list, and on checkpoint this is configured as network objects, but those should match exactly - network and mask, just mirrored directions - source on the 1st peer is destination on the 2nd peer and vice versa.
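An added check for the point Momchil raises about mirrored ACLs (example code written for this edit, not from the thread or either vendor): it parses the router's crypto ACL and the local_proxy/remote_proxy identities from the IOS debug, then reports whether the peer's proposal is the exact mirror of an ACL entry or a narrower subnet of it, as when the peer builds per-subnet or per-host SAs. The ACL line and proposal lines are copied from the thread as constructed sample input; the relation labels and verdict strings are this example's own.

```python
import ipaddress
import re

# Constructed sample input: the crypto ACL and one proposal message from this thread.
CRYPTO_ACL = "access-list 103 permit ip 10.240.0.0 0.0.3.255 192.168.252.0 0.0.0.255\n"

DEBUG_OUTPUT = """\
*Jul  8 09:06:59.287: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.200.10, remote= 192.168.100.10,
    local_proxy= 10.240.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 192.168.252.0/255.255.255.0/0/0 (type=4),
"""

# local_proxy and remote_proxy appear on consecutive lines of each IPSEC(...) message.
PROXY_RE = re.compile(
    r"local_proxy=\s*(?P<l>[\d.]+)/(?P<lm>[\d.]+)/.*?"
    r"remote_proxy=\s*(?P<r>[\d.]+)/(?P<rm>[\d.]+)/",
    re.S,
)


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco ACL 'address wildcard' pair into an IPv4Network.

    Only contiguous wildcards (0.0.3.255, 0.0.0.255, ...) map to a single
    prefix; anything else is rejected rather than silently mis-compared.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    prefix = 32 - wc.bit_length()
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_acl_addr(tokens, i):
    """Consume one ACL address spec (any | host A | A WILDCARD) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return [(src_net, dst_net)] for every 'access-list N permit ip ...' line."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2:4] != ["permit", "ip"]:
            continue
        src, i = parse_acl_addr(t, 4)
        dst, _ = parse_acl_addr(t, i)
        entries.append((src, dst))
    return entries


def relation(acl_net, proxy_net):
    """How a negotiated proxy identity relates to one side of an ACL entry."""
    if proxy_net == acl_net:
        return "exact"
    if proxy_net.subnet_of(acl_net):
        return "narrower"
    if acl_net.subnet_of(proxy_net):
        return "wider"
    return "disjoint"


def check_proxies(acl_text, debug_text):
    """Compare every proxy pair in the debug output with the crypto ACL.

    local_proxy is the router's own side (ACL source) and remote_proxy the
    peer's side (ACL destination), so a correctly mirrored peer yields
    'exact' on both sides.
    """
    entries = parse_crypto_acl(acl_text)
    findings = []
    for m in PROXY_RE.finditer(debug_text):
        lp = ipaddress.IPv4Network((m["l"], m["lm"]), strict=False)
        rp = ipaddress.IPv4Network((m["r"], m["rm"]), strict=False)
        # Prefer the ACL entry that overlaps the proposal on both sides.
        overlapping = [(s, d) for s, d in entries
                       if relation(s, lp) != "disjoint" and relation(d, rp) != "disjoint"]
        if overlapping:
            src_rel, dst_rel = relation(overlapping[0][0], lp), relation(overlapping[0][1], rp)
        else:
            src_rel = dst_rel = "disjoint"
        if src_rel == dst_rel == "exact":
            verdict = "mirrored: proxies equal the ACL entry"
        elif "disjoint" in (src_rel, dst_rel):
            verdict = "no ACL entry covers these proxies; check mirroring on the peer"
        elif "wider" in (src_rel, dst_rel):
            verdict = "peer proposes a wider proxy than the ACL permits"
        else:
            verdict = "peer proposes narrower (per-subnet/per-host) proxies than the ACL entry"
        findings.append({"local_proxy": str(lp), "remote_proxy": str(rp),
                         "src_relation": src_rel, "dst_relation": dst_rel,
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in check_proxies(CRYPTO_ACL, DEBUG_OUTPUT):
        print(f"{f['local_proxy']} <-> {f['remote_proxy']}: "
              f"src {f['src_relation']}, dst {f['dst_relation']} -> {f['verdict']}")
```

On the thread's own values the peer's 10.240.1.0/24 is a narrower subnet of the ACL's 10.240.0.0/22, which is exactly the per-subnet behaviour discussed above.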

predrag2006 Mon, 07/12/2010 - 09:12

do you have any other suggestions since I believe this is an IOS issue, it works normally with previous versions...

cciesec2011 Mon, 07/12/2010 - 18:45

can you include the "fw ver" on the CP NGx R65 and "show ver" on the Cisco IOS? I can test and tell you if it is an IOS issue in the next 24 hours.

You can also use "vpn debug ikeon" on the Checkpoint firewall and view the $FWDIR/log/ike.elg file with IKEView.exe file. It will tell you where things go wrong.

Furthermore, are  you running HFA_70 on the NGx R65 firewall?

predrag2006 Tue, 07/13/2010 - 00:25

Hi,

2821-route#show ver

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2008 by Cisco Systems, Inc.

Compiled Wed 13-Aug-08 17:09 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T11, RELEASE SOFTWARE (fc1)

2821-route uptime is 29 weeks, 4 days, 20 hours, 6 minutes

System returned to ROM by reload at 11:13:16 UTC Thu Dec 17 2009

System image file is "flash:c2800nm-advsecurityk9-mz.124-15.T7.bin"

[fw-gate1]# fw ver

This is Check Point VPN-1(TM) & FireWall-1(R) NGX (R65) HFA_70, Hotfix 670 - Build 033

EDIT:

I have also contacted Checkpoint support and they said everything is normal from Checkpoint side.

cciesec2011 Wed, 07/14/2010 - 03:09

I am sad to report that I have been able to reproduce your issue with the same IOS version you described. As soon as I downgraded to an older version, the issue goes away. Must be a bug in the IOS train.

predrag2006 Wed, 07/14/2010 - 06:13

Which IOS version would you recommend using? On which one were you able to establish the VPN tunnel?
