ASA 5545 l2l tunnel with Checkpoint Firewall won't re-establish tunnel

I'm trying to get a Site to Site VPN tunnel with a Checkpoint Firewall. I have configured the VPN and it was established the first time. After some time of no use the tunnel was dropped, but it didn't start again with interesting traffic. I reloaded the firewall and the tunnel was established again. I'm kind of new, but is there a retransmit configuration that would be causing an issue? When I restart the traffic I don't even see it initiating phase one with the key exchange (IKEv2).

Thanks,

M

3 Replies

pjain2
Cisco Employee

What is your ASA's version?

Please attach the running config of the ASA; also please mention which debugs you apply when you try to bring up the tunnel.

ASA Version - 9.2(2)4

access-list VPN_SYP extended permit ip object ************* object-group *********

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map VPN 300 match address VPN_SYP
crypto map VPN 300 set peer ************
crypto map VPN 300 set ikev2 ipsec-proposal AES256

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
tunnel-group ******** type ipsec-l2l
tunnel-group ******** ipsec-attributes
 ikev1 pre-shared-key ************
 ikev2 remote-authentication pre-shared-key *********
 ikev2 local-authentication pre-shared-key **********

I have on:

debug crypto ikev2 protocol

I have not done any IKEv2 VPNs, but still I have two things to mention:

1. What's this line here: ikev1 pre-shared-key?
2. Check also on the Checkpoint side; IKEv2 has been supported for some time now, but it is not that popular as far as I know, so you either deep dive and troubleshoot this config, or you can ask to switch it to IKEv1? Anyway, I would look at the software version used by the Checkpoint appliance and what its SmartViewTracker shows in the logs. There's also extensive IKE debug on Checkpoint, and the output file has a dedicated VPN interpreter that usually shows what's the deal.
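The two things the replies ask for (a look at the full ASA crypto config, and the stray ikev1 pre-shared-key under an IKEv2-only tunnel-group) can be checked statically before touching the box. The script below is an added example written for this thread, not Cisco code and not a diagnosis of the poster's tunnel; it parses an ASA running-config excerpt and reports the pieces the ASA needs before it will initiate IKEv2 for a crypto map entry (the map bound to an interface, crypto ikev2 enable on that interface, an ikev2 policy, a matching ipsec-l2l tunnel-group with both IKEv2 keys), plus an informational note when an ikev1 key sits on a tunnel-group whose map entry only sets an IKEv2 proposal. The sample config is constructed: the peer 203.0.113.10, the IKEv2 policy, the proposal body and the crypto map VPN interface outside line are assumptions, since the excerpt in the thread does not show them.

```python
"""Static sanity check of an ASA IKEv2 site-to-site crypto config.

Added example for this thread, not Cisco code. It does not diagnose the
original poster's problem; it only reports configuration gaps that would stop
the ASA from initiating IKEv2 at all, plus the leftover ikev1 key that the
third reply asks about.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the redacted excerpt in the thread. The peer
# address (TEST-NET-3), the ikev2 policy, the proposal body and the
# "crypto map VPN interface outside" binding are ASSUMED; the excerpt does not
# show them. "crypto ikev2 enable outside" is deliberately left out so the
# check has something to report.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association pmtu-aging infinite
crypto map VPN 300 match address VPN_SYP
crypto map VPN 300 set peer 203.0.113.10
crypto map VPN 300 set ikev2 ipsec-proposal AES256
crypto map VPN interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

# Same sample with the stray IKEv1 key removed and IKEv2 enabled on the interface.
FIXED_CONFIG = (SAMPLE_CONFIG.replace(" ikev1 pre-shared-key *****\n", "")
                + "crypto ikev2 enable outside\n")


def parse_blocks(config):
    """Group indented sub-commands under their parent line, running-config style."""
    blocks = {}
    parent = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            if parent is not None:
                blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks


def audit_asa_ikev2(config):
    """Return (severity, message) findings for the IKEv2 L2L parts of an ASA config."""
    blocks = parse_blocks(config)
    findings = []
    maps = defaultdict(dict)   # map name -> seq -> {"peer": str, "ikev2": bool}
    bound = defaultdict(set)   # map name -> interfaces it is applied to
    ikev2_enabled = set()      # interfaces with "crypto ikev2 enable"
    has_ikev2_policy = False

    for line in blocks:        # top-level lines, in config order
        m = re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line)
        if m:
            maps[m[1]].setdefault(m[2], {})["peer"] = m[3]
            continue
        m = re.match(r"crypto map (\S+) (\d+) set ikev2 ipsec-proposal", line)
        if m:
            maps[m[1]].setdefault(m[2], {})["ikev2"] = True
            continue
        m = re.match(r"crypto map (\S+) interface (\S+)", line)
        if m:
            bound[m[1]].add(m[2])
            continue
        m = re.match(r"crypto ikev2 enable (\S+)", line)
        if m:
            ikev2_enabled.add(m[1])
            continue
        if line.startswith("crypto ikev2 policy "):
            has_ikev2_policy = True

    if any(e.get("ikev2") for en in maps.values() for e in en.values()) and not has_ikev2_policy:
        findings.append(("error", "an IKEv2 proposal is used but no 'crypto ikev2 policy' exists"))

    for name, entries in maps.items():
        if not bound[name]:
            findings.append(("error", f"crypto map {name} is not applied to any interface"))
        for seq, e in entries.items():
            if e.get("ikev2"):
                for ifc in sorted(bound[name] - ikev2_enabled):
                    findings.append(("error", f"crypto map {name} {seq} uses IKEv2 on {ifc} "
                                              f"but 'crypto ikev2 enable {ifc}' is missing"))
            peer = e.get("peer")
            if peer is None:
                findings.append(("error", f"crypto map {name} {seq} has no 'set peer'"))
                continue
            if f"tunnel-group {peer} type ipsec-l2l" not in blocks:
                findings.append(("error", f"no 'tunnel-group {peer} type ipsec-l2l' for crypto map {name} {seq}"))
            attrs = blocks.get(f"tunnel-group {peer} ipsec-attributes", [])
            if e.get("ikev2"):
                for side in ("local", "remote"):
                    if not any(a.startswith(f"ikev2 {side}-authentication") for a in attrs):
                        findings.append(("error", f"tunnel-group {peer}: missing 'ikev2 {side}-authentication'"))
                if any(a.startswith("ikev1 pre-shared-key") for a in attrs):
                    findings.append(("info", f"tunnel-group {peer}: 'ikev1 pre-shared-key' is set but "
                                             f"crypto map {name} {seq} only sets an IKEv2 proposal"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit_asa_ikev2(SAMPLE_CONFIG):
        print(f"{severity}: {msg}")
```

Run it against the output of show running-config crypto and show running-config tunnel-group rather than the sanitised excerpt; every "error" line names a command the ASA needs before it will send the first IKE_SA_INIT, and the "info" line is the ikev1 key the third reply questions (harmless to an IKEv2-only map entry, but it suggests the tunnel-group was converted from IKEv1 and is worth tidying). The script says nothing about why an established tunnel is not rebuilt after idle; for that, compare show crypto ikev2 sa and show crypto ipsec sa on the ASA with the Checkpoint logs while the interesting traffic is generated.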