How to configure an IPsec tunnel between a Cisco router and a Checkpoint Firewall

Jun 22, 2009 6:17 PM

Resolution

Complete these steps to set up the IPsec VPN tunnel:

1.  Configure the Internet Key Exchange (IKE) proposal on both devices.

2.  Configure the IPsec parameters on both devices.

3.  Specify network ranges on both devices for passing traffic across the proposed tunnel.
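The following Cisco IOS configuration is an added example showing how the three steps above come together on the router side; it is not taken from the original page or from the linked Cisco document. The peer address (172.18.124.157), the router's outside address (172.18.124.158), the two protected networks and the crypto map name rtpmap are reused from the sample output later on this page. Everything else is assumed for illustration: the outside interface name Ethernet0/0, the IKE proposal (AES-256, SHA-1, pre-shared key, Diffie-Hellman group 2), the transform set name CP-TS, access list number 101 and the pre-shared key placeholder. The Checkpoint gateway must be configured with the same IKE and IPsec proposals, the same pre-shared key, and an encryption domain of 192.168.2.0/24, otherwise phase 1 or phase 2 negotiation will fail.

```cisco
! Step 1: IKE (ISAKMP) proposal. The Checkpoint side must offer the same
! encryption, hash, authentication method and DH group (all assumed here).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key for the Checkpoint peer. REPLACE_WITH_STRONG_PSK is a
! placeholder; use a long random key and enter the identical value on the Checkpoint.
crypto isakmp key REPLACE_WITH_STRONG_PSK address 172.18.124.157
!
! Step 2: IPsec (phase 2) parameters. Transform set name CP-TS is assumed.
crypto ipsec transform-set CP-TS esp-aes 256 esp-sha-hmac
!
! Step 3: network ranges carried by the tunnel ("interesting traffic").
! Traffic matching this ACL triggers IKE and is encrypted; the Checkpoint
! encryption domain must mirror it (192.168.2.0/24 behind the Checkpoint).
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! Crypto map ties peer, transform set and interesting-traffic ACL together.
! The map name rtpmap matches the "Crypto map tag" in the sample output.
crypto map rtpmap 10 ipsec-isakmp
 set peer 172.18.124.157
 set transform-set CP-TS
 match address 101
!
! Apply the crypto map to the interface facing the Checkpoint
! (interface name and mask are assumed).
interface Ethernet0/0
 ip address 172.18.124.158 255.255.255.0
 crypto map rtpmap
```

After applying this, send a ping from a host in 192.168.1.0/24 to a host in 192.168.2.0/24 to trigger IKE, then check show crypto isakmp sa for a QM_IDLE entry with 172.18.124.157 as the peer and show crypto ipsec sa for the 192.168.1.0/24 to 192.168.2.0/24 identities with incrementing encaps and decaps counters.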

For the complete configuration on both devices, for troubleshooting an IPsec tunnel between a Cisco router and a Checkpoint firewall, and for the relevant debug commands, refer to Configuring an IPSec Tunnel Between a Cisco Router and a Checkpoint NG.

Once the tunnel is configured, attempt to pass traffic from a workstation on one side of the connection to a workstation on the other side. If the ping succeeds, the tunnel is functioning properly. If it does not, determine the state of the connection by issuing the show crypto isakmp sa and show crypto ipsec sa commands on the Cisco endpoint. Note that the sample output below was captured on a PIX Firewall; the same two commands exist on IOS routers, although the column layout of the output differs slightly.

QM_IDLE means that phase 1 (Internet Security Association and Key Management Protocol [ISAKMP]) has completed and the IKE security association is idle, ready for quick mode. If the show crypto isakmp sa command output shows anything other than QM_IDLE in the state column (for example MM_NO_STATE, or no entry for the peer at all), then phase 1 has not been properly negotiated and should be examined first. An empty table usually means IKE was never triggered, most often because no traffic has yet matched the crypto access list, or because the peer address in the crypto map is wrong.

The results should resemble this example:

cisco_endpoint#show crypto isakmp sa
  dst src state pending created
172.18.124.157  172.18.124.35 QM_IDLE 0 2

The show crypto ipsec sa command identifies information about phase 2 of the connection (IPsec).

The proper peer and local endpoint for the tunnel should be identified, and the local and remote identities should match the networks you intended to protect. Furthermore, if traffic has been passed across the tunnel, the counters for both pkts encaps and pkts decaps should be incrementing. If only pkts encaps increments, this side is encrypting and sending but receiving nothing back, so the problem is on the remote side or on the return path (for example the Checkpoint encryption domain or routing toward 192.168.1.0/24). If only pkts decaps increments, this side is receiving encrypted traffic but not selecting any traffic into the tunnel, so check the local crypto access list and routing. In this way a determination can usually be made as to which side of the tunnel is having difficulty.

A portion of the command output is shown below:

cisco_endpoint#show crypto ipsec sa
interface: outside
Crypto map tag: rtpmap, local addr. 172.18.124.158
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 172.18.124.157
PERMIT, flags={origin_is_acl,}
#pkts encaps: 20, #pkts encrypt: 20, #pkts digest 20
#pkts decaps: 20, #pkts decrypt: 20, #pkts verify 20
#pkts compressed: 20, #pkts decompressed: 20
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

Problem Type

How to (General Information)

Product Family

Routers
