Hi there, we have an ASA 5510 and have a VPN to a 3rd party who use a Checkpoint R62 Secure Platform with 4.1 Nokia IPSO and there are a few problems with the VPN establishment.
We know there are lifetime differences and have set them according to the 3rd party's specifications. We have had issues in the past with Checkpoint devices, but with this one we quite often see the tunnel come up, traffic passes from our network to theirs with responses back, but they cannot access our network.
Are there any Cisco documents about compatibility issues or similar? In terms of config changes we are pretty certain ours is fine as the VPN eventually stabilises and they can send traffic too so the lifetimes and all other authentication and encryption should be ok.
Thanks for the link Dandy, our side of the config is basically the same with obvious changes for being ASA. As far as their side goes, they are a financial house and are unwilling to offer any information to us. I will re-query them but if anyone else has any useful information that would be cool.
Make sure the network definitions (i.e. subnet masks) for your encryption domain and that of the Check Point gateway match exactly. If they are not defined the same, Check Point will often fail phase 2 for outbound traffic, while inbound traffic at the CP gateway will work fine.
Just wanted to reiterate this... key word here is *exactly*. We tried this last week and found out that if the Checkpoint is set to summarize some subnets (for example 192.168.0.0/23) and the ASA is set for 192.168.0.0/24 and 192.168.1.0/24, the tunnel will come up and work for a couple hours before dropping and not coming back. Having them exactly the same on both ends fixed everything.
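The check described in the two replies above, as an added example that is not part of the original thread: a Python comparison of both sides' encryption-domain definitions that separates an exact match from the case where the same addresses are split along different subnet boundaries. The function name and verdict strings are assumptions made for illustration, and it handles IPv4 entries only.

```python
import ipaddress


def compare_encryption_domains(local, peer):
    """Compare two encryption-domain definitions given as IPv4 CIDR strings.

    Hypothetical helper (name and verdict strings are assumptions).
    strict=True rejects entries with host bits set, e.g. 192.168.1.5/24,
    since a wrong mask is itself a definition mismatch.
    """
    a = {ipaddress.ip_network(n, strict=True) for n in local}
    b = {ipaddress.ip_network(n, strict=True) for n in peer}
    result = {
        "only_local": [str(n) for n in sorted(a - b)],
        "only_peer": [str(n) for n in sorted(b - a)],
    }
    if a == b:
        result["verdict"] = "exact"
    elif list(ipaddress.collapse_addresses(a)) == list(ipaddress.collapse_addresses(b)):
        # Same address space, different subnet boundaries: each side
        # proposes different phase 2 selectors even though coverage is equal.
        result["verdict"] = "same_space_split_differently"
    else:
        result["verdict"] = "different_space"
    return result


if __name__ == "__main__":
    asa_side = ["192.168.0.0/24", "192.168.1.0/24"]  # as quoted in the reply above
    checkpoint_side = ["192.168.0.0/23"]              # summarized form from the same reply
    print(compare_encryption_domains(asa_side, checkpoint_side))
```

Feed it the networks from the ASA crypto ACL and the list the peer reports for its gateway; anything other than `exact` is worth raising with the other side before looking at lifetimes or proposals.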