IPSec Tunnel between VPN 3000 & Check point firewall

Hi ,

I have established tunnel between VPN Concentrator & check point.

After a few hours it gets disconnected, and then it takes a lot of time to get connected.

I am getting the following message continuously...

IKE Initiator: New Phase 1, Intf 2, IKE Peer 214.x.x.x

local Proxy Address 192.x.x.x , remote Proxy Address 214.x.x.x,

SA (L2L: Checkpoint)

-------------------------------

I am using DES-56

Is there anything that I need to check?

Thanks ....Rajneel

5 REPLIES
Re: IPSec Tunnel between VPN 3000 & Check point firewall

Rajneel,

Make sure that your IPsec/ISAKMP lifetimes match on the concentrator and the Check Point. The Check Point's default lifetime is 7 days; the concentrator can't go that high, its max is 1 day. Change the Check Point to match what's configured on the concentrator. Hope this helps.

Kurtis Durrett

Re: IPSec Tunnel between VPN 3000 & Check point firewall

Thanks, Kurtis.

I will check that. What should the Encryption / IKE Proposal settings be on both devices?

Re: IPSec Tunnel between VPN 3000 & Check point firewall

DES or 3DES, depending on your security policies. The SA lifetimes would also be determined by your security policies; some people like them to be short. But the max on the concentrator is 24 hours, or 86400 seconds, which is fine with most configurations.

Kurtis Durrett

Re: IPSec Tunnel between VPN 3000 & Check point firewall

Hi Kurtis,

I am getting the following error on the Check Point:

"IKE: Main Mode Sent Notification: no proposal chosen"

Regards ....Rajneel

Re: IPSec Tunnel between VPN 3000 & Check point firewall

Rajneel,

That means something is not matching between the two devices. I've seen configurations with the concentrator that allow connections to it because it will try to match the peer up with one of its many active proposals. But without checking this out (I'm much more familiar with the 3000 than the Check Point), it's hard for me to tell.

Have you followed this link:

http://www.cisco.com/warp/public/471/cp-3000.html

Kurtis Durrett
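As an added illustration of the two points raised in this thread (the lifetime mismatch in the first reply and the "no proposal chosen" notification in the last one), the following Python script is not from the original posts or from either vendor; it is a small simulator of IKE Phase 1 proposal selection. The Proposal fields, the sample proposal lists, and the rule that a lifetime mismatch negotiates down to the smaller value are assumptions made for the example; only the 86400-second concentrator maximum and the 7-day Check Point default come from the thread. It shows why a tunnel can come up on one proposal list and fail on another, and prints per-attribute differences so a mismatch can be located rather than guessed at.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Values stated in the thread: the VPN 3000 concentrator's maximum SA
# lifetime (24 h) and Check Point's default lifetime (7 days), in seconds.
CONCENTRATOR_MAX_LIFETIME = 86400
CHECKPOINT_DEFAULT_LIFETIME = 7 * 86400


@dataclass(frozen=True)
class Proposal:
    """One IKE Phase 1 transform (hypothetical attribute set for the example)."""
    encryption: str   # e.g. "DES-56", "3DES-168"
    hash_alg: str     # e.g. "MD5", "SHA1"
    dh_group: int     # Diffie-Hellman group number
    auth: str         # "preshared" or "rsa-sig"
    lifetime: int     # seconds


def attribute_differences(offered: Proposal, accepted: Proposal) -> List[str]:
    """Return the names of the attributes on which two transforms disagree.

    Lifetime is deliberately excluded: in this model it is negotiated, not
    matched exactly, so it never causes 'no proposal chosen' by itself.
    """
    diffs = []
    for name in ("encryption", "hash_alg", "dh_group", "auth"):
        if getattr(offered, name) != getattr(accepted, name):
            diffs.append(f"{name}: initiator={getattr(offered, name)!r} "
                         f"responder={getattr(accepted, name)!r}")
    return diffs


def check_concentrator_lifetime(lifetime: int) -> Optional[str]:
    """Warn when a lifetime exceeds what the concentrator side can be set to."""
    if lifetime > CONCENTRATOR_MAX_LIFETIME:
        return (f"lifetime {lifetime}s exceeds concentrator maximum "
                f"{CONCENTRATOR_MAX_LIFETIME}s; lower it on the peer")
    return None


def negotiate(initiator: List[Proposal],
              responder: List[Proposal]) -> Tuple[Optional[Proposal], List[str]]:
    """Simulate the responder's choice among the initiator's proposals.

    Returns (chosen proposal or None, diagnostic notes). The first offered
    transform that matches an accepted one wins; the negotiated lifetime is
    modelled (assumption) as the smaller of the two configured values.
    """
    notes: List[str] = []
    for offered in initiator:
        for accepted in responder:
            diffs = attribute_differences(offered, accepted)
            if diffs:
                continue
            lifetime = min(offered.lifetime, accepted.lifetime)
            if offered.lifetime != accepted.lifetime:
                notes.append(f"lifetime mismatch: initiator {offered.lifetime}s, "
                             f"responder {accepted.lifetime}s; modelled as "
                             f"negotiating down to {lifetime}s; align both "
                             f"configurations to avoid rekey disagreements")
            warning = check_concentrator_lifetime(accepted.lifetime)
            if warning:
                notes.append(warning)
            chosen = Proposal(offered.encryption, offered.hash_alg,
                              offered.dh_group, offered.auth, lifetime)
            return chosen, notes
    # Nothing matched: report, per offered transform, the closest mismatch so
    # the operator can see which attribute to fix.
    notes.append("no proposal chosen")
    for offered in initiator:
        closest = min(responder, key=lambda a: len(attribute_differences(offered, a)))
        notes.append(f"{offered.encryption}/{offered.hash_alg}/group{offered.dh_group}: "
                     + "; ".join(attribute_differences(offered, closest)))
    return None, notes


# Constructed sample proposal lists for the example (not real device output).
CONCENTRATOR = [
    Proposal("DES-56", "MD5", 1, "preshared", 86400),
    Proposal("3DES-168", "SHA1", 2, "preshared", 86400),
]
CHECKPOINT_OK = [Proposal("DES-56", "MD5", 1, "preshared", CHECKPOINT_DEFAULT_LIFETIME)]
CHECKPOINT_BAD = [Proposal("3DES-168", "MD5", 2, "preshared", 86400)]

if __name__ == "__main__":
    for label, peer in (("matching peer", CHECKPOINT_OK), ("mismatched peer", CHECKPOINT_BAD)):
        chosen, notes = negotiate(CONCENTRATOR, peer)
        print(f"== {label}: chosen={chosen}")
        for n in notes:
            print("   ", n)
```

Running the script shows the first peer accepting DES-56/MD5/group 1 while flagging the 7-day lifetime, and the second peer producing "no proposal chosen" with the single differing attribute (hash MD5 vs SHA1) listed, which is the kind of detail the "Main Mode Sent Notification: no proposal chosen" message itself does not carry.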
