I am attempting to set up a site-to-site VPN with a Checkpoint firewall without much success. My end is a failover pair of PIX 515e firewalls running 6.3(5). Both have a 3DES license. My understanding of failover is that the primary has an outside address (nnn.mmm.206.130) and the failover PIX has a different outside address (nnn.mmm.206.136) but assumes the primary address (nnn.mmm.206.130) when it acts as primary. For the VPN peer I would use the primary address nnn.mmm.206.130, correct? After failover the tunnel would come back up on the failover box using the primary address nnn.mmm.206.130 as the peer? Thanks.
Yes, your understanding is correct. Can you post your configuration along with the outputs of "deb cry is" and "deb cry ipsec". The debugs should point us in some direction to troubleshoot and identify the issue.
Thanks! I assume that 10.170.16.0 255.255.252.0, 10.170.20.128 255.255.255.128 and 10.170.21.0 255.255.255.192 know that they need to route the traffic to the pix in order to reach 10.204.128.16 and 89.0.x.x addresses.
Also, is this pix the primary pix. If so, can you do a "clear xlate" and then try bringing up the tunnel and look for debugs.
Thanks. Yes. All the 10.170 networks are legs of our core router. I have verified the static routes to the 10.200.0.0 and 10.204.0.0, etc. networks. I am telnetting to the "primary" inside address, so I assume that I am connected to the device that is currently acting as primary. I have performed a clear xlate and tried to open the tunnel again. Does it matter if the crypto map uses 10 as the identifier and the debug references 1? Deb cry ip 10 gives periodic REAPER statements. Neither 1 nor 10 gives the expected IPSEC / ISAKMP debug statements. Perhaps I am not directing them correctly? Thanks.
Interesting you are not seeing any debugs. Couple of things I would do.
1. Can you console into the pix and look for debugs.
2. If you telnet to the pix, make sure that you are the only one logged on to the pix. Crypto debugs can only be logged to one terminal, so if there is someone else also telnetted or SSHed into the pix, you most likely will not see the debugs.
3. Don't forget to enable term mon to look at debugs.
4. Also, just type in "deb cry is" and "deb crypto ipsec" for debugs.
5. If you still do not see any debugs, can you remove the crypto map from the outside interface and reapply it.
Thank you for your persistence. I do appreciate it. I removed the crypto map and isakmp statements with clear crypto map and clear isakmp. I then rebuilt the statements and attempted to debug again. Unfortunately no luck. I'm guessing there is something terribly obvious that I am missing, but I cannot see what it is. Thanks.
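For readers following this thread, here is a minimal PIX 6.3 site-to-site IPsec skeleton pulled together as an added example; it is not the poster's configuration and was not part of the original thread. It uses the poster's inside networks and the 3DES/SHA pair the license allows, while the Checkpoint peer address, the pre-shared key, the ACL name VPN_TRAFFIC, the transform-set name CP_SET and the map name OUTSIDE_MAP (sequence 10, as in the thread) are assumed placeholders. On an active/standby pair, only the active unit holds the shared outside address nnn.mmm.206.130, so the peer on the Checkpoint side is that address and no failover-specific crypto configuration is needed.

```text
! --- Added example, not the poster's config. Placeholders in angle brackets.
! Phase 1: ISAKMP must be enabled on the interface the peer reaches.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Pre-shared key bound to the Checkpoint's public address (assumed placeholder).
isakmp key <pre-shared-key> address <checkpoint-peer-ip> netmask 255.255.255.255 no-xauth no-config-mode

! Phase 2: transform set matching what the Checkpoint offers.
crypto ipsec transform-set CP_SET esp-3des esp-sha-hmac

! Interesting traffic: local networks from the thread to the remote hosts.
! 89.0.x.x is written here as a placeholder range; use the real remote subnet.
access-list VPN_TRAFFIC permit ip 10.170.16.0 255.255.252.0 10.204.128.16 255.255.255.255
access-list VPN_TRAFFIC permit ip 10.170.20.128 255.255.255.128 10.204.128.16 255.255.255.255
access-list VPN_TRAFFIC permit ip 10.170.21.0 255.255.255.192 10.204.128.16 255.255.255.255
access-list VPN_TRAFFIC permit ip 10.170.16.0 255.255.252.0 <remote-89-subnet> <remote-mask>

! Exempt tunnel traffic from NAT so the crypto ACL sees the real inside addresses.
nat (inside) 0 access-list VPN_TRAFFIC

! Crypto map: sequence 10, peer, ACL and transform set, then bind to outside.
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer <checkpoint-peer-ip>
crypto map OUTSIDE_MAP 10 set transform-set CP_SET
crypto map OUTSIDE_MAP interface outside

! Let decrypted IPsec traffic bypass the interface ACL check.
sysopt connection permit-ipsec

! Verification from the console (term mon when on telnet/SSH):
! debug crypto isakmp
! debug crypto ipsec
! show isakmp sa
! show crypto ipsec sa
```

The argument to debug crypto ipsec is a verbosity level, not a crypto map sequence number, which is why a level of 10 prints the periodic REAPER housekeeping messages rather than anything tied to map entry 10. If no ISAKMP debug appears at all when traffic matching VPN_TRAFFIC is generated from the inside, the usual checks are that the packets actually reach the PIX (the core router's routes), that nat 0 exempts them, and that the map is bound to the outside interface.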