1903 Views | 0 Helpful | 9 Replies

VPN Between Cisco 7100 to Nokia IP 330 with Checkpoint NG

vempati (Level 1)

Hi,

We are trying to establish VPN connectivity between a Cisco 7100 and a Nokia IP 330 running Checkpoint NG. We are using the following parameters:

encryption algorithm: DES - Data Encryption Standard (56 bit keys)

hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #1 (768 bit)

lifetime: 600 seconds, no volume limit

Pre-Shared Key: xyz

We have configured both the Cisco and the Checkpoint NG, but we are getting the following errors in the Checkpoint log. Can anybody help us?

error1:

IKE Information Exchange Received Notification from Peer: Responder Lifetime (phase1)

IKE Main Mode completion.

encryption failure:Error occured

IKE:Quick Mode Received Notification from peer:no proposal chosen

error2:

IKE Main Mode completion.

encryption failure:Error occured

IKE:Quick Mode Received Notification from peer:no proposal chosen

encryption failure: Packet is dropped as there is no valid SA

encryption failure:Mismatching PFS option ESP:DES +MD5

Cisco Error Log:

*Jun 24 05:29:00: ISAKMP (0:0): received packet from 191.12.X.Y (N) NEW SA

*Jun 24 05:29:00: ISAKMP: local port 500, remote port 500

*Jun 24 05:29:00: ISAKMP (0:893): processing SA payload. message ID = 0

*Jun 24 05:29:00: ISAKMP (0:893): found peer pre-shared key matching 196.12.48.82

*Jun 24 05:29:00: ISAKMP (0:893): Checking ISAKMP transform 1 against priority 1 policy

*Jun 24 05:29:00: ISAKMP: encryption DES-CBC

*Jun 24 05:29:00: ISAKMP: hash MD5

*Jun 24 05:29:00: ISAKMP: auth pre-share

*Jun 24 05:29:00: ISAKMP: default group 1

*Jun 24 05:29:00: ISAKMP: life type in seconds

*Jun 24 05:29:00: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80

*Jun 24 05:29:00: ISAKMP (0:893): atts are acceptable. Next payload is 0

*Jun 24 05:29:00: ISAKMP (0:893): processing vendor id payload

*Jun 24 05:29:00: ISAKMP (0:893): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Jun 24 05:29:00: ISAKMP (0:893): sending packet to 191.12.x.y (R) MM_SA_SETUP

*Jun 24 05:29:00: ISAKMP (0:893): received packet from 191.12.x.y (R) MM_SA_SETUP

*Jun 24 05:29:00: ISAKMP (0:893): processing KE payload. message ID = 0

*Jun 24 05:29:00: ISAKMP (0:893): processing NONCE payload. message ID = 0

*Jun 24 05:29:00: ISAKMP (0:893): found peer pre-shared key matching 196.12.48.82

*Jun 24 05:29:00: ISAKMP (0:893): SKEYID state generated

*Jun 24 05:29:00: ISAKMP (0:893): sending packet to 191.12.x.y (R) MM_KEY_EXCH

*Jun 24 05:29:01: ISAKMP (0:893): received packet from 191.12.x.y (R) MM_KEY_EXCH

*Jun 24 05:29:01: ISAKMP (0:893): processing ID payload. message ID = 0

*Jun 24 05:29:01: ISAKMP (0:893): processing HASH payload. message ID = 0

*Jun 24 05:29:01: ISAKMP (0:893): SA has been authenticated with 196.12.48.82

*Jun 24 05:29:01: ISAKMP (893): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

*Jun 24 05:29:01: ISAKMP (893): Total payload length: 12

*Jun 24 05:29:01: ISAKMP (0:893): sending packet to 191.12.x.y (R) QM_IDLE

*Jun 24 05:29:01: ISAKMP (0:893): purging node -849031589

*Jun 24 05:29:01: ISAKMP: Sending phase 1 responder lifetime 86400

*Jun 24 05:29:01: ISAKMP (0:893): sending packet to 191.12.x.y (R) QM_IDLE

*Jun 24 05:29:01: ISAKMP (0:893): received packet from 191.12.x.y (R) QM_IDLE

*Jun 24 05:29:01: ISAKMP (0:893): processing HASH payload. message ID = -961779022

*Jun 24 05:29:01: ISAKMP (0:893): processing SA payload. message ID = -961779022

*Jun 24 05:29:01: ISAKMP (0:893): Checking IPSec proposal 1

*Jun 24 05:29:01: ISAKMP: transform 1, ESP_DES

*Jun 24 05:29:01: ISAKMP: attributes in transform:

*Jun 24 05:29:01: ISAKMP: group is 1

*Jun 24 05:29:01: ISAKMP: SA life type in seconds

*Jun 24 05:29:01: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x51 0x80

*Jun 24 05:29:01: ISAKMP: authenticator is HMAC-MD5

*Jun 24 05:29:01: ISAKMP: encaps is 1

*Jun 24 05:29:01: ISAKMP (0:893): atts are acceptable.

*Jun 24 05:29:01: IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) INBOUND local= 211.191.x.1, remote= 191.12.x.y,

local_proxy= 211.191.x.160/255.255.255.224/0/0 (type=4),

remote_proxy= 191.12.x.y/255.255.255.255/0/0 (type=1),

protocol= ESP, transform= esp-des esp-md5-hmac ,

lifedur= 0s and 0kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x14

*Jun 24 05:29:01: IPSEC(validate_transform_proposal): proxy identities not supported

*Jun 24 05:29:01: ISAKMP (0:893): IPSec policy invalidated proposal

*Jun 24 05:29:01: ISAKMP (0:893): phase 2 SA not acceptable!

*Jun 24 05:29:01: ISAKMP (0:893): sending packet to 191.12.x.y (R) QM_IDLE

*Jun 24 05:29:01: ISAKMP (0:893): purging node -1371576863

*Jun 24 05:29:01: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 191.12.x.y

*Jun 24 05:29:01: ISAKMP (0:893): deleting node -961779022 error FALSE reason "IKMP_NO_ERR_NO_TRANS"

Regards

Sreenivas Reddy

9 Replies

paqiu (Level 1)

According to the debug you uploaded in the email, I found the phase 1 ISAKMP negotiation is fine: "ISAKMP (0:893): atts are acceptable"

It looks like the phase 2 IPSEC policy between the router and the remote peer is mismatched: "IPSec policy invalidated proposal".

Please check the router configuration for the IPSEC transform set and make sure it matches on both peers. Also please check the match address access-list in the router and make sure it matches the remote peer's network list as well.

paqiu (Level 1)

Hi,

On further study of your debug, in the phase 2 IPSEC config there are several mismatches:

1 It seems the Checkpoint end has PFS enabled, but the IOS router default is PFS disabled; you might turn it off on both ends, or match PFS group 1 or PFS group 2.

2 The proxy identity local type=4 but remote type=1, which means the local side is using network to network while Checkpoint might be using a host to host tunnel.

Here is the link for PIX to Check Point 4.1; the router should be the same as well:

http://www.cisco.com/warp/customer/110/cp-p.html

Hope the above information is helpful to you.
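To make the reading of the debug above mechanical, here is an added Python example (not code from this thread, from Cisco or from Check Point) that walks a "debug crypto isakmp" / "debug crypto ipsec" capture, records what each phase negotiated, and reports the same phase 2 problems paqiu identified: the PFS group the peer demands versus the local crypto map, the subnet-versus-host proxy identity asymmetry (type=4 versus type=1), and a crypto ACL that does not mirror the proposed proxy identities. The sample lines are constructed from the shape of the debug in the post, with the masked addresses replaced by RFC 5737 documentation addresses; the function names, finding codes and the local_pfs_group / local_acl parameters are my own.

```python
"""Classify an IKEv1 negotiation from Cisco IOS 'debug crypto isakmp' and
'debug crypto ipsec' output and name the phase 2 mismatches.

Added example for this thread, not Cisco or Check Point code. The sample is
constructed from the debug shape in the original post, with the masked
addresses replaced by RFC 5737 documentation addresses; all names are mine.
"""
import ipaddress
import re

# Constructed sample: trimmed copy of the debug shape in the original post.
SAMPLE_DEBUG = """\
*Jun 24 05:29:00: ISAKMP (0:893): Checking ISAKMP transform 1 against priority 1 policy
*Jun 24 05:29:00: ISAKMP: encryption DES-CBC
*Jun 24 05:29:00: ISAKMP: hash MD5
*Jun 24 05:29:00: ISAKMP (0:893): atts are acceptable. Next payload is 0
*Jun 24 05:29:01: ISAKMP (0:893): SA has been authenticated with 198.51.100.82
*Jun 24 05:29:01: ISAKMP (0:893): Checking IPSec proposal 1
*Jun 24 05:29:01: ISAKMP: transform 1, ESP_DES
*Jun 24 05:29:01: ISAKMP: group is 1
*Jun 24 05:29:01: ISAKMP: authenticator is HMAC-MD5
*Jun 24 05:29:01: ISAKMP (0:893): atts are acceptable.
*Jun 24 05:29:01: IPSEC(validate_proposal_request): proposal part #1,
local_proxy= 203.0.113.160/255.255.255.224/0/0 (type=4),
remote_proxy= 198.51.100.82/255.255.255.255/0/0 (type=1),
*Jun 24 05:29:01: IPSEC(validate_transform_proposal): proxy identities not supported
*Jun 24 05:29:01: ISAKMP (0:893): IPSec policy invalidated proposal
*Jun 24 05:29:01: ISAKMP (0:893): phase 2 SA not acceptable!
"""

PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/\d+/\d+ \(type=(\d+)\)")
ID_TYPES = {1: "host", 4: "subnet"}  # IKEv1 ID_IPV4_ADDR / ID_IPV4_ADDR_SUBNET (RFC 2407)
FAILURE_MARKERS = ("proxy identities not supported", "IPSec policy invalidated proposal",
                   "phase 2 SA not acceptable")  # router rejected the Quick Mode proposal


def parse_debug(text):
    """Walk the debug once and record what each phase negotiated."""
    st = {"phase": None, "phase1_ok": False, "authenticated": False,
          "phase2_transform_ok": False, "esp_transform": None, "esp_auth": None,
          "pfs_group": None, "local_proxy": None, "remote_proxy": None, "failures": []}
    for line in text.splitlines():
        if "Checking ISAKMP transform" in line:
            st["phase"] = 1
        elif "Checking IPSec proposal" in line:
            st["phase"] = 2
        elif "atts are acceptable" in line and st["phase"] == 1:
            st["phase1_ok"] = True
        elif "atts are acceptable" in line and st["phase"] == 2:
            st["phase2_transform_ok"] = True
        elif "SA has been authenticated" in line:
            st["authenticated"] = True
        elif st["phase"] == 2:
            if m := re.search(r"transform \d+, (\S+)", line):
                st["esp_transform"] = m.group(1)
            elif m := re.search(r"authenticator is (\S+)", line):
                st["esp_auth"] = m.group(1)
            elif m := re.search(r"ISAKMP: group is (\d+)", line):
                st["pfs_group"] = int(m.group(1))  # PFS group the peer insists on
            elif m := PROXY_RE.search(line):
                side, addr, mask, idtype = m.groups()
                st[side + "_proxy"] = {"net": ipaddress.ip_network(f"{addr}/{mask}", strict=False),
                                       "type": int(idtype), "kind": ID_TYPES.get(int(idtype), "other")}
            else:
                st["failures"].extend(f for f in FAILURE_MARKERS if f in line)
    return st


def diagnose(st, local_pfs_group=None, local_acl=None):
    """Return (code, message) findings. local_pfs_group is this router's 'set pfs'
    group (None = not configured, the IOS default); local_acl is the crypto ACL as
    (local, remote) CIDR pairs, e.g. [("203.0.113.5/32", "198.51.100.82/32")]."""
    if not st["phase1_ok"]:
        return [("PHASE1_FAIL", "no ISAKMP policy matched the peer's proposal")]
    findings = []
    if st["pfs_group"] is not None and st["pfs_group"] != local_pfs_group:
        findings.append(("PFS_MISMATCH", f"peer wants PFS group {st['pfs_group']}, local crypto "
                         f"map has {local_pfs_group or 'no set pfs'}; disable PFS on the peer or match the group"))
    lp, rp = st["local_proxy"], st["remote_proxy"]
    if lp and rp and lp["type"] != rp["type"]:
        findings.append(("PROXY_ASYMMETRY", f"peer proposes {lp['net']} ({lp['kind']}) <-> "
                         f"{rp['net']} ({rp['kind']}); confirm both ends intend the same pair"))
    if lp and rp and local_acl is not None:
        acl = {(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in local_acl}
        if (lp["net"], rp["net"]) not in acl:
            findings.append(("PROXY_NO_ACL_MATCH", "no 'match address' ACL entry equals the "
                             "proposed proxy identities; mirror the peer's encryption domain"))
    return findings


if __name__ == "__main__":
    state = parse_debug(SAMPLE_DEBUG)
    for code, msg in diagnose(state, local_acl=[("203.0.113.5/32", "198.51.100.82/32")]):
        print(f"{code}: {msg}")
```

Run it with python3 to see the three findings for the constructed sample; for a real case, pass your own debug text to parse_debug and give diagnose the crypto map's set pfs group and the match address ACL. The ACL comparison accepts only an exact mirror of the proposed proxy identities, which is the safe assumption when the debug says "proxy identities not supported".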

Hi,

Thanks for your reply, I will check the PFS option on the Checkpoint and disable the same.

Regarding the proxy identity, we want to do a host to host tunnel only, and on the Cisco side we configured only the one host of the remote Checkpoint side machine. We are not using any NAT. Can you suggest anything more on this?

You can create the tunnel from one local host to one remote host.

In the router, the match address access-list 101 will be like:

access-list 101 permit ip host x.x.x.x host y.y.y.y

On the Checkpoint end, please do the same thing, just from host y.y.y.y to host x.x.x.x.

We are doing the sample config for IOS router to Checkpoint at this moment; it will be up on the CCO shortly.

Hi Paqiu,

We have disabled the PFS on the Checkpoint side and created the tunnel from one local host to one remote host. Now we are able to connect to the FTP server located at the Checkpoint end, but we are unable to make an FTP connection to the FTP server located at the Cisco end. We are using a static NAT on the Checkpoint end. Can you suggest anything?

I believe you need to bypass the static NAT on the Checkpoint end. Even if you are using a Cisco box, you need to bypass the static NAT for the VPN traffic as well.

Otherwise, the VPN traffic goes in but the return traffic will be NATed and go out to the internet.

You mean to remove the static NAT on the Checkpoint side, give the public IP to that machine, put it in the DMZ zone and try it out? Or

Can we add an entry on the Cisco side for the Check Point side internal IP to allow it for encryption?

Waiting for your reply.

Hi Paqiu,

Thanks for your inputs; now the VPN tunnel is up and running with static NAT on the Checkpoint side.

In Cisco PIX, there is a command nat (inside) 0 access-list 101 to bypass the NAT translation for VPN traffic.

See following example:

http://www.cisco.com/warp/customer/110/39.html

Hopefully Checkpoint has the same function as our PIX as well.