New Member

VPN between Cisco and Checkpoint NG

Hi all

I'm using a VPN between a Cisco router and Checkpoint NG. I'm on the Cisco side and there is another person who works with the Checkpoint. Right now I'm doing the Cisco side configuration, as below:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ALLO-MAROC-INTERNET
!
enable secret xxxxxx
!
username ADMIN password xxxxxx
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key xxxx address 194.204.xxx.xx
!
!
crypto ipsec transform-set AlloSet esp-3des esp-md5-hmac
!
crypto map AlloMap 1 ipsec-isakmp
 set peer 194.204.xxx.xx
 set transform-set AlloSet
 match address 100
!
!
!
!
interface FastEthernet0
 ip address 62.251.xxx.x 255.255.255.240
 speed auto
 no cdp enable
!
interface Serial0
 ip address 62.251.xxx.xx 255.255.255.252
 no fair-queue
 no cdp enable
 crypto map AlloMap
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
no ip http secure-server
!
!
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.11
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.12
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.13
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.11
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.12
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.13
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.11
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.12
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.13
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.11
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.12
access-list 100 permit ip host 62.251.xxx.x host 10.128.66.13
no cdp run
!
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
!
end

I sent him all the parameters he needs to do the configuration on his side, and I don't know if it's all OK or not, but I know that the Checkpoint has a private address on its outside interface and there is a translation on a router between it and the Internet.

So when I try to ping a machine on the Checkpoint side while debugging ISAKMP, I get this log:

*Mar 1 02:08:13.707: ISAKMP: received ke message (1/1)
*Mar 1 02:08:13.707: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 02:08:13.707: ISAKMP: local port 500, remote port 500
*Mar 1 02:08:13.707: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 02:08:13.707: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 81E3FDDC
*Mar 1 02:08:13.707: ISAKMP (0:69): Can not start Aggressive mode, trying Main mode.
*Mar 1 02:08:13.711: ISAKMP: Looking for a matching key for 194.204.xxx.xx in default : success
*Mar 1 02:08:13.711: ISAKMP (0:69): found peer pre-shared key matching 194.204.xxx.xx
*Mar 1 02:08:13.711: ISAKMP (0:69): constructed NAT-T vendor-03 ID
*Mar 1 02:08:13.711: ISAKMP (0:69): constructed NAT-T vendor-02 ID
*Mar 1 02:08:13.711: ISAKMP (0:69): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 02:08:13.711: ISAKMP (0:69): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 02:08:13.711: ISAKMP (0:69): beginning Main Mode exchange
*Mar 1 02:08:13.711: ISAKMP (0:69): sending packet to 194.204.xxx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 02:08:23.711: ISAKMP (0:69): retransmitting phase 1 MM_NO_STATE...
*Mar 1 02:08:23.711: ISAKMP (0:69): incrementing error counter on sa: retransmit phase 1
*Mar 1 02:08:23.711: ISAKMP (0:69): retransmitting phase 1 MM_NO_STATE
*Mar 1 02:08:23.711: ISAKMP (0:69): sending packet to 194.204.xxx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 02:08:33.711: ISAKMP (0:69): retransmitting phase 1 MM_NO_STATE...
*Mar 1 02:08:33.711: ISAKMP (0:69): incrementing error counter on sa: retransmit phase 1
*Mar 1 02:08:33.711: ISAKMP (0:69): retransmitting phase 1 MM_NO_STATE
*Mar 1 02:08:33.711: ISAKMP (0:69): sending packet to 194.204.xxx.xx my_port 500 peer_port 500 (I) MM_NO_STATE

So as you see, the first phase of IKE still loops and I don't know why!

Please give me more help.

regards
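Added example (not from this thread): a small Python helper that parses `debug crypto isakmp` lines like the ones above, counts packets sent, packets received and phase 1 retransmits per SA, and reports whether the peer ever answered. The sample debug text is constructed from the post's output, with a second, successful SA added for contrast; `IKE_P1_COMPLETE` is assumed here to be the state IOS logs when phase 1 finishes.

```python
import re

# Patterns for the IOS "debug crypto isakmp" lines quoted in the post; the
# capture group is the SA number inside "ISAKMP (0:69)".
SENT_RE = re.compile(r"ISAKMP \(\d+:(\d+)\): sending packet to \S+ .*\(I\) (\w+)")
RECV_RE = re.compile(r"ISAKMP \(\d+:(\d+)\): received packet from \S+ .*\(I\) (\w+)")
RETX_RE = re.compile(r"ISAKMP \(\d+:(\d+)\): retransmitting phase 1 (\w+)\.\.\.")
STATE_RE = re.compile(r"ISAKMP \(\d+:(\d+)\): Old State = \w+ New State = (\w+)")

def parse_isakmp_debug(text):
    """Per-SA counters: packets sent/received, phase 1 retransmits, state list."""
    sas = {}
    def sa(num):
        return sas.setdefault(num, {"sent": 0, "received": 0, "retransmits": 0, "states": []})
    for line in text.splitlines():
        if m := SENT_RE.search(line):
            sa(m.group(1))["sent"] += 1
        elif m := RECV_RE.search(line):
            sa(m.group(1))["received"] += 1
        elif m := RETX_RE.search(line):
            sa(m.group(1))["retransmits"] += 1
        elif m := STATE_RE.search(line):
            sa(m.group(1))["states"].append(m.group(2))
    return sas

def diagnose(st):
    """Classify phase 1 for one SA from its counters."""
    if "IKE_P1_COMPLETE" in st["states"]:
        return "PHASE1_COMPLETE"
    if st["received"] == 0 and st["retransmits"] > 0:
        # MM1 left the router and nothing ever came back: UDP/500 is not reaching
        # the peer, or the peer does not recognise this address (NAT in front of it).
        return "NO_REPLY_FROM_PEER"
    return "STALLED_AT_" + (st["states"][-1] if st["states"] else "UNKNOWN")

def report(text):
    return {num: diagnose(st) for num, st in parse_isakmp_debug(text).items()}

# Constructed sample: SA 69 follows the post's output; SA 70 is an added,
# successful negotiation for contrast (peer address masked as in the post).
SAMPLE = """\
*Mar 1 02:08:13.711: ISAKMP (0:69): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 02:08:13.711: ISAKMP (0:69): sending packet to 194.204.xxx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 02:08:23.711: ISAKMP (0:69): retransmitting phase 1 MM_NO_STATE...
*Mar 1 02:08:23.711: ISAKMP (0:69): sending packet to 194.204.xxx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 02:08:33.711: ISAKMP (0:69): retransmitting phase 1 MM_NO_STATE...
*Mar 1 02:09:01.003: ISAKMP (0:70): sending packet to 194.204.xxx.xx my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 02:09:01.051: ISAKMP (0:70): received packet from 194.204.xxx.xx dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 02:09:01.300: ISAKMP (0:70): Old State = IKE_I_MM5 New State = IKE_P1_COMPLETE
"""
```

`report(SAMPLE)` returns `{'69': 'NO_REPLY_FROM_PEER', '70': 'PHASE1_COMPLETE'}`; a verdict of no reply points at reachability or the peer's configured gateway address rather than at proposal mismatch, which would show up as received packets.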

4 REPLIES
Bronze

Re: VPN between Cisco and Checkpoint NG

Take a look at the following URL as it shows the configuration steps for router to Checkpoint NG. http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b4b40.shtml

New Member

Re: VPN between Cisco and Checkpoint NG

I know this document and my configuration is correct, but there is something that I don't know on the Checkpoint side; I think there are some access-lists and the guy doesn't remember them.

Please, if you can, help me with the debug output messages, because the Cisco configuration side is OK.

regards

New Member

Re: VPN between Cisco and Checkpoint NG

The Access-List on your Side and the Encryption Domain on the CP-side have to be identical.

Ask the CP Admin what the Encryption Domain on the CP Side looks like.

It must match exactly.

What you can do, is to change your ACL to:

access-list 100 permit ip host 62.251.x.x 10.128.66.0 0.0.0.255

On the CP side: is your gateway associated with the corresponding VPN definition? Can you check this?
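Added example, not from the thread: a Python check of the point made above, that the Cisco crypto ACL must be the mirror image of the Checkpoint encryption domain. It parses `access-list N permit ip ...` entries into (local, remote) proxy-ID pairs and compares them with the CP domain as the CP admin would report it; the address 203.0.113.2 is a placeholder for the masked 62.251.x.x host.

```python
import ipaddress
import re

# "access-list N permit ip <src> <dst>" as written in the post; each operand is
# either "host A" or "A WILDCARD" (the "any" keyword is not handled here).
ACE_RE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+"
                    r"(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)")

def _operand_to_net(operand):
    parts = operand.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, wildcard = parts      # an IOS wildcard is what ipaddress calls a hostmask
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse_crypto_acl(config_text, acl_number):
    """Return the set of (local, remote) proxy-ID pairs of one crypto ACL."""
    pairs = set()
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == str(acl_number):
            pairs.add((_operand_to_net(m.group(2)), _operand_to_net(m.group(3))))
    return pairs

def mirror_mismatch(cisco_pairs, cp_pairs):
    """cp_pairs are (cp_local, cp_remote) networks from the Checkpoint encryption
    domain; the Cisco ACL must hold exactly their mirror image (remote, local).
    Returns (entries only on the Cisco side, pairs only on the CP side)."""
    expected = {(remote, local) for local, remote in cp_pairs}
    def fmt(pairs):
        return sorted(f"{a} -> {b}" for a, b in pairs)
    return fmt(cisco_pairs - expected), fmt(expected - cisco_pairs)

# Constructed sample: three of the post's host-to-host entries and the
# subnet-wide entry suggested in the reply; 203.0.113.2 is a placeholder.
ORIGINAL_ACL = """
access-list 100 permit ip host 203.0.113.2 host 10.128.66.11
access-list 100 permit ip host 203.0.113.2 host 10.128.66.12
access-list 100 permit ip host 203.0.113.2 host 10.128.66.13
"""
SUGGESTED_ACL = "access-list 100 permit ip host 203.0.113.2 10.128.66.0 0.0.0.255"
# Encryption domain as the CP admin might report it: the whole LAN behind the
# Checkpoint, with the single Cisco host as the remote side.
CP_DOMAIN = {(ipaddress.ip_network("10.128.66.0/24"),
              ipaddress.ip_network("203.0.113.2/32"))}
```

With the subnet-wide domain on the CP side, the original host entries come back as three extra Cisco entries plus one missing subnet pair, while the suggested single entry matches exactly.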

New Member

Re: VPN between Cisco and Checkpoint NG

Hi ailmer

For the access-list, they are the same, because the CP side allows just one host for testing (I allow four hosts).

But I don't know what you want to explain with the encryption domain on the Checkpoint!!

If you have any documents about this, please send them to me: selmrabet@cbi.ma

Regards
