New Member

VPN between router and checkpoint fw

Hi,

I'm having trouble establishing a VPN tunnel from a Cisco 1720 router running IOS 12.5(4) to a Checkpoint firewall NG. I'm pasting the debug output along with this mail. The debug messages show problems in quick mode. Can anyone help me out?

crypto isakmp policy 5
 hash md5
 lifetime 86400
 encryption des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 encryption des
 authentication pre-share
 lifetime 3600
crypto isakmp key xxxx address 81.144.129.210
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set transform1 esp-des esp-md5-hmac
!
crypto dynamic-map laingmap 10
 set transform-set transform1
 match address 115
!
!
crypto map stlaingmap local-address Dialer1
crypto map stlaingmap 5 ipsec-isakmp
 set peer 81.144.129.210
 set transform-set transform1
 match address 110
crypto map stlaingmap 10 ipsec-isakmp dynamic laingmap
!
!
!
!
interface BRI0
 description connected to Internet
 bandwidth 68000
 no ip address
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer rotary-group 1
 isdn switch-type basic-net3
 no cdp enable
 crypto map stlaingmap

w3d: ISAKMP (0:1): beginning Main Mode exchange
w3d: ISAKMP (0:1): sending packet to 81.144.129.210 (I) MM_NO_STATE
w3d: ISAKMP (0:1): received packet from 81.144.129.210 (I) MM_NO_STATE
w3d: ISAKMP (0:1): processing SA payload. message ID = 0
w3d: ISAKMP (0:1): found peer pre-shared key matching 81.144.129.210
w3d: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 5 policy
w3d: ISAKMP: encryption DES-CBC
w3d: ISAKMP: hash MD5
w3d: ISAKMP: default group 2
w3d: ISAKMP: auth pre-share
w3d: ISAKMP (0:1): atts are acceptable. Next payload is 0.
w3d: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
w3d: ISAKMP (0:1): sending packet to 81.144.129.210 (I) MM_SA_SETUP
w3d: ISAKMP (0:1): received packet from 81.144.129.210 (I) MM_SA_SETUP
w3d: ISAKMP (0:1): processing KE payload. message ID = 0
w3d: ISAKMP (0:1): processing NONCE payload. message ID = 0
w3d: ISAKMP (0:1): found peer pre-shared key matching 81.144.129.210
w3d: ISAKMP (0:1): SKEYID state generated
w3d: ISAKMP (1): ID payload
        next-payload : 8
        type : 1
        protocol : 17
        port : 500
        length : 8
w3d: ISAKMP (1): Total payload length: 12
w3d: ISAKMP (0:1): sending packet to 81.144.129.210 (I) MM_KEY_EXCH
w3d: ISAKMP (0:1): received packet from 81.144.129.210 (I) MM_KEY_EXCH
w3d: ISAKMP (0:1): processing ID payload. message ID = 0
w3d: ISAKMP (0:1): processing HASH payload. message ID = 0
w3d: ISAKMP (0:1): SA has been authenticated with 81.144.129.210
w3d: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 794030509
w3d: ISAKMP (0:1): sending packet to 81.144.129.210 (I) QM_IDLE
w3d: ISAKMP (0:1): received packet from 81.144.129.210 (I) QM_IDLE
w3d: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
w3d: ISAKMP (0:1): retransmitting due to retransmit phase 1
w3d: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
w3d: ISAKMP (0:1): received packet from 81.144.129.210 (I) QM_IDLE
w3d: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
w3d: ISAKMP (0:1): retransmitting due to retransmit phase 1
w3d: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
w3d: ISAKMP (0:1): retransmitting phase 1 QM_IDLE ...
w3d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
w3d: ISAKMP (0:1): no outgoing phase 1 packet to retransmit. QM_IDLE
w3d: ISAKMP (0:0): received packet from 81.144.129.210 (N) NEW SA
w3d: %CRYPTO-4-IKMP_NO_SA: IKE message from 81.144.129.210 has no SA and is not an initialization offer...
Success rate is 0 percent (0/5)
ainc-0014#
w3d: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 794030509 ...
w3d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
w3d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
w3d: ISAKMP (0:1): retransmitting phase 2 794030509 QM_IDLE
w3d: ISAKMP (0:1): sending packet to 81.144.129.210 (I) QM_IDLE
w3d: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 794030509 ...
w3d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
w3d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 2
w3d: ISAKMP (0:1): retransmitting phase 2 794030509 QM_IDLE
w3d: ISAKMP (0:1): sending packet to 81.144.129.210 (I) QM_IDLE

1 REPLY
Bronze

Re: VPN between router and checkpoint fw

Hi,

Checkpoint side is retransmitting IKE phase 1 packets, and IOS is complaining that it has already replied to it.

Double-check your config:

http://www.cisco.com/warp/public/707/ipsec-checkpt.html

Thx

Afaq
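
An added example, not part of the original thread: a small Python triage of `debug crypto isakmp` text like the output posted in the question, reporting whether Main Mode authenticated and whether the Quick Mode request was answered. The sample lines are constructed in the shape of the posted log, and the `Creating IPSec SAs` success marker is an assumption that does not appear on this page.

```python
import re

# Constructed sample, in the shape of the debug lines posted in the question.
SAMPLE = """\
w3d: ISAKMP (0:1): beginning Main Mode exchange
w3d: ISAKMP (0:1): sending packet to 81.144.129.210 (I) MM_NO_STATE
w3d: ISAKMP (0:1): SA has been authenticated with 81.144.129.210
w3d: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 794030509
w3d: ISAKMP (0:1): sending packet to 81.144.129.210 (I) QM_IDLE
w3d: ISAKMP (0:1): received packet from 81.144.129.210 (I) QM_IDLE
w3d: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
w3d: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 794030509 ...
w3d: ISAKMP (0:1): retransmitting phase 2 QM_IDLE 794030509 ...
"""

# State printed at the end of "sending/received packet" lines.
STATE_RE = re.compile(r"\([IRN]\) (MM_NO_STATE|MM_SA_SETUP|MM_KEY_EXCH|QM_IDLE|NEW SA)")

def triage(debug_text):
    """Summarise where an IKEv1 negotiation stalled, from ISAKMP debug text."""
    s = {"phase1_authenticated": False, "quick_mode_started": False,
         "quick_mode_done": False, "peer_phase1_duplicates": 0,
         "local_phase2_retransmits": 0, "last_state": None}
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            s["last_state"] = m.group(1)
        if "SA has been authenticated" in line:
            s["phase1_authenticated"] = True
        elif "beginning Quick Mode exchange" in line:
            s["quick_mode_started"] = True
        elif "phase 1 packet is a duplicate" in line:
            s["peer_phase1_duplicates"] += 1
        elif "retransmitting phase 2 QM_IDLE" in line:
            s["local_phase2_retransmits"] += 1
        elif "Creating IPSec SAs" in line:  # assumed success marker, not in the posted log
            s["quick_mode_done"] = True
    if not s["phase1_authenticated"]:
        s["verdict"] = "phase 1 (Main Mode) did not complete"
    elif s["quick_mode_done"]:
        s["verdict"] = "phase 2 (Quick Mode) completed"
    elif s["quick_mode_started"] and s["local_phase2_retransmits"]:
        s["verdict"] = "phase 1 completed; Quick Mode request unanswered"
        if s["peer_phase1_duplicates"]:
            s["verdict"] += "; peer keeps resending phase 1 packets"
    else:
        s["verdict"] = "inconclusive"
    return s

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```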
