Cisco Support Community
New Member

VPN Concentrator 3005 IPSec L2L with Checkpoint 4.X

It seems that I can establish a session with the CP; however, the CP network cannot access the Concentrator network. The Concentrator network has no issues accessing the CP network. I'm fairly sure the issue is encryption domain related... I have read the support document on the subject and followed all suggestions to no avail. Please help! Here's my log output:

1795 11/26/2002 14:08:14.140 SEV=3 IKE/134 RPT=31 206.xxx.xxx.xxx
Group [206.xxx.xxx.xxx]
Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal.
Verify local and remote LAN-to-LAN connection lists.

1798 11/26/2002 14:08:14.140 SEV=4 IKE/119 RPT=42 206.xxx.xxx.xxx
Group [206.xxx.xxx.xxx]
PHASE 1 COMPLETED

1799 11/26/2002 14:08:14.140 SEV=4 AUTH/22 RPT=37
User 206.xxx.xxx.xxx connected

1800 11/26/2002 14:08:14.320 SEV=5 IKE/25 RPT=22 206.xxx.xxx.xxx
Group [206.xxx.xxx.xxx]
Received remote Proxy Host data in ID Payload:
Address 206.xxx.xxx.xxx, Protocol 0, Port 0

1803 11/26/2002 14:08:14.320 SEV=5 IKE/34 RPT=135 206.xxx.xxx.xxx
Group [206.xxx.xxx.xxx]
Received local IP Proxy Subnet data in ID Payload:
Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0

1806 11/26/2002 14:08:14.320 SEV=4 IKE/61 RPT=150 206.xxx.xxx.xxx
Group [206.xxx.xxx.xxx]
Tunnel rejected: Policy not found for Src:206.xxx.xxx.xxx, Dst: 192.168.1.0!

1808 11/26/2002 14:08:14.320 SEV=4 IKEDBG/0 RPT=317
QM FSM error (P2 struct &0x1c355d4, mess id 0x748b1550)!

1809 11/26/2002 14:08:14.320 SEV=4 IKEDBG/0 RPT=318
QM FSM history (P2 struct &0x1c355d4):
[13, 52], [3, 32], [3, 44], [3, 31]

1810 11/26/2002 14:08:14.320 SEV=4 AUTH/23 RPT=34 206.xxx.xxx.xxx
User 206.xxx.xxx.xxx disconnected: duration: 0:00:00

2 REPLIES
Cisco Employee

Re: VPN Concentrator 3005 IPSec L2L with Checkpoint 4.X

Your Local and Remote networks to be encrypted don't match on the CP and the 3000. You can see the messages here:

1795 11/26/2002 14:08:14.140 SEV=3 IKE/134 RPT=31 206.xxx.xxx.xxx
Group [206.xxx.xxx.xxx]
Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal.
Verify local and remote LAN-to-LAN connection lists.

1806 11/26/2002 14:08:14.320 SEV=4 IKE/61 RPT=150 206.xxx.xxx.xxx
Group [206.xxx.xxx.xxx]
Tunnel rejected: Policy not found for Src:206.xxx.xxx.xxx, Dst: 192.168.1.0!

In fact, going by message 1806 it looks like the CP is not sending its internal network but is sending its outside IP address as the address to be encrypted. Within the CP make sure you've told it not to NAT the IPSec traffic; that'll probably get you going.

Try this also: http://www.cisco.com/warp/public/471/cp-3000.html
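The diagnosis in the reply above can be checked mechanically: the Concentrator accepts a Quick Mode exchange only when the proxy IDs (Phase 2 traffic selectors) the peer sends fall inside the local and remote networks of a configured LAN-to-LAN entry. The script below is an added example, not code from the original thread or from Cisco. It parses the "Received ... data in ID Payload" lines from a 3005 log and compares them against an assumed LAN-to-LAN entry. The peer address is masked in the post (206.xxx.xxx.xxx), so the RFC 5737 documentation address 203.0.113.1 stands in for it; the remote network 10.10.0.0/16 behind the Checkpoint is an assumption (the thread never gives it); and the second, working log excerpt is constructed to show what the same exchange looks like once the Checkpoint sends its internal network instead of its gateway address.

```python
"""Check a VPN 3000 Concentrator IKE log for a Phase 2 proxy-ID mismatch.

Added example, not code from the original thread. The Concentrator rejects
Quick Mode ("Tunnel rejected: Policy not found") when the proxy IDs the peer
sends are not covered by a configured LAN-to-LAN entry.
"""
import ipaddress
import re

# Excerpt modelled on the failing log in the post. The peer address is masked
# there, so the documentation address 203.0.113.1 is substituted for it.
FAILING_LOG = """\
1800 11/26/2002 14:08:14.320 SEV=5 IKE/25 RPT=22 203.0.113.1
Group [203.0.113.1]
Received remote Proxy Host data in ID Payload:
Address 203.0.113.1, Protocol 0, Port 0
1803 11/26/2002 14:08:14.320 SEV=5 IKE/34 RPT=135 203.0.113.1
Group [203.0.113.1]
Received local IP Proxy Subnet data in ID Payload:
Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0
"""

# Constructed: the same exchange once the Checkpoint stops NATing the IPsec
# traffic and proposes its (assumed) internal network 10.10.0.0/16.
WORKING_LOG = """\
1800 11/26/2002 14:10:02.100 SEV=5 IKE/34 RPT=23 203.0.113.1
Group [203.0.113.1]
Received remote IP Proxy Subnet data in ID Payload:
Address 10.10.0.0, Mask 255.255.0.0, Protocol 0, Port 0
1803 11/26/2002 14:10:02.100 SEV=5 IKE/34 RPT=136 203.0.113.1
Group [203.0.113.1]
Received local IP Proxy Subnet data in ID Payload:
Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0
"""

# Assumed LAN-to-LAN entry on the 3005: local network from the post, remote
# network behind the Checkpoint invented for this example.
CONFIGURED_LOCAL = ipaddress.ip_network("192.168.1.0/24")
CONFIGURED_REMOTE = ipaddress.ip_network("10.10.0.0/16")

HEADER_RE = re.compile(
    r"Received (local|remote) (IP Proxy Subnet|Proxy Host) data in ID Payload:")
HOST_RE = re.compile(r"Address (\S+), Protocol (\d+), Port (\d+)")
SUBNET_RE = re.compile(r"Address (\S+), Mask (\S+), Protocol (\d+), Port (\d+)")
GROUP_RE = re.compile(r"Group \[(\S+)\]")


def parse_proxy_ids(log_text):
    """Return {'local': net, 'remote': net} from the ID payload lines.

    A 'Proxy Host' ID becomes a /32; a 'Proxy Subnet' ID keeps its mask.
    """
    ids = {}
    lines = [line.strip() for line in log_text.splitlines()]
    for i, line in enumerate(lines[:-1]):
        m = HEADER_RE.search(line)
        if not m:
            continue
        side, kind = m.group(1), m.group(2)
        data = lines[i + 1]  # the 'Address ...' line follows the header
        if kind == "Proxy Host":
            h = HOST_RE.match(data)
            ids[side] = ipaddress.ip_network(h.group(1) + "/32")
        else:
            s = SUBNET_RE.match(data)
            ids[side] = ipaddress.ip_network(
                s.group(1) + "/" + s.group(2), strict=False)
    return ids


def check_policy(log_text, local_net, remote_net):
    """Decide whether the LAN-to-LAN entry covers the negotiated selectors.

    Returns (accepted, reason). The NAT diagnosis mirrors the reply above:
    a remote selector equal to the peer's own address means the peer is
    proposing its gateway, not the network behind it.
    """
    ids = parse_proxy_ids(log_text)
    if "local" not in ids or "remote" not in ids:
        return False, "incomplete: need both local and remote ID payloads"
    m = GROUP_RE.search(log_text)
    peer = ipaddress.ip_address(m.group(1)) if m else None
    local_ok = ids["local"].subnet_of(local_net)
    remote_ok = ids["remote"].subnet_of(remote_net)
    if local_ok and remote_ok:
        return True, "selectors %s <-> %s match the LAN-to-LAN entry" % (
            ids["remote"], ids["local"])
    if (not remote_ok and peer is not None
            and ids["remote"] == ipaddress.ip_network(str(peer) + "/32")):
        return False, ("policy not found: peer %s proposed its own gateway "
                       "address as the remote network; it is likely NATing "
                       "traffic before IPsec" % peer)
    return False, "policy not found for Src:%s, Dst:%s" % (
        ids["remote"], ids["local"])


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, check_policy(log, CONFIGURED_LOCAL, CONFIGURED_REMOTE))
```

Run against the failing excerpt it reports the gateway-as-selector condition; run against the constructed working excerpt it accepts the pair. The same comparison is what to do by hand: the "Src" in the "Policy not found" message must be a network (or host) inside the remote network of some LAN-to-LAN entry, and the "Dst" inside that entry's local network.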

New Member

Re: VPN Concentrator 3005 IPSec L2L with Checkpoint 4.X

I'm collaborating on this project with a client's network group... The Cisco is mine, the CP theirs. I thought the issue was related to the network being sent wrong from the CP, but after poring through the config on both sides, it looked like the networks were defined correctly. This sounds like the silver bullet!!! Thanks!! Now to just convince them to examine their NAT config. Thanks again!!
