VPN connection between Check Point and Cisco

evertondiniz
Level 1

I did this config on the Cisco; I'm trying to establish a VPN with a Check Point.

The tunnel is OK, but I don't get the traffic returned. I see that packets arrive on my router, but apparently they are not returning to the source (198.x and 157.x).

Any ideas?

Regards,

Everton

Here is the config:

crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vpn address 198.87.xx.xx
crypto isakmp key vpn address 157.238.xx.xx
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map vpn 2 ipsec-isakmp
 set peer 198.87.49.254
 set peer 157.x.x.130
 set transform-set veraz
 match address 117

sh ip access-lists

Extended IP access list 117
    permit ip host 208.48.xx.xx 198.87.xx.xx 0.0.0.31 (22 matches)
    permit ip host 208.48.xx.xx 157.238.xx.xx 0.0.0.31
    permit gre host 208.48.xx.xx host 198.87.xx.xx
    permit gre host 208.48.xx.xx host 157.238.xx.xx
    permit gre host 208.48.xx.xx host 157.238.xx.xx
    permit gre host 208.48.xx.xx host 198.87.xx.xx
    permit udp host 208.48.xx.xx host 198.87.xx.xx eq isakmp (13 matches)
    permit udp host 208.48.xx.xx host 157.238.xx.xx eq isakmp (13 matches)
    permit udp host 208.48.xx.xx host 157.238.xx.xx eq isakmp (196 matches)
    permit udp host 208.48.xx.xx host 198.87.xx.xx eq isakmp (208 matches)
    permit tcp host 208.48.xx.xx host 198.87.xx.xx eq 500
    permit tcp host 208.48.xx.xx host 157.238.xx.xx eq 500
    permit tcp host 208.48.xx.xx host 157.238.xx.xx eq 500
    permit tcp host 208.48.xx.xx host 198.87.xx.xx eq 500
    permit ip 10.90.0.0 0.0.0.255 host 198.87.xx.xx
    permit ip 10.90.1.0 0.0.0.255 host 198.87.xx.xx
    permit ip 10.90.2.0 0.0.0.31 host 198.87.xx.xx (8 matches)
    permit ip 10.90.2.32 0.0.0.31 host 198.87.xx.xx
    permit ip 10.90.2.64 0.0.0.31 host 198.87.xx.xx
    permit ip 10.90.3.0 0.0.0.31 host 198.87.xx.xx
    permit ip 10.90.3.32 0.0.0.31 host 198.87.xx.xx
    permit ip 10.90.3.64 0.0.0.31 host 198.87.xx.xx
    permit ip 10.90.0.0 0.0.0.255 host 157.238.xx.xx
    permit ip 10.90.1.0 0.0.0.255 host 157.238.xx.xx
    permit ip 10.90.2.0 0.0.0.31 host 157.238.xx.xx
    permit ip 10.90.2.32 0.0.0.31 host 157.238.xx.xx
    permit ip 10.90.2.64 0.0.0.31 host 157.238.xx.xx
    permit ip 10.90.3.0 0.0.0.31 host 157.238.xx.xx
    permit ip 10.90.3.32 0.0.0.31 host 157.238.xx.xx
    permit ip 10.90.3.64 0.0.0.31 host 157.238.xx.xx
    permit ip 10.90.0.0 0.0.0.255 198.87.xx.xx 0.0.0.31
    permit ip 10.90.1.0 0.0.0.255 198.87.xx.xx 0.0.0.31
    permit ip 10.90.2.0 0.0.0.31 198.87.xx.xx 0.0.0.31 (87 matches)
    permit ip 10.90.2.32 0.0.0.31 198.87.xx.xx 0.0.0.31
    permit ip 10.90.2.64 0.0.0.31 198.87.xx.xx 0.0.0.31
    permit ip 10.90.3.0 0.0.0.31 198.87.xx.xx 0.0.0.31
    permit ip 10.90.3.32 0.0.0.31 198.87.xx.xx 0.0.0.31
    permit ip 10.90.0.0 0.0.0.255 157.238.xx.xx 0.0.0.31
    permit ip 10.90.1.0 0.0.0.255 157.238.xx.xx 0.0.0.31
    permit ip 10.90.2.0 0.0.0.31 157.238.xx.xx 0.0.0.31 (27 matches)
    permit ip 10.90.2.32 0.0.0.31 157.238.xx.xx 0.0.0.31
    permit ip 10.90.2.64 0.0.0.31 157.238.xx.xx 0.0.0.31
    permit ip 10.90.3.0 0.0.0.31 157.238.xx.xx 0.0.0.31
    permit ip 10.90.3.0 0.0.0.255 157.238.xx.xx 0.0.0.31

#sh crypto isakmp sa

dst             src             state          conn-id slot
157.238.xx.xx   208.48.xx.xx    MM_NO_STATE    36      0 (deleted)
208.48.xx.xx    157.238.xx.xx   QM_IDLE        2       0
198.87.xx.xx    208.48.xx.xx    MM_KEY_EXCH    37      0
208.48.xx.xx    198.87.xx.xx    QM_IDLE        1       0

8 Replies

MIKE DOUGLAS
Level 1

Try 'show crypto ipsec sa'. That should give you the counters for packets encrypted / decrypted.

No, I don't see anything, only 0 pkts.

But in "sh crypto eng conn ac", I see the pkts:

  ID Interface        IP-Address      State  Algorithm            Encrypt  Decrypt
2001 FastEthernet5/0  208.48.xx.xx    set    HMAC_SHA+3DES_56_C         9        0

In "show crypto isakmp sa" a healthy state is QM_IDLE, indicating that phase 1 has negotiated successfully.

For your two Check Point peers (198.87.x.254 & 157.x.185.130) you do not have this, so you have a phase 1 problem.

Check that the isakmp policy and pre-shared keys match.

"debug cry isa" may help.
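As an added example that is not part of any post in this thread: a small Python parser for the `show crypto isakmp sa` output quoted above. It reports, per peer, whether phase 1 is up and which rows are the attempts that never completed. It assumes the older IOS column layout shown in the post (dst, src, state, conn-id, slot, optional flag in parentheses) and that 208.48.xx.xx is the local router; the sample output is constructed from the post, with its "xx" redaction kept as literal text.

```python
"""Classify IKE phase-1 state per peer from `show crypto isakmp sa` output.

Added example for this thread, not code from any post. It assumes the older
IOS column layout shown above (dst src state conn-id slot [flag]) and that the
local gateway address is 208.48.xx.xx, as in the original post.
"""
import re

# Constructed sample: the output from the original post, with the same "xx"
# redaction kept as literal text so it parses as-is.
SAMPLE = """\
dst             src             state          conn-id slot
157.238.xx.xx   208.48.xx.xx    MM_NO_STATE    36      0 (deleted)
208.48.xx.xx    157.238.xx.xx   QM_IDLE        2       0
198.87.xx.xx    208.48.xx.xx    MM_KEY_EXCH    37      0
208.48.xx.xx    198.87.xx.xx    QM_IDLE        1       0
"""

LOCAL = "208.48.xx.xx"  # assumption: this router's crypto-map interface address

ROW = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<conn>\d+)\s+(?P<slot>\d+)(?:\s+\((?P<flag>\w+)\))?\s*$"
)


def parse_isakmp_sa(text, local=LOCAL):
    """One dict per SA row. The side whose address is in `src` initiated the
    exchange, so the same peer can appear both as dst and as src."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:  # header or blank line
            continue
        d = m.groupdict()
        initiator = "local" if d["src"] == local else "peer"
        peer = d["dst"] if initiator == "local" else d["src"]
        rows.append({
            "peer": peer,
            "state": d["state"],
            "conn_id": int(d["conn"]),
            "initiator": initiator,
            "deleted": d["flag"] == "deleted",
        })
    return rows


def phase1_status(text, local=LOCAL):
    """Per peer: 'up' if any live SA is QM_IDLE, 'negotiating' if only main- or
    aggressive-mode states are live, 'down' if every SA for it is deleted."""
    live_states = {}
    for r in parse_isakmp_sa(text, local):
        states = live_states.setdefault(r["peer"], set())
        if not r["deleted"]:
            states.add(r["state"])
    status = {}
    for peer, states in live_states.items():
        if "QM_IDLE" in states:
            status[peer] = "up"
        elif states:
            status[peer] = "negotiating"
        else:
            status[peer] = "down"
    return status


def incomplete_attempts(text, local=LOCAL):
    """(peer, state, conn-id, initiator) for every SA that never reached
    QM_IDLE, deleted or not: the rows to chase with `debug crypto isakmp`."""
    return [(r["peer"], r["state"], r["conn_id"], r["initiator"])
            for r in parse_isakmp_sa(text, local) if r["state"] != "QM_IDLE"]


if __name__ == "__main__":
    for peer, st in phase1_status(SAMPLE).items():
        print(f"{peer:16} phase1={st}")
    for row in incomplete_attempts(SAMPLE):
        print("incomplete:", row)
```

Rows with the local address in the `src` column are this router's own attempts; in the sample those are the ones that stayed in MM_* (conn-id 36 and 37), while the SAs the remote side initiated reached QM_IDLE. Keeping the two directions apart is what makes the output comparable with what the other side's administrator reports.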

Yes Grant, I talked with the guy from CP and he told me that the tunnel is OK... but we don't see any traffic. On the Cisco I see the encrypt process, and on the CP the guy sees it too, but I can't ping any host on the CP side and the CP side can't ping any host on my side.

I think this is a routing problem or firewall rules. I tried putting a route to the CP side with next hop = IP of the CP, but nothing happened either.

I don't know what else to do.

Thanks all.

Hi .. I am not sure if it was a typo, but your config applies transform-set 'veraz' to the crypto map; however, you are defining transform-set 'vpn' in the config.

crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto map vpn 2 ipsec-isakmp
 set peer 198.87.49.254
 set peer 157.238.185.130
 set transform-set veraz
 match address 117

I hope it helps .. please rate it if it does !!!

Thanks Fernando, but the error is not this. In my config the transform-set is the same.

Thanks again...

csarafoleanu
Level 1

Did you try something like this?

crypto map vpn local-address "your interface"
crypto map vpn 1 ipsec-isakmp
 set peer 198.87.49.254
 set transform-set veraz
 match address X
crypto map vpn 2 ipsec-isakmp
 set peer 157.238.185.130
 set transform-set veraz
 match address Y

But this is the configuration for 2 tunnel connections. Do you only need 1 tunnel between 2 routers? If so, why did you set 2 peers on your Cisco (assuming that this Cisco is one of the tunnel endpoints)? I am not sure I understand exactly what you want... maybe if you attach a .jpg diagram it will be clearer. :)
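As an added example that is not part of any post: a Python script that takes the `show ip access-lists` output from the original post, groups the ACEs by remote peer so the shared match ACL can be split into one ACL per crypto-map entry as suggested above, and lists the entries worth a second look before doing so (exact duplicates, and the GRE and port-500 lines between the gateway addresses themselves). The ACL text is a constructed subset of ACL 117, redacted as in the post; the peer addresses 198.87.49.254 and 157.238.185.130 are the ones quoted in the replies, and mapping a destination to a peer by its first two octets is a shortcut that only works because the post redacts the rest.

```python
"""Split a shared crypto-map match ACL by remote peer and list the entries to
review before doing so.

Added example for this thread, not code from any post. It assumes IOS
`show ip access-lists` formatting, the two peer networks from the original
post (198.87.xx.xx and 157.238.xx.xx, wildcard 0.0.0.31) and the gateway
addresses named in the replies; the ACL text is a constructed subset of the
ACL 117 output, redacted as in the post.
"""
import re
from collections import Counter, defaultdict

ACL_117 = """\
Extended IP access list 117
    permit ip host 208.48.xx.xx 198.87.xx.xx 0.0.0.31 (22 matches)
    permit ip host 208.48.xx.xx 157.238.xx.xx 0.0.0.31
    permit gre host 208.48.xx.xx host 198.87.xx.xx
    permit gre host 208.48.xx.xx host 157.238.xx.xx
    permit gre host 208.48.xx.xx host 157.238.xx.xx
    permit udp host 208.48.xx.xx host 198.87.xx.xx eq isakmp (13 matches)
    permit tcp host 208.48.xx.xx host 198.87.xx.xx eq 500
    permit ip 10.90.2.0 0.0.0.31 host 198.87.xx.xx (8 matches)
    permit ip 10.90.2.0 0.0.0.31 198.87.xx.xx 0.0.0.31 (87 matches)
    permit ip 10.90.2.0 0.0.0.31 157.238.xx.xx 0.0.0.31 (27 matches)
"""

# Destination prefix -> crypto-map peer. Two octets suffice only because the
# post redacts the rest; with real addresses use ipaddress.ip_network instead.
PEERS = {"198.87.": "198.87.49.254", "157.238.": "157.238.185.130"}

MATCHES = re.compile(r"\s*\(\d+ matches\)\s*$")


def _addr(tokens):
    """Consume one address spec: `host A`, `any`, or `A wildcard`."""
    if tokens[0] == "host":
        return {"addr": tokens[1], "wild": "0.0.0.0"}, tokens[2:]
    if tokens[0] == "any":
        return {"addr": "0.0.0.0", "wild": "255.255.255.255"}, tokens[1:]
    return {"addr": tokens[0], "wild": tokens[1]}, tokens[2:]


def parse_aces(text):
    """One dict per permit/deny line; hit counters are stripped first."""
    aces = []
    for raw in text.splitlines():
        line = MATCHES.sub("", raw.strip())
        if not line.startswith(("permit ", "deny ")):
            continue  # ACL name line or blank
        tokens = line.split()
        src, rest = _addr(tokens[2:])
        dst, rest = _addr(rest)
        aces.append({"action": tokens[0], "proto": tokens[1], "src": src,
                     "dst": dst, "port": " ".join(rest), "text": line})
    return aces


def split_by_peer(aces, peers=PEERS):
    """{peer: [ace text, ...]} so each `crypto map vpn N ipsec-isakmp` entry
    gets a match ACL holding only the traffic for its own peer."""
    groups = defaultdict(list)
    for a in aces:
        peer = next((gw for prefix, gw in peers.items()
                     if a["dst"]["addr"].startswith(prefix)), "unassigned")
        groups[peer].append(a["text"])
    return dict(groups)


def review_items(aces):
    """Exact duplicate ACEs, and ACEs naming a single destination host with a
    protocol other than ip: in the post these are the GRE and port-500 lines
    between the gateway addresses, i.e. gateway-to-gateway traffic rather than
    the protected subnets a crypto ACL is meant to describe."""
    counts = Counter(a["text"] for a in aces)
    return {
        "duplicates": [t for t, n in counts.items() if n > 1],
        "gateway_to_gateway": [a["text"] for a in aces
                               if a["proto"] != "ip" and a["dst"]["wild"] == "0.0.0.0"],
    }


if __name__ == "__main__":
    aces = parse_aces(ACL_117)
    for peer, entries in split_by_peer(aces).items():
        print(f"# match ACL for peer {peer}")
        for e in entries:
            print("  ", e)
    print(review_items(aces))
```

The split is purely by destination, which is all a crypto ACL needs for the per-peer layout above; anything that lands in the "unassigned" group is traffic that neither crypto-map entry would ever protect.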

To go back to my earlier posting, if "show cry isakmp sa" does not show QM_IDLE for the CheckPoint peers, then you have a phase 1 problem.

It is easier to debug on a Cisco than a CheckPoint so I would trust what you see and not what you are told.
