Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
282
Views
0
Helpful
1
Replies

Cisco 867 Sec site to site VPN to checkpoint

davidfield
Level 3
Level 3

‎09-26-2014 09:51 AM

Hello All,

 

Can anyone point me at what I'm doing wrong. Am I making this more complex than I should? VPn's aren't my strong point

 

I have been provided the following from a 3rd party for the remote site

IP, Key, DiffHell - Group2,

phase 1      3Des, Sha1

phase 2      3Des, Sha1

 

My 867 config is as follows and cant get the tunnel up.

I need to route a class C up the VPN 

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key VPNTUNNELKEY address x.x.x.x
!
crypto isakmp client configuration group VPN_GROUP
 key aaaaaaaaaa
 dns 8.8.8.8
 domain T.local
 pool VPN_POOL
 acl 101
 split-dns T.local
 netmask 255.255.255.0
crypto isakmp profile ike-profile-1
   match identity group VPN_GROUP
   client authentication list vpn_xuth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ike-profile-1

interface Virtual-Template2 type tunnel
 ip unnumbered Dialer0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Profile1

 


interface Dialer0
 ip ddns update hostname horshamrtb.dyndns-remote.com
 ip ddns update dyndns host members.dyndns.org
 ip address Y.Y.Y.Y 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect CCP_LOW out
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname 12344
 ppp chap password abcde
 no cdp enable

 

R2_DSL#sh int vi
*Sep 26 16:42:38.399: %SYS-5-CONFIG_I: Configured from console by 
HorshamR2_DSL#sh int virtual-tem
HorshamR2_DSL#sh int virtual-template 2
Virtual-Template2 is up, line protocol is down
  Hardware is Virtual Template interface
  Interface is unnumbered. Using address of Dialer0 (217.40.162.193)
  MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source Y.Y.Y.Y (Dialer0)
   Tunnel Subblocks:
      src-track:
         Virtual-Template2 source tracking subblock associated with Dialer0
          Set of tunnels with source Dialer0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "Profile1")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:08:18
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

 

Thanks in advance

Dave

 

 

Labels:
0 Helpful
1 Reply 1

davidfield
Level 3
Level 3

‎09-28-2014 01:09 AM

Anyone with a few pointers?

0 Helpful
Customers Also Viewed These Support Documents