I'm hoping someone can help me. I'm currently having issues trying to establish an outbound L2L VPN from a Cisco 3000 VPN Concentrator out to a 3rd Party who are using Checkpoint R65 using pre-shared keys.
The outbound connections leave the VPN concentrator, are routed via a CSS 11000 where the real external IP address of the VPN is NAT'd to a public internet address, then on via an external Internet facing Checkpoint running R70 and out to the internet.
We're seeing Phase 1 & 2 come up but nothing after that, certainly the session doesn't come up at UDP-4500 as expected. The session shows Packets Tx incrementing but no Packets RX.
There are 3 possible issues with this I can see, but unfortunately I have no idea how to resolve them or whether they're red herrings, etc.
1 - Looking on the firewall logs for the outbound traffic I see the initial IKE (UDP-500) packet traverse the firewall with a source of the NAT'd VPN address and a destination of the 3rd Party peer address as expected. Then I see drops on the firewalls from the real IP address of the VPN out to the 3rd Party peer address for esp protocol. The reason for these drops are because for some reason the CSS chooses not to NAT the real src of the VPN and the firewall is set up only for the NAT'd source and 3rd party peer and not the real source. Any ideas why the CSS chooses to NAT the first IKE packet with no issue and then not for the esp packet?
2 - To overcome the issue in point 1, I disabled the NAT on the CSS so that the real IPs were presented to the external firewall and carried out the NATs on there instead. Unfortunately I still experienced the same: successful Phase 1 & 2, no UDP-4500, and only Packets TX, none RX.
3 - Something else...
Software versions of the 3 devices are as follows:
VPN - Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7.2.B Oct 04 2005 02:50:52
CSS - sg0750306s (07.50.3.06s)
Checkpoint - R70 on Nortel ASF
It's worth pointing out that 99% of L2L builds on this device are working fine, but I'm unsure as to what the 3rd Party devices are on these. With this being a 3rd Party connection, I can only vouch for my standard configurations and take the word of the 3rd Party, but any advice or suggestions are more than welcome.
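One way to triage the firewall-log pattern described in point 1, as an added example that is not part of the original post and not a Cisco or Check Point tool: it parses constructed key=value log lines (a made-up format, not real Check Point or CSS output) and reports whether IKE was accepted from the NAT'd address, whether ESP was dropped from the real address, and whether UDP/4500 ever appeared. The diagnosis text states the general reason behind that pattern: ESP (IP protocol 50) carries no port numbers, so a port-based NAT device cannot translate it the way it translates IKE on UDP/500 unless NAT-T wraps it in UDP/4500.

```python
import re

# Constructed sample firewall log lines in a simple key=value form.
# Assumption: a real Check Point or CSS export would need its own parser;
# only the fields used below are modelled. Addresses are documentation
# ranges, not the poster's real ones.
SAMPLE_LOG = """\
action=accept src=203.0.113.10 dst=198.51.100.5 proto=udp sport=500 dport=500
action=accept src=198.51.100.5 dst=203.0.113.10 proto=udp sport=500 dport=500
action=drop src=10.1.1.10 dst=198.51.100.5 proto=esp
action=drop src=10.1.1.10 dst=198.51.100.5 proto=esp
action=drop src=10.1.1.10 dst=198.51.100.5 proto=esp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn each non-empty key=value line into a dict of its fields."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def _match(rec, **want):
    """True when every requested field is present in rec with the given value."""
    return all(rec.get(k) == v for k, v in want.items())


def triage(records, peer, natted_src, real_src):
    """Summarise what the firewall saw for one L2L peer and name the likely cause."""
    # IKE Phase 1 leaving from the translated (public) address, as expected.
    ike_accepted = any(
        _match(r, action="accept", src=natted_src, dst=peer, proto="udp", dport="500")
        for r in records
    )
    # ESP leaving from the real (pre-NAT) address and being dropped.
    esp_dropped_from_real = sum(
        1 for r in records if _match(r, action="drop", src=real_src, dst=peer, proto="esp")
    )
    # NAT-T would show up as UDP/4500 toward the peer.
    nat_t_seen = any(_match(r, dst=peer, proto="udp", dport="4500") for r in records)

    if ike_accepted and esp_dropped_from_real and not nat_t_seen:
        diagnosis = (
            "ESP leaves with the untranslated source and UDP/4500 never appears: "
            "ESP (IP protocol 50) has no port numbers, so a port-based NAT device "
            "cannot translate it the way it translates IKE on UDP/500. Either NAT-T "
            "must be negotiated in Phase 1 (ESP then travels inside UDP/4500, which "
            "NAT handles), or the real address needs a static 1:1 NAT plus a rule "
            "permitting ESP from it."
        )
    elif ike_accepted and nat_t_seen:
        diagnosis = "NAT-T is in use; look beyond NAT (return path, peer policy)."
    elif not ike_accepted:
        diagnosis = "No accepted IKE from the NAT'd source; check Phase 1 reachability first."
    else:
        diagnosis = "No matching pattern; inspect the raw log."

    return {
        "ike_accepted": ike_accepted,
        "esp_dropped_from_real": esp_dropped_from_real,
        "nat_t_seen": nat_t_seen,
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG), peer="198.51.100.5",
                    natted_src="203.0.113.10", real_src="10.1.1.10")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as-is to see the three counters and the diagnosis for the constructed log; point `parse_log` at your own export (after adapting the regex to its field names) to check whether UDP/4500 ever shows up toward the peer, which is the quickest way to tell NAT-T negotiation apart from a NAT rule that simply does not cover ESP.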