10-17-2008 06:44 AM
Configuration Type:
Site-Site VPN between ASA-5510 (version 8) and Checkpoint firewall
I've gotten layer 1 up and running; however, layer 2 is having problems. I've checked over the settings 4 times and it all seems correct. My problem seems to be that it is encrypting traffic but not decrypting.
CFIP-5510ASA-Primary# show crypto ipsec sa
interface: outside
Crypto map tag: vpnmap, seq num: 10, local addr: 67.200.39.10
access-list planet2ndfirewall permit ip 10.0.20.0 255.255.255.0 192.168.30.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
current_peer: 209.62.74.253
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 67.200.39.10, remote crypto endpt.: 209.62.74.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 4BBBF828a
Thanks
10-17-2008 09:27 AM
Check for routing of network 10.0.20.0 on the remote side (209.62.74.253) where the packets are decrypting.
HTH
Saju
Pls rate helpful posts
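To make the symptom in the original post concrete (encaps counting up while decaps stays at zero), here is a small parser for the counter lines of the ASA "show crypto ipsec sa" output. It is an added example, not code from this thread or from Cisco; the function names are my own, and the sample text is the output posted above.

```python
import re

# Constructed sample: the relevant lines from the "show crypto ipsec sa" output in the post.
SAMPLE_OUTPUT = """\
interface: outside
Crypto map tag: vpnmap, seq num: 10, local addr: 67.200.39.10
local ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.30.0/255.255.255.0/0/0)
current_peer: 209.62.74.253
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

SA_HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
COUNTER = re.compile(r"#pkts (\w+): (\d+)")          # encaps, decaps, encrypt, decrypt, ...
IDENT = re.compile(r"\(([^()]+)\)$")                  # the last parenthesised value on an ident line


def parse_ipsec_sa(text):
    """Return one dict per SA with map/seq/peer/idents and the #pkts counters."""
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SA_HEADER.match(line)
        if m:                                          # a new SA block starts here
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("current_peer:"):
            cur["peer"] = line.split(":", 1)[1].strip()
        elif line.startswith(("local ident", "remote ident")):
            cur[line.split()[0] + "_ident"] = IDENT.search(line).group(1)
        for name, value in COUNTER.findall(line):
            cur[name] = int(value)
    return sas


def diagnose(sa):
    """Classify an SA by its encaps/decaps counters; one-way outbound is the symptom in the post."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc == 0 and dec == 0:
        return "idle: no traffic has matched the crypto ACL yet"
    if dec == 0:
        return "one-way outbound: encrypting to %s but nothing comes back; check remote routing for %s" % (
            sa.get("peer"), sa.get("local_ident"))
    if enc == 0:
        return "one-way inbound: peer sends but nothing is encrypted locally; check local routing"
    return "bidirectional: counters increment both ways"
```

Run `diagnose(sa)` on each dict from `parse_ipsec_sa(SAMPLE_OUTPUT)`; for the posted output it reports the one-way outbound case that Saju's reply points at.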
10-17-2008 12:48 PM
This is what you need to do on the Checkpoint side:
1- Check routing.
2- Run "vpn debug ikeoff", "vpn debug trunc", "vpn debug ikeon".
3- fw monitor -e -o pix.cap "accept src==67.200.39.10;"
This will allow you to look at how these two devices negotiate with each other via the ike.elg file from step 2, and to use Wireshark to look at the pix.cap file. You can see why it is not working.
Easy right?
10-17-2008 01:24 PM
I hope so, thank you very much for pointing me in the right direction.