Phase 1 failing between Cisco ASA Version 7.0(4) and Checkpoint NGX R65 Software Version 4.2?

gerard.glynn
Level 1

Hi,

Cannot get VPN to come up at all between a Cisco ASA and Checkpoint. Below are the hardware/software configurations

Checkpoint NGX R65

Model IP560

Software release 4.2 – BUILD106a02

Software version releng 1515 11.18.2209-195037

Configured in a high availability pair

Hardware:   ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz

Cisco Adaptive Security Appliance Software Version 7.0(4)

The Checkpoint firewall rebooted a week ago (power interruption) and since then we cannot get the VPN to come up at all. This VPN was working fine before for a couple of years, but for whatever reason it will not come up at all now since the power outage.

The 3rd party who look after the Checkpoint have been cooperative and we have exchanged settings, but we cannot see why Phase 1 is failing all the time. It never gets past Phase 1.

The settings on the ASA are as follows:


ASA# show runn | begin crypto     
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-CRYPTO_INTERNET 1 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-CRYPTO_INTERNET 1 set reverse-route
crypto map CRYPTO_MAP_INTERNET 1 match address XXX-VPN-XXXX
crypto map CRYPTO_MAP_INTERNET 1 set peer 3.3.3.3
crypto map CRYPTO_MAP_INTERNET 1 set transform-set ESP-3DES-SHA
crypto map CRYPTO_MAP_INTERNET 1 set security-association lifetime seconds 3600
isakmp identity address
isakmp enable Internet
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption aes-256
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 3600
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption 3des
isakmp policy 11 hash sha
isakmp policy 11 group 2
isakmp policy 11 lifetime 28800
isakmp policy 14 authentication pre-share
isakmp policy 14 encryption 3des
isakmp policy 14 hash sha
isakmp policy 14 group 2
isakmp policy 14 lifetime 3600
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal  20

tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold infinite
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 10 retry 10
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
pre-shared-key *


ASA# show crypto isakmp sa detail

   Active SA: 6
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 6

1   IKE Peer: X.X.X.X
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA      
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 12820
2   IKE Peer: X.X.X.X
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA      
    Auth    : preshared       Lifetime: 3600
    Lifetime Remaining: 1120
3   IKE Peer: X.X.X.X
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : aes-256         Hash    : SHA      
    Auth    : preshared       Lifetime: 3600
    Lifetime Remaining: 1362
4   IKE Peer: X.X.X.X
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA      
    Auth    : preshared       Lifetime: 3600
    Lifetime Remaining: 1692
5   IKE Peer: X.X.X.X
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA      
    Auth    : preshared       Lifetime: 3600
    Lifetime Remaining: 1847
6   IKE Peer: 3.3.3.3
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
    Encrypt : aes-256         Hash    : SHA      
    Auth    : preshared       Lifetime: 0

I will attach screenshots of the Checkpoint VPN settings.

2 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

In the configuration, I did not see the crypto map being applied to any interface. Can you please try applying it to the internet-facing interface and see if that helps?

crypto map CRYPTO_MAP_INTERNET interface

Hope this helps.

Regards,

NT

Sorry, forgot to include that line in the output. It's there:

crypto map CRYPTO_MAP_INTERNET interface Internet
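As an added example (not code from this thread or from Cisco), the two checks discussed above can be scripted offline against saved ASA output: whether a crypto map with a configured peer is bound to an interface that has `isakmp enable`, and which IKE SAs are stuck in a `MM_WAIT_MSG*` state with lifetime 0, as the peer 3.3.3.3 entry is. The config and SA excerpts below are constructed in the same shape as the output quoted in the thread; 198.51.100.7 is a placeholder peer.

```python
import re

# Constructed excerpts in the shape of the ASA output quoted in the thread (not real devices).
SAMPLE_CONFIG = """\
crypto map CRYPTO_MAP_INTERNET 1 set peer 3.3.3.3
crypto map CRYPTO_MAP_INTERNET 1 set transform-set ESP-3DES-SHA
crypto map CRYPTO_MAP_INTERNET interface Internet
isakmp enable Internet
"""
SAMPLE_SA = """\
1   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 28800
2   IKE Peer: 3.3.3.3
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 0
"""
WAIT_STATE = re.compile(r"^(MM|AM)_WAIT_MSG\d$")


def parse_isakmp_sas(text):
    """One dict per IKE SA (peer, type, role, state, encrypt, hash, auth, lifetime)."""
    sas = []
    for chunk in re.split(r"^\d+\s+IKE Peer:\s*", text, flags=re.M)[1:]:
        peer, _, body = chunk.partition("\n")
        fields = re.findall(r"(\w+)\s*:\s*(\S+)", body)  # "Key   : value" pairs
        sas.append({"peer": peer.strip(), **{k.lower(): v for k, v in fields}})
    return sas


def stuck_sas(sas):
    """SAs that never finished Phase 1: a *_WAIT_MSG* state and no negotiated lifetime."""
    # MM_WAIT_MSG2 on an initiator means MSG1 was sent and the peer never answered.
    return [sa for sa in sas
            if WAIT_STATE.match(sa.get("state", "")) and sa.get("lifetime") == "0"]


def unapplied_crypto_maps(config):
    """Crypto maps that have a peer but are not bound to an interface with isakmp enabled."""
    peers = set(re.findall(r"^crypto map (\S+) \d+ set peer ", config, re.M))
    applied = dict(re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M))
    isakmp_ifs = set(re.findall(r"^isakmp enable (\S+)", config, re.M))
    problems = {}
    for name in sorted(peers):
        if name not in applied:
            problems[name] = "not applied to any interface"
        elif applied[name] not in isakmp_ifs:
            problems[name] = f"applied to {applied[name]} but isakmp not enabled there"
    return problems
```

Run against real `show run | begin crypto` and `show crypto isakmp sa detail` captures, an empty result from `unapplied_crypto_maps` plus a peer in `stuck_sas` points at the far side (proposal mismatch, filtering, or the peer not answering) rather than at the local crypto map binding.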
