Site to site VPN (Check Point > 2921) fails with "Fail to allocate ip address"

Number-45
Level 1

Hi, I'm trying to configure a VPN between a Check Point firewall (UTM-1, running R75.10) and a 2921 router (15.0(1r)M9).

Here's the relevant config (names and external IP addresses only modified - using 1.1.1.1 for Check Point and 2.2.2.2 for Cisco):

================================================

## vpn phase 2 access list (also used for route map)
access-list 2699 permit ip 192.168.209.16 0.0.0.15 192.168.51.128 0.0.0.127

## nat route map
route-map R1 permit 2699
match ip address 2699

## phase 1 details
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 86400

## psk
crypto isakmp key ............... address 1.1.1.1 no-xauth

## phase 2 transform set
crypto ipsec transform-set AES-256 esp-aes 256 esp-sha-hmac

## phase 2 details
crypto map VPN 2699 ipsec-isakmp
set peer 1.1.1.1
set pfs group2
set transform-set AES-256
set security-association lifetime seconds 3600
match address 2699

## nat definitions
ip nat inside source static 10.231.70.250 192.168.209.17 route-map R1 reversible
ip nat inside source static 10.231.10.1 192.168.209.18 route-map R1 reversible
ip nat inside source static 10.231.10.10 192.168.209.19 route-map R1 reversible

================================================

Phase 1 appears to complete without issue, however at phase two it fails with "Fail to allocate ip address" (full debug attached). Everything I've read suggests that this issue relates to client based VPN, where the Cisco router cannot assign other related attributes to the requesting client (DNS server etc.) but obviously that isn't relevant in this case. Can anyone shed any light on why the router might think it's a client connection and how to stop it?

While I'm troubleshooting this issue currently with a Check Point VPN we've noticed the issue appear on other VPNs (to Cisco 880 routers), and the problem seems to solve itself (which obviously doesn't help in finding the cause of the problem!).

4 Replies

david.tran
Level 4

I've done IPSec between Checkpoint and Cisco IOS many times without any issues; however, in many of my configurations, the IOS is always 12.4(24)T or lower. I've never used IOS 15.x for IPSec site-2-site vpn before so this may be either "new" or a "bug". I would suggest you try the following if it is allowed in IOS 15.x:

crypto isakmp key ............... address 1.1.1.1 no-xauth no-config-mode

Thanks, unfortunately the "no-config-mode" doesn't seem to have survived in the new IOS version.

As you say this isn't something I would usually expect to have issues with. My only slight concern is that I've done something wrong with the NAT, but it seems to be OK (and "show ip nat trans" shows the correct inside local/global mappings).

EDIT: Looks like you might be on the right track with that though, I'll have to find what the equivalent is in IOS 15.

I've fixed some issues with the route map configuration (this is part of a larger project, all others are working), so at least I'm now comfortable with the NAT.

Would definitely appreciate it if someone could shine a light on how to replicate the functionality of no-config-mode in IOS15.

Number-45
Level 1

In case anyone is interested, I found the cause of this problem. The engineer that built the client VPN configuration for this device configured it to initiate ip client configuration as well as respond.

Removed the "crypto map mapname client configuration initiate" line from the config and it works.
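The root cause in this thread is a crypto map that carries both a static site-to-site peer and a client-VPN "client configuration" line, so the router tries to push an address to a peer that never asked for one. The following config audit is an added example (not part of the original thread or the poster's config); it parses IOS-style text and flags crypto maps that mix a static `set peer` with `client configuration address initiate` (assumed to be the full IOS form of the line the poster removed), and also flags a static peer whose pre-shared key lacks `no-xauth`. The sample config is constructed and uses a redacted key placeholder.

```python
import re

# Constructed sample, not the poster's full config. The 'client configuration
# address initiate' line is the one the thread identifies as breaking the
# static site-to-site peer in crypto map VPN.
SAMPLE_CONFIG = """\
crypto isakmp key <redacted> address 1.1.1.1 no-xauth
crypto isakmp client configuration group REMOTE-USERS
 pool VPN-POOL
crypto map VPN client configuration address initiate
crypto map VPN client configuration address respond
crypto map VPN 2699 ipsec-isakmp
 set peer 1.1.1.1
 set pfs group2
 set transform-set AES-256
 match address 2699
"""

CLIENT_CFG = re.compile(r"^crypto map (\S+) client configuration address (initiate|respond)$")
MAP_ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
SET_PEER = re.compile(r"^\s+set peer (\S+)$")
# Optional leading encryption-type digit (e.g. 'key 6 <cipher>') is tolerated.
ISAKMP_KEY = re.compile(r"^crypto isakmp key (?:\d+ )?\S+ address (\S+)(.*)$")


def audit_crypto_maps(config):
    """Return finding strings: crypto maps that mix a static peer with
    'client configuration address initiate', and static peers whose
    pre-shared key is missing 'no-xauth'."""
    client_modes, static_peers, key_opts = {}, {}, {}
    current_map = None  # name of the crypto map entry whose sub-lines we are in
    for line in config.splitlines():
        if m := CLIENT_CFG.match(line):
            client_modes.setdefault(m.group(1), set()).add(m.group(2))
        elif m := MAP_ENTRY.match(line):
            current_map = m.group(1)
            continue  # keep current_map for the indented sub-lines
        elif (m := SET_PEER.match(line)) and current_map:
            static_peers.setdefault(current_map, set()).add(m.group(1))
        elif m := ISAKMP_KEY.match(line):
            key_opts[m.group(1)] = m.group(2)
        if not line.startswith(" "):
            current_map = None  # any new top-level command ends the entry
    findings = []
    for name, peers in static_peers.items():
        if "initiate" in client_modes.get(name, set()):
            findings.append(f"crypto map {name}: 'client configuration address "
                            f"initiate' with static peer(s) {sorted(peers)}")
        for peer in sorted(peers):
            if peer in key_opts and "no-xauth" not in key_opts[peer]:
                findings.append(f"peer {peer}: pre-shared key without no-xauth")
    return findings
```

Run it against `show running-config` output captured to a file; an empty result means no static peer shares a map with the client-address push.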
