I have set up a VPN tunnel using pre-shared keys between my ASA5505 and a Checkpoint firewall (another company).
I can initiate the tunnel from my side, but they cannot open it from their side. We get Phase2 failures.
The other company is saying:
"Your ASA is expecting my CheckPoint to negotiate the phase 2 timeouts in both seconds and kilobytes. Enabling kilobyte timeouts is not something that is currently realistically feasible on my side, so I ask that you disable/turn off kilobyte timeouts on your side"
However, I do not have a kilobyte timeout specified in the security association for the tunnel, only a seconds.
Is there a hidden default setting I have to turn off? If so, how do I do this?
Encryption domain (interesting traffics) fail to match. Checkpoint tends to supper net network together, by design,
Phase 2 parameters such as ESP, PFS and seconds timeouts do not match.
Why don't you put in relevance configuration on the ASA and if possible, ask the checkpoint firewall guy to do the following on the firewall:
- output of "uname -a" and "fw ver"
- is this Nokia, Windows or Secureplatform Checkpoint?
- run the following commands on the firewall: "debug ike off", "debug ike trunc" and send you the ike.elg file. That file can be decoded with the IKEView.exe and it will tell you exactly where things are wrong.
Disable/turn OFF kilobytes timeouts is not the solution.
I have an existing VPN tunnel between Pix 8.0.4 and Checkpoint SPLAT NGx R71.30 running without any issues. I would have tested the code 8.4 for you but unfortunately, Pix does not support anything above 8.0.4
If this is the case, then this must be a "new" feature required in 8.4.
You have a few options here:
#1: ask for a fix from Cisco,
#2: downgrade the code from 8.4 to 8.0.4,
#3: change the checkpoint VPN configuration from "simplified mode" to "traditional mode" method. I've not used "traditional mode" method in years but with traditional mode method, it does give you the ability to set the timeout based on the number of bytes.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...