I've seen this error many times. What you need to do is make sure that the Check Point does NOT supernet the encryption domain on the Check Point side. If that happens, you will ALWAYS get a Quick Mode error, or in Cisco terms, a "proxy ID" error.
Do the following on the Check Point side:

1) Close the SmartDashboard.
2) Use GUI dbedit to edit this parameter: "ike_use_largest_possible_subnet". The default is "true". Change it to "false".
3) Save it before exiting GUI dbedit.
4) Push the policy.
5) Run "vpn tu" and clear out the tunnel.
6) Initiate the traffic again. You should be good to go.

It used to be that in NG Feature Pack 3, you had to modify the user.def file to put in the individual networks behind the Check Point that participate in the VPN process. However, it is NOT needed in NG-AI (I tested it on NG with AI R55W with HFA-02). What happened here is that Check Point is supernetting its encryption domain. Other VPN devices such as Cisco IOS, PIX, and the VPN Concentrator don't like it. If you're not familiar with GUI dbedit, then change the encryption domain on the VPN Concentrator to accept a larger CIDR block to match what it is receiving from Check Point, and it will work too. My personal preference is to modify the "ike_use_largest_possible_subnet" parameter from "true" to "false". Let me know if it is working for you.

cisco4ng
CCNP, CCSE-NG, CCSE-Plus
4 times FAILED CCIE security lab and still trying

LAN Guy <[EMAIL PROTECTED]> wrote:

I'm setting up an IPsec VPN between my NG-AI R54 gateway and a partner's Cisco VPN 3000 Concentrator. Everything looks like it's set up properly (same IKE parameters, shared secret, etc.), but every time I try to ping from my net to the partner net over the tunnel it fails with the same 3 log entries:

-------------
#1
Action: Key Install
Source: [my gateway]
Destination: [partner gateway]
Encryption Scheme: IKE
VPN Peer Gateway: [partner gateway]
IKE Initiator Cookie: 54b2334ee5635973
IKE Responder Cookie: baa23cf0ae5b945d
Encryption Methods: 3DES + MD5, Pre shared secrets
Community: [vpn community for this partner]
Information: IKE: Main Mode completion.
------------
#2
Action: Key Install
Source: [my gateway]
Destination: [partner gateway]
Encryption Scheme: IKE
VPN Peer Gateway: [partner gateway]
IKE Phase2 Message ID: 06094fba
Community: [vpn community for this partner]
Information: IKE: Quick Mode Sent Notification: invalid id information
------------
#3
Action: Key Install
Source: [partner gateway]
Destination: [my gateway]
Encryption Scheme: IKE
VPN Peer Gateway: [partner gateway]
IKE Phase2 Message ID: 31604fab
Community: [vpn community for this partner]
Exchange Received Delete IPSEC-SA from Peer: 0c69e9ed SPIs: 61e6bdf7

Then the traffic fails because there is no valid SA. Has anyone had a similar experience with this type of setup and knows the particulars? All help appreciated.

Frank P.

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to [EMAIL PROTECTED] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [EMAIL PROTECTED]
=================================================
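An added worked example, not code from either poster, showing why the supernetting described in this thread produces the "invalid id information" Quick Mode failure. It models the Phase 2 proxy-ID (IDci/IDcr) check as an exact match against the responder's crypto ACL / network list, which is an assumption standing in for the Cisco behaviour the thread reports; real implementations vary in how strictly they compare. The subnets, the concentrator's ACL, and the aggregation routine that stands in for ike_use_largest_possible_subnet=true are all constructed for the example.

```python
"""Added example (not from the original thread): model of the IKE Phase 2
proxy-ID check that fails when one side supernets its encryption domain.

All networks here are constructed sample values; the real addresses in the
thread are redacted. The exact-match rule is an assumption that stands in
for the Cisco behaviour the thread describes ("doesn't like" supernets).
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network
AclPair = Tuple[str, str]  # (responder's local network, responder's remote network)

INVALID_ID_INFORMATION = 18  # ISAKMP notify type, RFC 2408 section 3.14.1

# Constructed sample topology: two subnets behind the Check Point gateway, one
# behind the VPN 3000, and the concentrator's per-subnet network list.
CP_DOMAIN = ["10.1.1.0/24", "10.1.2.0/24"]
CISCO_DOMAIN = ["192.168.50.0/24"]
CISCO_ACL: List[AclPair] = [("192.168.50.0/24", "10.1.1.0/24"),
                            ("192.168.50.0/24", "10.1.2.0/24")]
# The thread's alternative fix: widen the Cisco side to the CIDR block it receives.
CISCO_ACL_WIDENED: List[AclPair] = [("192.168.50.0/24", "10.1.0.0/22")]


def largest_possible_subnet(networks: Iterable[str]) -> Net:
    """Smallest single CIDR block covering every listed network.

    Stands in for ike_use_largest_possible_subnet=true: the gateway proposes one
    aggregate instead of the individual subnets. (Assumption: Check Point's real
    aggregation may differ in detail; this is the effect the thread describes.)
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    if not nets:
        raise ValueError("empty encryption domain")
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:      # already 0.0.0.0/0, nothing wider exists
            break
        candidate = candidate.supernet(prefixlen_diff=1)
    return candidate


def local_proxy_ids(domain: List[str], use_largest_possible_subnet: bool) -> List[Net]:
    """Phase 2 identities (IDci) the initiator puts forward for its own side."""
    if use_largest_possible_subnet:
        return [largest_possible_subnet(domain)]
    return [ipaddress.ip_network(n) for n in domain]


def responder_check(idci: Net, idcr: Net, acl: List[AclPair]) -> Optional[int]:
    """Exact-match proxy-ID validation on the responder.

    The initiator's (IDci, IDcr) must equal one of the responder's ACL entries
    seen from the other direction: IDcr is the responder's local network and
    IDci its remote network. Returns None on success, else the notify type.
    """
    for local, remote in acl:
        if idcr == ipaddress.ip_network(local) and idci == ipaddress.ip_network(remote):
            return None
    return INVALID_ID_INFORMATION


def quick_mode(cp_domain: List[str], cisco_domain: List[str], cisco_acl: List[AclPair],
               use_largest_possible_subnet: bool) -> List[Tuple[str, str, str]]:
    """Run every proposal the Check Point side would make through the responder.

    Returns (IDci, IDcr, outcome) per proposal so a mismatch is visible.
    """
    outcomes = []
    for idcr in (ipaddress.ip_network(n) for n in cisco_domain):
        for idci in local_proxy_ids(cp_domain, use_largest_possible_subnet):
            notify = responder_check(idci, idcr, cisco_acl)
            if notify is None:
                outcome = "Quick Mode complete, IPsec SA installed"
            else:
                outcome = f"notify {notify} INVALID-ID-INFORMATION, no SA"
            outcomes.append((str(idci), str(idcr), outcome))
    return outcomes


if __name__ == "__main__":
    for label, acl, largest in [("default (supernet on)", CISCO_ACL, True),
                                ("ike_use_largest_possible_subnet=false", CISCO_ACL, False),
                                ("supernet on, Cisco side widened", CISCO_ACL_WIDENED, True)]:
        print(f"--- {label}")
        for idci, idcr, outcome in quick_mode(CP_DOMAIN, CISCO_DOMAIN, acl, largest):
            print(f"{idci:>16} <-> {idcr:<16} {outcome}")
```

With the default setting the initiator offers 10.1.0.0/22 as its local identity, which matches neither 10.1.1.0/24 nor 10.1.2.0/24 on the concentrator, so no IPsec SA is ever installed, which is the state behind log entry #3. Either of the two fixes from the reply above clears it: proposing the individual subnets (the dbedit change) or widening the Cisco network list to the aggregate it is being offered.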
