I am also having the same issue - CP AI -> Cisco 3030 VPN concentrator.  I
was getting the error "invalid ID".  I'm running NG AI, R55.  Not only did I
have to make the change to "ike_use_largest_possible_subnet false", but I
also had to modify the user.def file before it would work.  Connectivity has
been re-established but is flaky.

I am currently getting the following error continuously once connectivity is
broken:  IKE: Informational Exchange Received Delete IKE-SA from Peer.  The
resolution at the time is to have the Cisco side drop the tunnel; eventually
the SA completes and we regain connectivity.

Below is a copy of my user.def file.

#ifndef __user_def__
#define __user_def__

//
// User defined INSPECT code
//
// max_subnet_for_range: for each address range in the encryption domain,
// the largest subnet the gateway may use as its Quick Mode ID
// (/24 for each network, /32 for the single hosts), so the domain is
// not supernetted into one block that the Cisco side will not accept.
//

max_subnet_for_range = {
<172.16.2.0, 172.16.2.255; 255.255.255.0>,
<172.16.2.226, 172.16.2.226; 255.255.255.255>,
<172.16.16.0, 172.16.16.255; 255.255.255.0>,
<172.16.16.226, 172.16.16.226; 255.255.255.255>,
<172.16.6.0, 172.16.6.255; 255.255.255.0>,
<172.16.6.226, 172.16.6.226; 255.255.255.255>,
<172.16.8.0, 172.16.8.255; 255.255.255.0>,
<172.16.8.226, 172.16.8.226; 255.255.255.255>
};

#endif /* __user_def__ */

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of cisco4ng
Sent: Tuesday, March 15, 2005 2:16 PM
To: [email protected]
Subject: Re: [FW-1] NG to Cisco 3000 VPN Problem

I've seen this error many times.  What you need to do is make sure that the
Check Point does NOT supernet the encryption domain on the Check Point side.
If that happens, you will ALWAYS get a Quick Mode error, or in Cisco terms,
a "proxy id" error.

Do the following on the Check Point side:

1) Close SmartDashboard.
2) Use GUIdbedit to edit this parameter: "ike_use_largest_possible_subnet".
The default is "true".  Change it to "false".
3) Save it before exiting GUIdbedit.
4) Push the policy.
5) Run "vpn tu" and clear out the tunnel.
6) Initiate the traffic again.  You should be good to go.

It used to be that in NG Feature Pack 3 you had to modify the user.def file
to put in the individual networks behind the Check Point that participate in
the VPN process.  However, it is NOT needed in NG-AI (I tested it with NG AI
R55W with HFA-02).

What happened here is that the Check Point is supernetting its encryption
domain.  Other VPN devices such as Cisco IOS, PIX, and the VPN Concentrator
don't like it.

If you're not familiar with GUIdbedit, then change the encryption domain on
the VPN concentrator to accept larger CIDR blocks to match what it is
receiving from the Check Point, and it will work too.  My personal preference
is to modify the "ike_use_largest_possible_subnet" parameter from "true" to
"false".

Let me know if it is working for you.

cisco4ng
CCNP, CCSE-NG, CCSE-Plus
4 times FAILED CCIE security lab and still trying
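As an added illustration (this is not code from the thread, from Check Point, or from Cisco), the following Python models the mismatch cisco4ng describes: with the supernetting behaviour on, the initiator collapses its encryption domain into the smallest single prefix covering all of it and offers that as its Quick Mode identity; a peer that only accepts the exact networks it has configured then answers with an "invalid id information" notification, whereas per-network proposals match. It assumes strict exact matching on the responder side, which is how the concentrator behaves according to the thread, and uses the four /24 networks from the user.def above as a constructed encryption domain.

```python
"""Model of the Quick Mode proxy-ID mismatch discussed in the thread.

Constructed example, not vendor code.  It shows what a supernetting
initiator proposes versus a per-network initiator, and how a responder
that only accepts its exact configured networks reacts to each.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network


def largest_possible_subnet(nets: Iterable[Net]) -> Net:
    """Smallest single prefix that covers every network in `nets`.

    This is the identity a supernetting initiator would put in its Quick
    Mode ID payload instead of the individual networks.
    """
    nets = list(nets)
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Walk from the longest prefix down until one block spans lo..hi.
    for prefix in range(32, -1, -1):
        cand = ipaddress.IPv4Network(
            f"{ipaddress.IPv4Address(lo)}/{prefix}", strict=False
        )
        if int(cand.broadcast_address) >= hi:
            return cand
    raise AssertionError("unreachable: a /0 covers everything")


def supernet_of(*cidrs: str) -> str:
    """String convenience wrapper around largest_possible_subnet()."""
    return str(largest_possible_subnet(ipaddress.IPv4Network(c) for c in cidrs))


def proposed_ids(domain: List[Net], use_largest_possible_subnet: bool) -> List[Net]:
    """Local proxy IDs the initiator proposes for its encryption domain.

    True  -> one supernet, the behaviour the thread complains about
    False -> one identity per network, the result of the dbedit change
    """
    if use_largest_possible_subnet:
        return [largest_possible_subnet(domain)]
    return list(domain)


def responder_check(proposed: List[Net],
                    peer_networks: List[Net]) -> Tuple[str, Optional[Net]]:
    """Strict responder-side match (assumed, as the thread describes it):
    every proposed identity must equal one of the peer's configured
    networks.  Returns ("OK", None) or ("INVALID_ID_INFORMATION", bad_id)."""
    configured = set(peer_networks)
    for pid in proposed:
        if pid not in configured:
            return ("INVALID_ID_INFORMATION", pid)
    return ("OK", None)


def negotiate(domain: List[Net], peer_networks: List[Net],
              use_largest_possible_subnet: bool):
    """One Quick Mode attempt: returns (status, proposed IDs, rejected ID)."""
    proposed = proposed_ids(domain, use_largest_possible_subnet)
    status, bad = responder_check(proposed, peer_networks)
    return status, proposed, bad


# Constructed encryption domain: the four /24 networks from the user.def.
CP_DOMAIN = [ipaddress.IPv4Network(n) for n in
             ("172.16.2.0/24", "172.16.6.0/24", "172.16.8.0/24", "172.16.16.0/24")]
# Assumed concentrator configuration: the same four networks, nothing wider.
PEER_NETWORKS = list(CP_DOMAIN)

if __name__ == "__main__":
    for flag in (True, False):
        status, proposed, bad = negotiate(CP_DOMAIN, PEER_NETWORKS, flag)
        print(f"ike_use_largest_possible_subnet={str(flag).lower()}: "
              f"proposed {[str(p) for p in proposed]} -> {status}"
              + (f" (peer rejected {bad})" if bad else ""))
```

Run as a script it prints the supernet case first (the four /24s collapse to 172.16.0.0/19, which the peer rejects) and then the per-network case, which succeeds. Note that two adjacent networks such as 172.16.2.0/24 and 172.16.3.0/24 collapse to a /23 under the same logic, so a domain made of neighbouring subnets hits the problem just as readily as a widely spread one.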



LAN Guy <[EMAIL PROTECTED]> wrote:
I'm setting up an IPSEC VPN between my NG-AI R54 gateway and a partner's
Cisco VPN 3000 Concentrator. Everything looks like it's set up properly
(same IKE parameters, shared secret, etc.), but every time I try to ping from
my net to the partner net over the tunnel it fails with the same 3 log
entries:

-------------
#1

Action: Key Install
Source: [my gateway]
Destination: [partner gateway]
Encryption Scheme: IKE
VPN Peer Gateway: [partner gateway]
IKE Initiator Cookie: 54b2334ee5635973
IKE Responder Cookie: baa23cf0ae5b945d
Encryption Methods: 3DES + MD5, Pre shared secrets
Community: [vpn community for this partner]
Information: IKE: Main Mode completion.

------------
#2

Action: Key Install
Source: [my gateway]
Destination: [partner gateway]
Encryption Scheme: IKE
VPN Peer Gateway: [partner gateway]
IKE Phase2 Message ID: 06094fba
Community: [vpn community for this partner]
Information: IKE: Quick Mode Sent Notification: invalid id information

------------
#3

Action: Key Install
Source: [partner gateway]
Destination: [my gateway]
Encryption Scheme: IKE
VPN Peer Gateway: [partner gateway]
IKE Phase2 Message ID: 31604fab
Community: [vpn community for this partner]
Exchange Received Delete IPSEC-SA from Peer: 0c69e9ed
SPIs: 61e6bdf7

Then the traffic fails because there is no valid SA.

Has anyone had a similar experience with this type of setup and knows the
particulars?
All help appreciated.

Frank P.


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================