Thanks for the advice.  Weird part is (as I just discovered), the partner
site on the Cisco 3000 side has no problem tunneling through to my network
but I can't get to his.  Same issue?


Frank

From: cisco4ng <[EMAIL PROTECTED]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] NG to Cisco 3000 VPN Problem
Date: Tue, 15 Mar 2005 11:16:08 -0800

I've seen this error many times.  What you need to do is make sure that the
Checkpoint does NOT supernet the encryption domain on the Checkpoint side.  If that
happens, you will ALWAYS get a Quick Mode error, or in Cisco's words, a "proxy id" error.

Do the following on the Checkpoint side:

1) Close the smartdashboard.
2) Use gui dbedit to edit this parameter:
"ike_use_largest_possible_subnet".  The default
is "true".  Change it to "false".
3) Save it before exiting gui dbedit.
4) Push the policy.
5) Run "vpn tu" and clear out the tunnel.
6) Initiate the traffic again.  You should be good to go.

It used to be that in NG Feature Pack 3, you had to modify the user.def
file to put in the individual networks behind the Checkpoint that participate in the VPN
process.  However, it is NOT needed in NG-AI (I tested it on NG with AI R55W with hfa-02).

What happened here is that Checkpoint is supernetting its encryption
domain.  Other VPN devices such as Cisco IOS, PIX, and the VPN Concentrator don't like it.

If you're not familiar with gui dbedit, then change the encryption domain
on the VPN Concentrator to accept larger CIDR blocks matching what it is
receiving from Checkpoint, and it will work too.  My personal preference is to modify the
"ike_use_largest_possible_subnet" parameter from "true" to "false".

Let me know if it is working for you.

cisco4ng
CCNP, CCSE-NG, CCSE-Plus
4 times FAILED CCIE security lab and still trying



LAN Guy <[EMAIL PROTECTED]> wrote:
I'm setting up an IPSEC VPN between my NG-AI R54 gateway and a partner's
Cisco VPN 3000 Concentrator. Everything looks like it's set up properly
(same IKE parameters, shared secret, etc.), but every time I try to ping from
my net to the partner net over the tunnel it fails with the same 3 log
entries:

-------------
#1

Action: Key Install
Source: [my gateway]
Destination: [partner gateway]
Encryption Scheme: IKE
VPN Peer Gateway: [partner gateway]
IKE Initiator Cookie: 54b2334ee5635973
IKE Responder Cookie: baa23cf0ae5b945d
Encryption Methods: 3DES + MD5, Pre shared secrets
Community: [vpn community for this partner]
Information: IKE: Main Mode completion.

------------
#2

Action: Key Install
Source: [my gateway]
Destination: [partner gateway]
Encryption Scheme: IKE
VPN Peer Gateway: [partner gateway]
IKE Phase2 Message ID: 06094fba
Community: [vpn community for this partner]
Information: IKE: Quick Mode Sent Notification: invalid
id information

------------
#3

Action: Key Install
Source: [partner gateway]
Destination: [my gateway]
Encryption Scheme: IKE
VPN Peer Gateway: [partner gateway]
IKE Phase2 Message ID: 31604fab
Community: [vpn community for this partner]
Exchange Received Delete IPSEC-SA from Peer: 0c69e9ed
SPIs: 61e6bdf7

Then the traffic fails because there is no valid SA.

Has anyone had a similar experience with this type of setup and knows the
particulars?
All help appreciated.

Frank P.
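The proxy-ID mismatch cisco4ng describes, modelled as an added example (not code from the thread, Check Point or Cisco): a small Python model of the Phase 2 proxy-ID step, with the "largest possible subnet" behaviour, the sample encryption domain and the Cisco network list all constructed as assumptions for illustration. Main Mode (log entry #1) succeeds either way; it is the Quick Mode identity that the peer rejects (log entry #2) when the Check Point side supernets its domain.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample topology (not from the thread): the Check Point gateway
# protects two /24s; the Cisco 3000 network list for this tunnel names the
# same two /24s individually, so it accepts only an exact proxy-ID match.
CHECKPOINT_DOMAIN = ["10.1.2.0/24", "10.1.3.0/24"]
CISCO_REMOTE_NETS = {"10.1.2.0/24", "10.1.3.0/24"}
INVALID_ID = "Quick Mode Sent Notification: invalid id information"
SA_OK = "Quick Mode completion: IPSEC-SA established"


def largest_possible_subnet(nets: Iterable[str]) -> str:
    """Model of ike_use_largest_possible_subnet=true (an assumption about the
    behaviour cisco4ng describes): the smallest single prefix that covers the
    whole local encryption domain, e.g. 10.1.2.0/24 + 10.1.3.0/24 -> 10.1.2.0/23."""
    objs = [ipaddress.ip_network(n) for n in nets]
    lo = min(n.network_address for n in objs)
    hi = max(n.broadcast_address for n in objs)
    for plen in range(32, -1, -1):  # longest prefix first
        cand = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if hi in cand:
            return str(cand)
    return "0.0.0.0/0"


def local_proxy_id(domain: List[str], src_ip: str, supernet: bool) -> str:
    """Proxy ID (Phase 2 identity) the Check Point side proposes for a flow
    from src_ip: the supernet when the parameter is true, otherwise the
    individual encryption-domain network that contains the source."""
    if supernet:
        return largest_possible_subnet(domain)
    src = ipaddress.ip_address(src_ip)
    for n in domain:
        if src in ipaddress.ip_network(n):
            return n
    raise ValueError(f"{src_ip} is not inside the encryption domain")


def quick_mode(proxy_id: str, peer_remote_nets: set) -> str:
    """Peer-side check: the Cisco peer compares the proposed proxy ID against
    its network list and rejects a mismatch with the notify in log entry #2."""
    return SA_OK if proxy_id in peer_remote_nets else INVALID_ID


def negotiate(src_ip: str, supernet: bool) -> str:
    """Phase 2 proxy-ID step for a flow from src_ip toward the partner."""
    return quick_mode(local_proxy_id(CHECKPOINT_DOMAIN, src_ip, supernet),
                      CISCO_REMOTE_NETS)
```

Widening the Cisco-side network list to the supernet (the alternative fix in the thread) is the same check with `{"10.1.2.0/23"}` as the peer's list.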


=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================




