Thanks. I'll give it a try.
BTW, the pix side is a telco.
Cezar
cisco4ng wrote:
Supernetting is not an issue in this case because both sides are using a /24
network, so I don't think this is the problem.
You didn't say what version of 7.x is running on the Pix: 7.0, 7.1, 7.2(1) or 7.2(2)?
Do you also have remote access vpn configured on the Pix as well?
It is likely that the answer will be on the pix side. Generally the configuration on the pix
will be like this:
access-list nonat permit ip Pix_side/24 CP_side/24
access-list 101 permit ip Pix_side/24 CP_side/24
nat (inside) 0 access-list nonat
isakmp identity address
isakmp enable outside
isakmp key your-key address CP_external_IP no-xauth no-config (this is L2L VPN)
isakmp policy 1 authe pre-share
isakmp policy 1 encr 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
crypto ipsec trans 3des esp-3des esp-md5-hmac
crypto map cmap 10 ipsec-isakmp
crypto map cmap 10 set peer CP_external_IP
crypto map cmap 10 set trans 3des
crypto map cmap 10 set security-association lifetime seconds 3600
crypto map cmap 10 match address 101
crypto map cmap interface outside
Remember these commands work for both Pix 6.x and 7.x. However, when you do a
show run on 7.x, you will see the output a little differently due to new code
in 7.x.
Enter this into the Pix configuration and try again. On the CP side, run "vpn debug iketrunc"
and initiate traffic from either side. After that, transfer the file
$FWDIR/log/ike.elg and view it with the IKEView.exe that I sent you to see what's wrong.
You can also do "debug crypto isakmp 7" and "debug crypto ipsec 7" and see what's wrong
on the Cisco pix side.
Good luck
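As an added example (not from the thread or from either vendor), a small Python checker for a PIX L2L snippet like the one above. It verifies the cross-references that most often leave a tunnel with no usable SA: the crypto ACL and the nat 0 exemption ACL describe the same networks, the isakmp key is bound to the same peer the crypto map points at, the referenced transform set exists, and phase 1 uses pre-share. The addresses in the sample are made up.

```python
import re

# Constructed sample, not from the thread: the PIX L2L snippet above with its
# placeholder names filled in with made-up RFC 1918 / RFC 5737 addresses.
PIX_OK = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 192.168.88.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp key your-key address 203.0.113.10 no-xauth no-config
isakmp policy 1 authe pre-share
isakmp policy 1 encr 3des
isakmp policy 1 hash md5
crypto ipsec trans 3des esp-3des esp-md5-hmac
crypto map cmap 10 ipsec-isakmp
crypto map cmap 10 set peer 203.0.113.10
crypto map cmap 10 set trans 3des
crypto map cmap 10 match address 101
"""

def check_l2l(config: str) -> list[str]:
    """Return the consistency problems found in a PIX L2L snippet (empty list = OK)."""
    acls, cmap, xforms, keyed_peers, policy = {}, {}, set(), set(), {}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)", line):
            acls.setdefault(m[1], set()).add((m[2], m[3]))       # name -> {(src, dst)}
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            cmap["nonat"] = m[1]
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            keyed_peers.add(m[1])
        elif m := re.match(r"isakmp policy \d+ (\w+) (\S+)", line):
            policy[m[1][:4]] = m[2]       # "authe"/"authentication" both key as "auth"
        elif m := re.match(r"crypto ipsec trans\S* (\S+)", line):
            xforms.add(m[1])
        elif m := re.match(r"crypto map \S+ \d+ (set peer|set trans\S*|match address) (\S+)", line):
            cmap[{"set peer": "peer", "match address": "acl"}.get(m[1], "xform")] = m[2]
    problems = []
    crypto_acl = acls.get(cmap.get("acl"))
    if crypto_acl is None:
        problems.append("crypto map has no 'match address' that names a defined ACL")
    elif crypto_acl != acls.get(cmap.get("nonat")):
        problems.append("crypto ACL (encryption domain) differs from the nat 0 exemption ACL")
    if cmap.get("peer") not in keyed_peers:
        problems.append("no 'isakmp key ... address <peer>' matching the crypto map peer")
    if cmap.get("xform") not in xforms:
        problems.append("crypto map references an undefined transform set")
    if policy.get("auth") != "pre-share":
        problems.append("phase 1 policy does not use pre-share authentication")
    return problems
```

The checker accepts the abbreviated forms used in the thread (trans, authe, encr) as well as the full keywords a "show run" on 7.x prints.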
czar <[EMAIL PROTECTED]> wrote:
Hi All,
I'm falling into the same trap/experience as what others (and someone
more recently) have been experiencing in establishing a successful vpn
setup between r55 (hfa18) and pix (latest version 7).
I already have a working vpn between r55 and freeswan on debian
(sarge). But with pix, no success - "No valid SA" issue.
I've followed the suggestions (researching as well the archive of this
mailing list) except changing "supernetting via dbedit".
Anyway, here's the current setup.
Working: vpn r55 to freeswan (our internal net address xxx/24 - external
(freeswan side internal network - 192.168.177.0/24). Using 3des/md5.
New (not working): vpn r55 to pix (our internal net address is same -
external (not owned by us) pix side internal network is
192.168.88.0/24). Using 3des/md5. Time settings are the same. Could not
get past "No valid SA".
Looks like I have to change the supernetting? Any ideas?
Also can anyone please provide me a copy of ikeview.exe (CP is not
making it publicly available except if you're CSP).
Any ideas how to resolve/troubleshoot this?
Many thanks.
Cezar
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================