Hi All,
First, the pix version was downgraded to v6.3 (from v7.2; note: Cisco
informed the telco engineer there's a problem with this version as
regards VPN). Still no success (albeit using a pix config similar to the
one suggested below and "key exchange for subnet" un-ticked at the CP
side).
Finally, got it to work by changing the pre-shared secret code. The
problem was in the pre-shared secret code: it had the "#$$" characters
in sequence. Changed it to something else and it worked. Either SPLAT or
pix or both cannot handle these chars in sequence (maybe a reserved char).
Thanks for all your help and replies.
czar
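The fix above came down to the pre-shared key itself. Below is an added example (not code from this thread, nor from Check Point or Cisco) of the check I would run on a proposed PSK before typing it into two vendors' CLIs: it flags characters that a CLI, config parser or shell might treat specially, enforces a length floor, estimates brute-force resistance, and generates a replacement key from a conservative alphabet. The list of risky characters, the length floor and the sample key are assumptions I chose for illustration, not a vendor-documented rule.

```python
"""Pre-shared key hygiene check and generator for IKE peers.

Added example; not code from the thread or from Check Point/Cisco.
The thread found that a PSK containing the sequence "#$$" broke the
tunnel between SecurePlatform and the PIX. The lesson generalises:
a PSK is typed into two vendors' CLIs and may pass through config
files, scripts and debugging tools, so keep it long, random and free
of characters any of those layers might treat specially. The list
of risky characters and the length floor are assumptions, not a
vendor-documented rule.
"""
import math
import secrets
import string
from typing import List

SAFE_ALPHABET = string.ascii_letters + string.digits
# Assumed risky: CLI comment/help characters, shell metacharacters,
# quotes and whitespace. Conservative by design.
RISKY_CHARS = set('#$?!;&|"\'`\\ \t')
MIN_LENGTH = 20
MIN_DISTINCT = 8


def psk_strength_bits(psk: str) -> float:
    """Brute-force resistance estimate: length * log2(size of the
    smallest character pool the key visibly draws from)."""
    pool = 0
    if any(c.islower() for c in psk):
        pool += 26
    if any(c.isupper() for c in psk):
        pool += 26
    if any(c.isdigit() for c in psk):
        pool += 10
    if any(not c.isalnum() for c in psk):
        pool += 32  # printable ASCII punctuation
    return len(psk) * math.log2(pool) if pool else 0.0


def lint_psk(psk: str) -> List[str]:
    """Return a list of problems; an empty list means the key passes."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"too short: {len(psk)} < {MIN_LENGTH} characters")
    odd = sorted({c for c in psk
                  if c in RISKY_CHARS or not c.isascii() or not c.isprintable()})
    if odd:
        problems.append("contains characters a CLI or shell may treat specially: "
                        + " ".join(repr(c) for c in odd))
    if len(set(psk)) < MIN_DISTINCT:
        problems.append(f"too few distinct characters: {len(set(psk))} < {MIN_DISTINCT}")
    return problems


def generate_psk(length: int = 32) -> str:
    """Random PSK from the safe alphabet, using the OS CSPRNG."""
    return "".join(secrets.choice(SAFE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed key in the shape the thread describes (contains "#$$").
    for key in ("Tunnel#$$Key2007", generate_psk()):
        verdict = lint_psk(key) or ["ok"]
        print(f"{key!r}: {psk_strength_bits(key):.0f} bits estimated; "
              + "; ".join(verdict))
```

Run it as a script and it lints the constructed "#$$"-style key alongside a freshly generated one. Restricting to letters and digits costs a little entropy per character, which a longer key makes up for without any risk of one side's parser swallowing a character.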
czar wrote:
Thanks. I'll give it a try.
BTW, the pix side is a telco.
Cezar
cisco4ng wrote:
Supernetting is not an issue in this case because both sides are
using /24 networks, so I don't think this is an issue. You didn't say
what version of 7.x is running on the Pix: 7.0, 7.1, 7.2(1) or 7.2(2)?
Do you also have remote access VPN configured on the Pix as well?
It is likely that the answer will be on the pix side. Generally the
configuration on the pix will be like this:
! NAT exemption and interesting traffic for the tunnel
access-list nonat permit ip Pix_side/24 CP_side/24
access-list 101 permit ip Pix_side/24 CP_side/24
nat (inside) 0 access-list nonat
! Phase 1 (ISAKMP); no-xauth no-config because this is a L2L VPN
isakmp identity address
isakmp enable outside
isakmp key your-key address CP_external_IP no-xauth no-config
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
! Phase 2 (IPsec) and the crypto map bound to the outside interface
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto map cmap 10 ipsec-isakmp
crypto map cmap 10 set peer CP_external_IP
crypto map cmap 10 set transform-set 3des
crypto map cmap 10 set security-association lifetime seconds 3600
crypto map cmap 10 match address 101
crypto map cmap interface outside
Remember these commands work for both Pix 6.x and 7.x. However, when you
do a show run on 7.x, you will see the output a little differently due to
new code in 7.x.
Enter this into the Pix configuration and try again. On the CP side, run
"vpn debug iketrunc" and initiate traffic from either side. After that,
transfer the file $FWDIR/log/ike.elg and view it in the IKEView.exe that I
sent you to see what's wrong. You can also do "debug crypto isakmp 7" and
"debug crypto ipsec 7" and see what's wrong on the Cisco pix side.
Good luck
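The config above hangs together only if every cross-reference resolves: the crypto map must name an access-list and a transform-set that exist, its peer must have an isakmp key, and the map must be bound to an interface where isakmp is enabled. A missing or mistyped link produces exactly the "no valid SA" style failure discussed in this thread. The following is an added example (my code, not from the thread or from Cisco) that parses config lines in the shape quoted above and reports each unresolved reference. The addresses are constructed documentation-range values standing in for the Pix_side / CP_side / CP_external_IP placeholders.

```python
"""Cross-reference checks for a PIX-style site-to-site (L2L) IPsec config.

Added example; not code from the thread or from Cisco. It takes the
kind of config quoted above and verifies the references a working
L2L tunnel depends on: each crypto map entry must name an access-list
and a transform-set that exist, have a peer with a matching isakmp key,
and be bound to an interface on which isakmp is enabled. Addresses
below are constructed (RFC 5737 documentation ranges), not real hosts.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of the config quoted in the thread, with
# Pix_side / CP_side / CP_external_IP filled in with documentation addresses.
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
access-list 101 permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list nonat
isakmp identity address
isakmp enable outside
isakmp key ExamplePskNotForUse address 203.0.113.10 no-xauth no-config
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto map cmap 10 ipsec-isakmp
crypto map cmap 10 set peer 203.0.113.10
crypto map cmap 10 set transform-set 3des
crypto map cmap 10 set security-association lifetime seconds 3600
crypto map cmap 10 match address 101
crypto map cmap interface outside
"""


def lint_l2l_config(config: str) -> List[str]:
    """Return human-readable findings; an empty list means all references resolve."""
    acls: Set[str] = set()
    transform_sets: Set[str] = set()
    isakmp_keys: Dict[str, str] = {}       # peer address -> key
    isakmp_enabled: Set[str] = set()       # interfaces with isakmp enable
    map_iface: Dict[str, str] = {}         # crypto map name -> interface
    entries: Dict[Tuple[str, int], Dict[str, str]] = {}

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):   # comments / "Saved" header
            continue
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) ", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"isakmp key (\S+) address (\S+)", line):
            isakmp_keys[m.group(2)] = m.group(1)
        elif m := re.match(r"isakmp enable (\S+)$", line):
            isakmp_enabled.add(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            map_iface[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line):
            entry = entries.setdefault((m.group(1), int(m.group(2))), {})
            rest = m.group(3)
            if rest == "ipsec-isakmp":
                entry["type"] = rest
            elif mm := re.match(r"set peer (\S+)", rest):
                entry["peer"] = mm.group(1)
            elif mm := re.match(r"set transform-set (\S+)", rest):
                entry["transform"] = mm.group(1)
            elif mm := re.match(r"match address (\S+)", rest):
                entry["acl"] = mm.group(1)

    findings: List[str] = []
    if not entries:
        findings.append("no crypto map entries found")
    for (name, seq), e in sorted(entries.items()):
        where = f"crypto map {name} {seq}"
        if e.get("type") != "ipsec-isakmp":
            findings.append(f"{where}: not declared ipsec-isakmp")
        for field, defined, label in (("acl", acls, "access-list"),
                                      ("transform", transform_sets, "transform-set")):
            value = e.get(field)
            if value is None:
                findings.append(f"{where}: no {label} configured")
            elif value not in defined:
                findings.append(f"{where}: {label} {value} is not defined")
        peer = e.get("peer")
        if peer is None:
            findings.append(f"{where}: no peer set")
        elif peer not in isakmp_keys:
            findings.append(f"{where}: no isakmp key for peer {peer}")
        iface = map_iface.get(name)
        if iface is None:
            findings.append(f"{where}: map {name} is not bound to an interface")
        elif iface not in isakmp_enabled:
            findings.append(f"{where}: isakmp is not enabled on interface {iface}")
    return findings


if __name__ == "__main__":
    for finding in lint_l2l_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of "show run" (saved to a file) and it lists every dangling reference; on the constructed sample it reports nothing. It checks structure only, so a key that is wrong on one side, or mismatched proposals, still need the IKE debug steps described above.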
czar <[EMAIL PROTECTED]> wrote:
Hi All,
I'm falling into the same trap/experience as others (including someone
more recent) have been experiencing in establishing a successful VPN
setup between R55 (HFA18) and pix (latest version 7).
I already have a working VPN between R55 and freeswan on debian
(sarge). But with pix, no success - "No valid SA" issue.
I've followed the suggestions (researching as well the archive of this
mailing list) except changing "supernetting via dbedit".
Anyway, here's the current setup.
Working: VPN R55 to freeswan (our internal net address xxx/24 -
external (freeswan side) internal network 192.168.177.0/24). Using
3des/md5.
New (not working): VPN R55 to pix (our internal net address is the same -
external (not owned by us) pix side internal network is
192.168.88.0/24). Using 3des/md5. Time settings are the same. Could
not get past "No valid SA".
Looks like I have to change the supernetting? Any ideas?
Also, can anyone please provide me a copy of ikeview.exe (CP is not
making it publicly available except if you're a CSP)?
Any ideas how to resolve/troubleshoot this?
Many thanks.
Cezar
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================