Hello,
I am configuring an IPSec/LAN-to-LAN VPN between my FW-1 and a Cisco VPN
Concentrator 3000 after replacing an R60 FW-1 with the tunnel working.
I've created the VPN community with the following specs:
Phase 1 SA Attribute Decode for Transform # 1: Encryption Alg:Triple-DES (5)
Hash Alg:MD5 (1) Auth Method:Preshared Key (1) DH Group: Oakley Group 2
(2) Life Time:86400 seconds
Phase 2 Triple-DES (3) DH Group:Oakley Group 2 (2) Life Time:28800 seconds
HMAC Algorithm:MD5 (1) Encapsulation:Tunnel (1)
And even after changing the largest IPsec subnets, with exactly the same
VPN domain as it was working in the other FW-1 R60, changing the configuration
to pair of subnets and pair of hosts, we keep getting these errors:
1
Number: 617913
Date: 29Jan2009
Time: 8:38:46
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: firewall
Type: Log
Action: Key Install
Source: firewall
Destination: cisco
Encryption Scheme: IKE
VPN Peer Gateway: cisco
IKE Initiator Cookie: bf9b17fdf99df6f6
IKE Responder Cookie: eb795f46dfdff6cf
Encryption Methods: 3DES + MD5, Pre shared secrets
Community: VPN_community
Subproduct: VPN
Information: IKE: Main Mode completion [UDP].
2
Number: 617914
Date: 29Jan2009
Time: 8:38:46
Product: VPN-1 Power/UTM
VPN Feature: IKE
Interface: daemon
Origin: firewall
Type: Log
Action: Key Install
Source: cisco
Destination: firewall
Encryption Scheme: IKE
VPN Peer Gateway: cisco
IKE Phase2 Message ID: 4b54s3dff4b
Subproduct: VPN
Information: IKE: Informational Exchange
Received Delete IKE-SA from Peer: cisco
Cookies:
fd179bbffdfsd6d699f9-465f79ebsdfcfsf68d22
On the Cisco side we got some logs that said the phase 1 was complete,
accepted the IPsec proposal of the second phase and then delete SA.
Any ideas that could help?
Thank you
Best Regards,
Miguel Ferreira