Hi Shiroma,
I just ran into this kind of problem very recently.
I think you have a supernetting issue. You must have defined subnets that
are consecutive.
If this is the case, by default, fw1 will supernet it automatically. You can
confirm this if, at the Cisco end, the IP address is appearing at a higher
subnet, i.e. you initiated traffic at a /24 address and it appears at the
Cisco end as something like a /22 address.
First, you can google for user.def +checkpoint or search the CP knowledge
base for the solution.
From memory, you have to use dbedit to change the behaviour at the
SmartCenter server. NB: close all fw1 apps.
(run dbedit ? to verify syntax)
dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false
dbedit> update properties firewall_properties
dbedit> quit -update_all
Then you have to manually edit the $FW1/lib/user.def file using a plain text
editor, i.e. Notepad. But make a backup copy first.
Then put in your subnets as in the following example:
------------------------------
#ifndef __user_def__
#define __user_def__
//
// User defined INSPECT code
//
max_subnet_for_range = {
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
<first_IP_in_range, last_IP_in_the_range; subnet_mask>,
...
<first_IP_in_range, last_IP_in_the_range; subnet_mask>
};
#endif /* __user_def__ */
------------------------------
Save it. Then install the policy.
In the Knowledge base, there are other examples. Check it out.
Good luck.
ta
czar
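The procedure above, as an added example that is not part of czar's mail or of Check Point's code: a Python helper that reproduces the supernetting symptom (consecutive /24s showing up at the peer as one /22), renders the matching max_subnet_for_range entries, and sanity-checks a hand-written entry before it goes into user.def. The subnets used are constructed for illustration.

```python
# Added example (not from the original mail): reproduce the supernetting
# symptom, render max_subnet_for_range entries, and check them for alignment.
# The sample subnets below are constructed for illustration.
import ipaddress


def largest_possible_supernet(subnets):
    """Smallest single network covering every given subnet: what the peer
    sees when ike_use_largest_possible_subnets is left at its default."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    covering = nets[0]
    while not all(n.subnet_of(covering) for n in nets):
        covering = covering.supernet()   # widen by one bit until all fit
    return covering


def user_def_entries(subnets):
    """One <first, last; mask> tuple per subnet, pinning it to its own mask."""
    return [f"<{n.network_address}, {n.broadcast_address}; {n.netmask}>"
            for n in map(ipaddress.ip_network, subnets)]


def check_entry(first, last, mask):
    """A hand-written entry must describe exactly one aligned network of the
    stated mask; otherwise the gateway will not match traffic against it."""
    try:
        net = ipaddress.ip_network(f"{first}/{mask}")  # strict: host bits rejected
    except ValueError:
        return False
    return ipaddress.ip_address(last) == net.broadcast_address


def render_user_def(subnets):
    """Full user.def body in the layout from the mail, ready to paste."""
    body = ",\n".join("    " + e for e in user_def_entries(subnets))
    return ("#ifndef __user_def__\n#define __user_def__\n"
            "max_subnet_for_range = {\n" + body + "\n};\n"
            "#endif /* __user_def__ */\n")


if __name__ == "__main__":
    # Constructed example: four consecutive /24s in the encryption domain.
    domain = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    print("peer would see:", largest_possible_supernet(domain))   # 10.1.0.0/22
    print(render_user_def(domain))
    print(check_entry("10.1.0.0", "10.1.0.255", "255.255.255.0"))  # True
    print(check_entry("10.1.0.0", "10.1.1.255", "255.255.255.0"))  # False
```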
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Shiroma Dassanayake
Sent: Monday, 29 June 2009 1:41 PM
To: [email protected]
Subject: [FW-1] site to site VPN failing with Cisco Pix 515 and 505
Hi admins
I have 3 site-site VPNs with three different Cisco models. The site-site
with the ASA 5510 works. However the VPNs with the 515 and the 505 don't
work. To exclude the subnets issue, I have selected "one VPN tunnel per each
pair of hosts" under tunnel management.
The keys are exchanged successfully and main mode completes. However, when
traffic is initiated (in either direction) the packet is dropped, as
encryption fails because there is no valid SA. I have seen several references to
this error on SK but none of the suggested workarounds seem to work.
Any ideas??
Regards
Shiroma
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
[email protected]
=================================================