Title: Weird problem... Cisco 3640 IOS - FW1 - IKE-VPN can't be established

Hi to all.

We've been struggling with a terrific problem for some time.

PROBLEM:

We want to establish a VPN tunnel between a network behind a CISCO3640 IOS version 12.09 and a network behind CP FW 4.1 SP3 (management), IP650 IPSO SP3.3.8 (module).

At first sight, it seems trivial and easy. Alas!

Even though all the configs, IPs, etc. seem to be set correctly (both for the router and the FW), VPN tunnelling can't be established! The key installations between the FW and the router seem OK in the logs, but when we try communicating from either network side to the other, there is no VPN, no encryption, and in the FW logs the packets are accepted (no drop!!!), BUT in the info:

encryption failure: gateway connected to both endpoint scheme: IKE

What's stranger, even though there's no other alternative accept rule in the FW, communication can somehow be established between these two networks, but without encryption...

All the config in the FW is set up just as defined in CP's manual, a.k.a. http://support.checkpoint.com/kb/docs/public/firewall1/4_1/pdf/cisco_ios_vpn.pdf

Are we missing something in the router's config, or what???


The router's config is shown below (IPs, crypto map names, etc. are abbreviated...):

Current configuration : 1797 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HOSTX
!
enable password 7 ..................
!
!
!
!
!
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key secretxxx address aa.bb.cc.dd
!
!
crypto ipsec transform-set SET1 esp-des esp-sha-hmac
!
crypto map MAP1 1 ipsec-isakmp
 set peer aa.bb.cc.dd
 set transform-set SET1
 match address 115
!
!
!
!
!
!
interface FastEthernet0/0
 ip address ff.ee.tt.hh 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 speed auto
 half-duplex
 no cdp enable
!
interface Serial1/0
 no ip address
 shutdown
 fair-queue
 serial restart-delay 0
 no cdp enable
!
interface Serial1/1
 ip address ss.ee.rr.ii 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 serial restart-delay 0
 no cdp enable
 crypto map MAP1
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
 no cdp enable
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
 no cdp enable
!
interface Serial2/0
 no ip address
 shutdown
 serial restart-delay 0
 no cdp enable
!
interface Serial2/1
 no ip address
 shutdown
 serial restart-delay 0
 no cdp enable
!
interface Serial2/2
 no ip address
 shutdown
 serial restart-delay 0
 no cdp enable
!
interface Serial2/3
 no ip address
 shutdown
 serial restart-delay 0
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 serial1/1
ip route vv.pp.nn.xx 255.255.255.0 ss.ee.rr.1
ip route aa.bb.cc.0 255.255.255.0 ss.ee.rr.1
no ip http server
!
access-list 115 permit ip ss.ee.rr.0 0.0.0.255 vv.pp.nn.xx 0.0.0.255
access-list 115 permit ip vv.pp.nn.xx 0.0.0.255 ss.ee.rr.0 0.0.0.255
no cdp run
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 ..........?
 login
!
end
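An added check, not part of the original post: a small Python lint that parses an IOS config shaped like the one above and flags crypto-ACL entries that cannot describe LAN-to-LAN traffic, namely a source that is the subnet of the very interface the crypto map is applied to (as ss.ee.rr.0 is the Serial1/1 subnet here) and an explicit mirror-image entry. The sample config is constructed with RFC 5737 addresses standing in for the abbreviated ones; the assumption is that ff.ee.tt.hh is the LAN on FastEthernet0/0 and vv.pp.nn.xx the network behind the FireWall-1 peer.

```python
import ipaddress
import re

# Constructed sample mirroring the shape of the posted config, with RFC 5737
# addresses: 192.0.2.0/24 = LAN on Fa0/0, 198.51.100.0/24 = Serial1/1 link,
# 203.0.113.0/24 = LAN behind the FireWall-1 peer (all assumptions).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface Serial1/1
 ip address 198.51.100.2 255.255.255.0
 crypto map MAP1
crypto map MAP1 1 ipsec-isakmp
 match address 115
access-list 115 permit ip 198.51.100.0 0.0.0.255 203.0.113.0 0.0.0.255
access-list 115 permit ip 203.0.113.0 0.0.0.255 198.51.100.0 0.0.0.255
"""
ACE_RE = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def wildcard_net(addr, wildcard):
    """IOS address plus wildcard (an inverted mask) -> IPv4Network."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def lint_crypto_acls(config):
    """Return findings for crypto-ACL entries that cannot select LAN-to-LAN traffic."""
    ifaces, ifmap, mapacl, aces, cur = {}, {}, {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if line.startswith("interface "):
            cur = ("if", tok[1])
        elif line.startswith("crypto map ") and len(tok) > 3:  # map entry, not a binding
            cur = ("map", tok[2])
        elif cur and cur[0] == "if" and tok[:2] == ["ip", "address"]:
            ifaces[cur[1]] = ipaddress.IPv4Network(f"{tok[2]}/{tok[3]}", strict=False)
        elif cur and cur[0] == "if" and tok[:2] == ["crypto", "map"]:
            ifmap[cur[1]] = tok[2]  # interface -> crypto map applied to it
        elif cur and cur[0] == "map" and tok[:2] == ["match", "address"]:
            mapacl[cur[1]] = tok[2]  # crypto map -> its crypto ACL number
        elif (m := ACE_RE.match(line)):
            aces.setdefault(m[1], []).append((wildcard_net(m[2], m[3]), wildcard_net(m[4], m[5])))
    findings = []
    for ifname, mapname in ifmap.items():
        acl = mapacl.get(mapname)
        for i, (src, dst) in enumerate(aces.get(acl, [])):
            # The source should be a LAN behind the router, not the subnet of the link the map sits on.
            if src == ifaces.get(ifname):
                findings.append(f"ACL {acl}: source {src} is the {ifname} link itself, not a LAN behind it")
            # IOS checks inbound traffic against the mirror of each ACE; a reverse ACE is redundant.
            if (dst, src) in aces[acl][:i]:
                findings.append(f"ACL {acl}: {src} -> {dst} is a redundant mirror of an earlier entry")
    return findings
```

Running it on the sample yields two findings; replacing both ACEs with a single entry from the Fa0/0 LAN to the remote LAN yields none.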