Site to site VPN - PIX to Checkpoint

I am trying to set up a site to site VPN from my PIX to a Checkpoint. I am getting the following errors: the first error with ISAKMP NAT-T, the second one without NAT-T...

pixfirewall(config)#
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:162.145.74.130, dest:95.103.225.196 spt:500 dpt:500
ISAKMP: drop P2 msg on unauthenticated SA
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (4)...
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 95.103.225.196, remote= 162.145.74.130,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 118.1.118.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 95.103.225.196, dst 162.145.74.130
ISADB: reaper checking SA 0x3575e7c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 162.145.74.130/500 not found - peers:0

********************************************************************************
no ISAKMP NAT-T

pixfirewall(config)#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:162.145.74.130, dest:95.103.225.196 spt:500 dpt:500
ISAKMP: drop P2 msg on unauthenticated SA
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 95.103.225.196, dst 162.145.74.130
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 95.103.225.196, remote= 162.145.74.130,
    local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 118.1.118.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:162.145.74.130, dest:95.103.225.196 spt:500 dpt:500
ISAKMP: drop P2 msg on unauthenticated SA
ISADB: reaper checking SA 0x3576604, conn_id = 0
ISADB: reaper checking SA 0x3575e7c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 162.145.74.130/500 not found - peers:0

*********************************************************************************

Here is part of my config:

sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 162.145.74.130
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside
isakmp enable outside
isakmp key ****** address 162.145.74.130 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

TIA,
Traol
Reply to
terrydoc

********************************************************************************
*********************************************************************************

Hi,

My first reaction was that you may have a filtering router / firewall in the middle blocking the setup of the VPN. This is due to you seemingly attempting to kick off the Phase 1 transmission on 2 x different occasions.

I did a quick google and found a good WWW site that may help.

formatting link
One of the other items it suggests looking at is routing. Do you have a path between each endpoint? Your VPN appears to break down early on (i.e. Phase 1). No communication seems to exist between these peers, so this is unrelated to Phase 2.

Regards

Darren

Reply to
darren green

********************************************************************************
*********************************************************************************

Darren, yes I have a router between the ISP connection and my PIX. The ISP allocates a block of IP addresses to me; my router routes these into smaller subnets. The PIX outside is one of these subnets. I'm fairly sure I had a similar setup with another ISP, although using the Cisco VPN client into the PIX rather than site to site.

My ISP has allocated these addresses to me:

IP Subnet 95.103.225.192/26
Subnet Mask 255.255.255.192
Gateway 95.103.225.193
Usable IPs 95.103.225.194 to 95.103.225.254

My router has these static routes:

ip route 0.0.0.0 0.0.0.0 95.103.225.193
ip route 95.103.225.200 255.255.255.248 95.103.225.195
ip route 95.103.225.208 255.255.255.240 95.103.225.196
ip route 95.103.225.224 255.255.255.240 95.103.225.197
ip route 95.103.225.240 255.255.255.240 95.103.225.198

My PIX outside is 95.103.225.196.

Reply to
terrydoc

********************************************************************************
*********************************************************************************

Hi,

This looks OK, however, it would be worthwhile checking the other end. The 2 x things to clarify here are:

Is there a router or firewall filtering / blocking packets that would prohibit the setup of the VPN?

Does each end have the correct routing enabled to its VPN peer?

As your end looks OK, confirm with the Checkpoint end.

I saw a similar issue the other day. At the remote end there was a router in front of a PIX blocking ESP. On the firewall behind this router, no VPN formed. On my local PIX all I saw was attempts to build the Phase 1 association.

I called the remote router admin and he told me they filtered on the router. When this was modified the VPN came up.

Regards

Darren

Reply to
darren green

********************************************************************************
*********************************************************************************
Made some progress... I can tunnel into the Checkpoint from my side (the PIX). But when they try to come in from the Checkpoint side I get...

(key eng. msg.) dest= 162.145.74.130, src= 95.103.225.196,
    dest_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    src_proxy= 162.145.74.130/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 162.145.74.130, src= 95.103.225.196,
    dest_proxy= 162.145.74.130/255.255.255.255/0/0 (type=1),
    src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x24
IPSEC(validate_transform_proposal): proxy identities not supported

To me it appears that the CP is sending their FW outside address (probably NATting) rather than the inside LAN - does this make sense?

Reply to
terrydoc

********************************************************************************
*********************************************************************************

Hi,

An error showing Proxy identities not supported would indicate the network lists at either side are not identical.

Again I had this when building a VPN to a checkpoint recently. I was doing a public to public VPN using 2 x host addresses. The Checkpoint instead of sending a /32 address for some reason sent the wrong mask. I believe it was a /30.

In my PIX config I had specified a mask of /32 and the Checkpoint Admin assured me that this was the case at their end - it wasn't. The networks being protected need to be a mirror image of each other.

Speak to the Checkpoint Admin again and ask them to confirm.

Regards

Darren

Reply to
darrenfgreen
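Added example, not part of the thread: a small Python script that applies the two diagnoses given above (phase 1 never completing because the peer is unreachable or filtered; "proxy identities not supported" because the crypto ACLs are not mirror images) to PIX debug output, and checks a pair of crypto ACLs for an exact mirror, so a /30 offered where a /32 is configured is flagged. The debug samples are constructed from the lines quoted in this thread; the `access-list nonat` line is an assumption, since the thread never shows it (the networks are taken from the local_proxy/remote_proxy values in the phase 1 debug), and the two documentation-range host addresses in the /32-vs-/30 check are made up for illustration.

```python
"""Classify PIX IKE/IPsec debug output and check crypto ACL mirroring.

Added example; not code from the thread or from Cisco. The debug text below
is constructed from the lines quoted in the thread, and PIX_ACL is assumed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (local network, remote network) as seen from one peer

# --- constructed sample input, modelled on the debug quoted in this thread ---
PHASE1_DEBUG = """\
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:162.145.74.130, dest:95.103.225.196 spt:500 dpt:500
ISAKMP: drop P2 msg on unauthenticated SA
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 95.103.225.196, dst 162.145.74.130
"""

PROXY_DEBUG = """\
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 162.145.74.130, src= 95.103.225.196,
    dest_proxy= 162.145.74.130/255.255.255.255/0/0 (type=1),
    src_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
IPSEC(validate_transform_proposal): proxy identities not supported
"""

# Assumed: the ACL behind 'crypto map mymap 10 match address nonat'.
PIX_ACL = "access-list nonat permit ip 192.168.1.0 255.255.255.0 118.1.118.0 255.255.255.0"

ACL_RE = re.compile(r"access-list\s+\S+\s+permit\s+ip\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)")
PROXY_RE = re.compile(r"(src|dest)_proxy=\s*([\d.]+)/([\d.]+)/\d+/\d+")


def classify_debug(debug: str) -> List[str]:
    """Return the findings a first pass over the debug supports."""
    findings: List[str] = []
    if "proxy identities not supported" in debug:
        findings.append("phase 2 proxy identity mismatch: crypto ACLs are not mirror images")
    if "drop P2 msg on unauthenticated SA" in debug:
        # The peer sent a quick mode message on an IKE SA this box has not
        # authenticated: typically a stale IKE SA on the peer (my reading).
        findings.append("peer sent quick mode before phase 1 completed")
    retransmits = len(re.findall(r"retransmitting phase 1", debug))
    # 'ISAKMP (n): processing ...' lines appear when a reply is parsed; none
    # after repeated retransmits means nothing came back on UDP/500.
    if retransmits and not re.search(r"ISAKMP \(\d+\): processing ", debug):
        findings.append(f"phase 1 retransmitted {retransmits} times with no processed reply: "
                        "check routing and filtering of UDP/500 (and UDP/4500, ESP)")
    return findings


def parse_acl(text: str) -> List[Pair]:
    """Parse PIX 'access-list ... permit ip <net> <mask> <net> <mask>' lines (netmask, not wildcard)."""
    return [(Net(f"{s}/{sm}"), Net(f"{d}/{dm}")) for s, sm, d, dm in ACL_RE.findall(text)]


def parse_proposals(debug: str) -> List[Pair]:
    """Extract (src_proxy, dest_proxy) pairs from IPSEC(...) debug, in either order of appearance."""
    pairs: List[Pair] = []
    cur: Dict[str, Net] = {}
    for kind, addr, mask in PROXY_RE.findall(debug):
        cur[kind] = Net(f"{addr}/{mask}")
        if "src" in cur and "dest" in cur:
            pairs.append((cur["src"], cur["dest"]))
            cur = {}
    return pairs


def proposal_matches(proposal: Pair, acl: List[Pair]) -> bool:
    """True if the proposed proxy pair equals an ACL entry exactly, in either orientation."""
    a, b = proposal
    return any((a, b) == (l, r) or (a, b) == (r, l) for l, r in acl)


def acl_mismatches(local_acl: List[Pair], peer_acl: List[Pair]) -> List[str]:
    """Compare a local crypto ACL with the peer's; networks must match prefix AND mask."""
    expected = {(r, l) for l, r in local_acl}  # the peer's ACL must be ours, swapped
    actual = set(peer_acl)
    problems = [f"peer lacks {l} -> {r}" for l, r in expected - actual]
    problems += [f"peer has unexpected {l} -> {r}" for l, r in actual - expected]
    return problems


if __name__ == "__main__":
    print(classify_debug(PHASE1_DEBUG))
    print(classify_debug(PROXY_DEBUG))
    for p in parse_proposals(PROXY_DEBUG):
        print(p, "matches ACL:", proposal_matches(p, parse_acl(PIX_ACL)))
```

Against the thread's second debug, the Checkpoint proposes 192.168.1.0/24 to 162.145.74.130/32 while the assumed PIX ACL expects 192.168.1.0/24 to 118.1.118.0/24, so `proposal_matches` is false, which is what "proxy identities not supported" means. `acl_mismatches` is the check to run against the configs of both ends before raising the tunnel; it deliberately compares masks exactly, since a /30 and a /32 for the same host address are different proxy identities.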

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.