Re: Site to site VPN - PIX to Checkpoint
- From: darren green <darrenfgreen@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 05 Jul 2007 21:58:37 +0100
terrydoc@xxxxx wrote:
On 5 Jul, 18:49, darren green <darrenfgr...@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,
terry...@xxxxx wrote:
Hi,
I am trying to set up a site to site VPN from my PIX to a Checkpoint.
I am getting the following errors - first error with ISAKMP NAT-T,
second one without NAT-T...
pixfirewall(config)#
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:162.145.74.130, dest:95.103.225.196 spt:500 dpt:500
ISAKMP: drop P2 msg on unauthenticated SA
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (4)...
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 95.103.225.196, remote= 162.145.74.130,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 118.1.118.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 95.103.225.196, dst 162.145.74.130
ISADB: reaper checking SA 0x3575e7c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 162.145.74.130/500 not found - peers:0
********************************************************************************
no ISAKMP NAT-T
pixfirewall(config)#
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:162.145.74.130, dest:95.103.225.196 spt:500 dpt:500
ISAKMP: drop P2 msg on unauthenticated SA
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 95.103.225.196, dst 162.145.74.130
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 95.103.225.196, remote= 162.145.74.130,
local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
remote_proxy= 118.1.118.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:162.145.74.130, dest:95.103.225.196 spt:500 dpt:500
ISAKMP: drop P2 msg on unauthenticated SA
ISADB: reaper checking SA 0x3576604, conn_id = 0
ISADB: reaper checking SA 0x3575e7c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 162.145.74.130/500 not found - peers:0
*********************************************************************************
Here is part of my config:
sysopt connection permit-ipsec
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address nonat
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 162.145.74.130
crypto map mymap 10 set transform-set mytrans
crypto map mymap interface outside
isakmp enable outside
isakmp key ****** address 162.145.74.130 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
*********************
TIA, Traol
My first reaction was that you may have a filtering router / firewall in
the middle blocking the setup of the VPN. This is due to you seemingly
attempting to kick off the Phase 1 transmission on 2 x different occasions.
I did a quick google and found a good WWW site that may help.
http://www.boerderie.com/VPNdebugging.html
One of the other items it suggests looking at is routing. Do you have a
path between each endpoint? Your VPN appears to break down early on
(i.e. Phase 1). No communication seems to exist between these peers so
unrelated to Phase 2.
Regards
Darren
Darren, yes I have a router between the ISP connection and my PIX. The
ISP allocates a block of IP addresses to me, my router routes these
into smaller subnets. The PIX outside is one of these subnets. I'm
fairly sure I had a similar setup with another ISP - although using
Cisco VPN client into the PIX rather than site to site. My ISP has
allocated:
my ISP allocates these addresses to me
IP Subnet 95.103.225.192/26
Subnet Mask 255.255.255.192
Gateway 95.103.225.193
Usable IP's 95.103.225.194 to 95.103.225.254
my router has these static routes
ip route 0.0.0.0 0.0.0.0 95.103.225.193
ip route 95.103.225.200 255.255.255.248 95.103.225.195
ip route 95.103.225.208 255.255.255.240 95.103.225.196
ip route 95.103.225.224 255.255.255.240 95.103.225.197
ip route 95.103.225.240 255.255.255.240 95.103.225.198
my PIX outside is 95.103.225.196
This looks OK, however, it would be worthwhile checking the other end.
The 2 x things to clarify here are:
Is there a router or firewall filtering / blocking packets that would
prohibit the setup of the VPN?
Does each end have the correct routing enabled to its VPN peer?
As your end looks OK, confirm with the Checkpoint end.
I saw a similar issue the other day. At the remote end there was a
router in front of a PIX blocking ESP. On the firewall behind this
router, no VPN formed. On my local PIX all I saw was attempts to build
the Phase 1 association.
I called the remote router admin and he told me they filtered on the
router. When this was modified the VPN came up.
Regards
Darren
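The checks Darren lists (filtering between the peers, routing to the peer, a Phase 1 that never completes) can be read straight out of the `debug crypto isakmp` output quoted above. The following script is an added example, not code from anyone in this thread: it tallies the Phase 1 events in such a capture and turns them into the next checks to make. The sample input is a cleaned-up copy of the first capture in the thread; the `SA has been authenticated` line used as the success marker does not appear in the thread and is an assumption about this PIX version's wording.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample input: a cleaned-up copy of the first "debug crypto isakmp"
# capture quoted in the thread (the run with NAT-T enabled). Addresses are the
# thread's own.
SAMPLE_DEBUG = """\
ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3
ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:162.145.74.130, dest:95.103.225.196 spt:500 dpt:500
ISAKMP: drop P2 msg on unauthenticated SA
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (4)...
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 95.103.225.196, remote= 162.145.74.130,
  local_proxy= 192.168.1.0/255.255.255.0/0/0 (type=4),
  remote_proxy= 118.1.118.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): deleting SA: src 95.103.225.196, dst 162.145.74.130
ISADB: reaper checking SA 0x3575e7c, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 162.145.74.130/500 not found - peers:0
"""

# Patterns for the PIX 6.x debug lines seen in the thread. RE_AUTHED is the
# Phase 1 success marker; it does not occur in the thread's output, so its
# wording is an assumption and may need adjusting for other PIX releases.
RE_NATT = re.compile(r"sending NAT-T vendor ID")
RE_MAIN_MODE = re.compile(r"beginning Main Mode exchange")
RE_INBOUND = re.compile(r"crypto_isakmp_process_block:src:(?P<src>[\d.]+), dest:(?P<dst>[\d.]+)")
RE_P2_DROP = re.compile(r"drop P2 msg on unauthenticated SA")
RE_RETRANS = re.compile(r"retransmitting phase 1 \((\d+)\)")
RE_DELETE = re.compile(r"deleting SA: src (?P<src>[\d.]+), dst (?P<dst>[\d.]+)")
RE_AUTHED = re.compile(r"SA has been authenticated")


@dataclass
class Phase1Summary:
    natt_offered: bool = False
    main_mode_starts: int = 0
    retransmits: int = 0
    inbound_from: dict = field(default_factory=dict)  # peer IP -> UDP/500 packets seen
    p2_drops: int = 0
    sa_deletes: int = 0
    authenticated: bool = False


def summarize(debug_text: str) -> Phase1Summary:
    """Tally the Phase 1 events in a 'debug crypto isakmp' capture."""
    s = Phase1Summary()
    for line in debug_text.splitlines():
        if RE_NATT.search(line):
            s.natt_offered = True
        if RE_MAIN_MODE.search(line):
            s.main_mode_starts += 1
        m = RE_INBOUND.search(line)
        if m:
            s.inbound_from[m["src"]] = s.inbound_from.get(m["src"], 0) + 1
        if RE_P2_DROP.search(line):
            s.p2_drops += 1
        if RE_RETRANS.search(line):
            s.retransmits += 1
        if RE_DELETE.search(line):
            s.sa_deletes += 1
        if RE_AUTHED.search(line):
            s.authenticated = True
    return s


def diagnose(s: Phase1Summary) -> list[str]:
    """Turn the tallies into the checks a firewall admin should make next."""
    findings: list[str] = []
    if s.authenticated:
        findings.append("phase1-ok: ISAKMP SA authenticated; look at Phase 2 (proxy IDs, transform set) instead")
        return findings
    if s.main_mode_starts:
        findings.append(
            f"phase1-incomplete: Main Mode started {s.main_mode_starts} time(s) with "
            f"{s.retransmits} retransmit(s) and {s.sa_deletes} SA deletion(s) and never "
            "authenticated; check UDP/500 is permitted both ways between the peers, that "
            "both ends route to each other, and that the Phase 1 proposal and pre-shared key match"
        )
    if not s.inbound_from:
        findings.append("no-peer-traffic: nothing received from the peer on UDP/500; "
                        "verify routing and filtering in both directions")
    else:
        peers = ", ".join(f"{ip} ({n})" for ip, n in sorted(s.inbound_from.items()))
        findings.append(f"peer-traffic-seen: UDP/500 packets arrived from {peers}, "
                        "so the inbound path is open at least part of the way")
    if s.p2_drops:
        findings.append("p2-on-unauth-sa: the peer sent Phase 2 traffic while this side had no "
                        "authenticated ISAKMP SA; a stale SA on the peer is one common cause, so "
                        "clear the ISAKMP and IPsec SAs on both ends before retrying")
    if s.natt_offered:
        findings.append("nat-t-offered: NAT-T vendor ID was sent, so with a NAT device between the "
                        "peers UDP/4500 must be allowed as well as UDP/500 and ESP (IP protocol 50)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_DEBUG)):
        print(finding)
```

Run it on a capture saved from the console (or paste a capture into `SAMPLE_DEBUG`); each finding is prefixed with a short code so the output can be grepped or fed to a ticket. The `peer-traffic-seen` finding is worth reading together with `phase1-incomplete`: the quoted capture does show packets arriving from 162.145.74.130, so an inbound filter on UDP/500 alone would not explain it, which is why the script also points at the return path, the proposal and the pre-shared key.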