Advertisement

07.07.2008 at 02:05AM PDT, ID: 23542738
[x]
Attachment Details

VPN tunnel not established when trying it between NGX R65 and Cisco PIX

Asked by sizgiyaev in Checkpoint Firewall, Virtual Private Networking (VPN), Cisco PIX Firewall

Tags: Checkpoint NGX R65 and Cisco PIX, Firewall VPN, R65, Nokia IP 390, Firewall, Nokia IP 390, encryption fail reason: Received a cleartext packet within an encrypted connection

Hi
I have Nokia IP 390 an dNGX R65 installed on. Last week i've configured VPN site to site between us and our customer in US , they have CISCO PIX.
VPN configuration:
IKE Phase 1 : AES-256, MD5
IPsec Phase 2 : AES-256, MD5
We are using shared secret for this VPN Community.
Advanced VPN configuration:
IKE Phase 1 : DH group = group 5 (1536 bit)

All configuration the same on other side (on PIX) according customer's IT.

There is three Smartview tracker logs that i see when trying establish the tunnel:

1.
Number:                           446405
Date:                                 6Jul2008
Time:                                14:23:47
Product:                            VPN-1 Power/UTM
Interface:                           eth3c0
Origin:                              XXXXX (The name of our firewall object)
Type:                                Log
Action:                              Encrypt
Protocol:                           udp
Service:                            IKE (500)
Source:                             XXXXX (The name of our firewall object)
Destination:                      XXXXX (The name of customer firewall object)
Rule:                                 4
Current Rule Number:      4-Standard
Source Port:                     IKE
Information:                      service_id: IKE
Community:                      NameOfVPNCommunity
Encryption Methods:         ESP: AES-256 + MD5
Encryption Scheme:         IKE
Rule UID:                          {07736A1B-C94F-4066-A4AB-D875F1EF395F}
SmartDefense Profile:       No Protection
Subproduct:                      VPN
VPN Feature:                    VPN
VPN Peer Gateway:           XXXXX (The name of customer firewall object)
Policy Info:                       Policy Name: Standard
                                         Created at: Sun Jul 06 13:40:19 2008
                                         Installed from: FW_MANAGER

2.
Number:                           446906
Date:                                6Jul2008
Time:                                14:24:51
Product:                           VPN-1 Power/UTM
Interface:                          eth3c0
Origin:                              XXXXX (The name of our firewall object)
Type:                                Log
Action:                             Drop
Protocol:                          udp
Service:                            IKE (500)
Source:                            XXXXX (The name of our firewall object)
Destination:                      XXXXX (The name of customer firewall object)
Source Port:                     IKE
Information:                     encryption fail reason: Received a cleartext packet within an encrypted connection
SmartDefense Profile:      No Protection
Policy Info:                       Policy Name: Standard
                                        Created at: Sun Jul 06 19:18:29 2008
                                        Installed from: FW_MANAGER

3.
Number:                           447034
Date:                                6Jul2008
Time:                                14:25:03
Product:                           VPN-1 Power/UTM
Interface:                          eth3c0
Origin:                              XXXXX (The name of our firewall object)
Type:                                Log
Action:                             Drop
Protocol:                          udp
Service:                            IKE (500)
Source:                            XXXXX (The name of our firewall object)
Destination:                      XXXXX (The name of customer firewall object)
Source Port:                     IKE
Information:                     encryption fail reason: Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information
SmartDefense Profile:      No Protection
Policy Info:                       Policy Name: Standard
                                        Created at: Sun Jul 06 19:18:29 2008
                                        Installed from: FW_MANAGER

eth3c0 - this the external interface of our box.
The external IP address of our firewall object is configured properly (that might the problem for cleartext through encrypted connection), so that not a problem.

Any idea?

Thanks in advaceStart Free Trial
 
Keywords: VPN tunnel not established when tryin…
Title
1 Pix to Pix VPN
2 adding 2nd VPN to PIX
3 PIX AND ISA IPSEC VPN
4 Remote access to a Pix from a Pix prot…
5 PIX
6 pix VPN
 
Loading Advertisement...
 
[+][-]07.07.2008 at 02:09AM PDT, ID: 21943518

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]07.07.2008 at 02:36AM PDT, ID: 21943616

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]07.07.2008 at 02:45AM PDT, ID: 21943641

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]07.07.2008 at 03:07AM PDT, ID: 21943717

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]07.07.2008 at 03:18AM PDT, ID: 21943773

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 7-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]07.07.2008 at 03:41AM PDT, ID: 21943859

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 7-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]07.07.2008 at 02:30PM PDT, ID: 21948854

View this solution now by starting your 7-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

 

About this solution

Zones: Checkpoint Firewall, Virtual Private Networking (VPN), Cisco PIX Firewall
Tags: Checkpoint NGX R65 and Cisco PIX, Firewall VPN, R65, Nokia IP 390, Firewall, Nokia IP 390, encryption fail reason: Received a cleartext packet within an encrypted connection
Sign Up Now!
Solution Provided By: sizgiyaev
Participating Experts: 2
Solution Grade: A
 
 
 
Loading Advertisement...
20080716-EE-VQP-32 / EE_QW_2_20070628