10.12.2004 at 11:23AM PDT, ID: 21165503
PIX to Checkpoint VPN not completing phase 2 IKE

Asked by devehf in Virtual Private Networking (VPN)

I can't get a LAN-LAN VPN to complete phase 2 IKE.

My side: PIX 515E 6.1(2). Their side: CheckPoint FW-1 NG FP3 firewall.

xxx.xxx.xxx.xxx = their public IP
yyy.yyy.yyy.yyy = my public IP

I've opened up isakmp on my outside from their network:
access-list 100 permit udp host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy eq isakmp
access-list 100 permit esp host xxx.xxx.xxx.xxx host yyy.yyy.yyy.yyy

We've made sure the pre-shared key is correct on both ends.

There is a policy on their end that matches my highest priority policy:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400  

I try to ping them and it looks like it completes phase 1, but phase 2 keeps retrying. I don't see any obvious error in the PIX debug.

ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
 
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
 
ISAKMP (0): processing NONCE payload. message ID = 0
 
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src xxx.xxx.xxx.xxx, dest yyy.yyy.yyy.yyy
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
 
ISAKMP: Created a peer node for xxx.xxx.xxx.xxx
ISAKMP (0:0): Need XAUTH
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to xxx.xxx.xxx.xxx. ID = xxxxxxxxxx (zzzzzzzzzz)
modecfg: sa: qqqqqqqq, new mess id= pppppppp
 
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= yyy.yyy.yyy.yyy, remote= xxx.xxx.xxx.xxx,
    local_proxy= 172.21.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.25.9.0/255.255.255.0/0/0 (type=4)
 
ISAKMP (0): retransmitting phase 2...
ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= yyy.yyy.yyy.yyy, remote= xxx.xxx.xxx.xxx,
    local_proxy= 172.21.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.25.9.0/255.255.255.0/0/0 (type=4)
 
ISAKMP (0): retransmitting phase 2...
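A small triage script for the debug output above, added here as an editor's example (it is not part of the asker's post). It decodes the phase 1 attributes the PIX accepted, including the four-byte life duration, and flags the two things in this capture worth comparing against the configuration: the XAUTH request sent to a site-to-site peer, and phase 2 retransmitting with no reply after phase 1 authenticated. The embedded sample is a shortened, constructed copy of the quoted debug; the "next_checks" wording is the editor's reading of the log, not a confirmed fix.

```python
import re

# Constructed, shortened excerpt modelled on the quoted "debug crypto isakmp" output.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0:0): Need XAUTH
ISAKMP (0): retransmitting phase 2...IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= yyy.yyy.yyy.yyy, remote= xxx.xxx.xxx.xxx,
    local_proxy= 172.21.1.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.25.9.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): retransmitting phase 2...
"""

def life_seconds(hex_bytes):
    """Decode the big-endian 'life duration (VPI)' byte list into seconds."""
    return int.from_bytes(bytes(int(b, 16) for b in hex_bytes.split()), "big")

def triage_isakmp_debug(text):
    """Summarise how far IKE got and which configuration to compare next."""
    phase1 = dict(re.findall(
        r"^ISAKMP:\s+(encryption|hash|default group|auth) (\S+)", text, re.M))
    life = re.search(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)", text)
    if life:
        phase1["lifetime_seconds"] = life_seconds(life.group(1))  # 86400 here
    proxies = dict(re.findall(r"(local_proxy|remote_proxy)=\s*(\S+)", text))
    result = {
        "phase1_attrs": phase1,
        "phase1_authenticated": "SA has been authenticated" in text,
        "xauth_requested": "Need XAUTH" in text,
        "phase2_retransmits": text.count("retransmitting phase 2"),
        "proxy_ids": proxies,
        "next_checks": [],
    }
    if result["xauth_requested"]:
        result["next_checks"].append(
            "PIX asked the peer for XAUTH/mode-config; a LAN-to-LAN gateway will not "
            "answer it, so check for client authentication/configuration on this crypto map")
    if result["phase1_authenticated"] and result["phase2_retransmits"]:
        result["next_checks"].append(
            "phase 1 is up but phase 2 gets no reply: compare the IPsec transform set "
            "and the proxy IDs above with the peer's encryption domain and crypto ACL")
    return result
```

The decoded lifetime (0x00015180 = 86400 s) is a quick sanity check that the accepted transform really is the asker's priority 10 policy.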
10.12.2004 at 11:57AM PDT, ID: 12290599

About this solution

Zone: Virtual Private Networking (VPN)
Tags: ikmp_no_err_no_trans
Solution Provided By: lrmoore
Participating Experts: 2
Solution Grade: A