Solved

PIX Checkpoint VPN Problem

Posted on 2006-11-23
5
1,547 Views
Last Modified: 2013-11-16
hi all,

i am having a strange problem and i have tried doing googling but still not getting any strong answer to overcome the issue.

we have one partner in another country and we are trying to setup VPN Tunnel between us and this partner using PIX 515E and Checkpoint FW NXG on the other side.

configured the Crypto Map and ISAKMP and also with help from lrmoore did the natting and acl. the thing is like this.

Site 1.
crypto ipsec transform-set Partnet2 esp-3des esp-md5-hmac
crypto map transam 20 ipsec-isakmp
crypto map transam 20 match address Partnet2
crypto map transam 20 set peer 192.162.10.92
crypto map transam 20 set transform-set NI
crypto map transam 20 set security-association lifetime seconds 3600 kilobytes 4
crypto map transam interface outside
isakmp enable outside
isakmp key ******** address 192.168.10.92 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10 30
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

access-list Partner2 permit ip host 100.90.72.20 host 172.22.13.25
access-list Partner2 permit ip host 100.90.72.10 host 192.168.7.5
access-list Partner2 permit ip host 192.168.7.5 host 100.90.72.10
access-list Partner2 permit ip host 100.90.72.10 host 172.17.53.5
access-list Partner2_NAT permit ip host 172.20.4.205 host 172.16.7.5
access-list Partner2_NAT permit ip host 172.20.4.205 host 172.17.53.5
access-list Partner2_NAT1 permit ip host 172.20.4.205 host 172.22.13.25

global (outside) 20 100.90.72.10
global (outside) 30 100.90.72.20

nat (inside) 20 access-list NI_NAT 0 0
nat (inside) 30 access-list NI_NAT1 0 0


Site 2. Checkpoint FW NGX

Problem: when we initiate the connection the VPN Tunnel comes up and we can access there servers. but when they try to initiate the connection; i see on pix that  it stops at phase 2 of IPsec.

Question:

for inbound do we need something extra in ACL or simple VPN access-list works for both inbound and outbound. any help would be great, i really need it up
0
Comment
Question by:lomaree
5 Comments
 
LVL 1

Author Comment

by:lomaree
ID: 18010597
hi all,

please i need help here, below is what i see on my debug

IPSEC(validate_transform_proposal): proxy identities not supported

ISAKMP: IPSec policy invalidated proposal
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:y.y.y.y, dest:x.x.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
0
 
LVL 8

Expert Comment

by:charan_jeetsingh
ID: 18010924
hi there.....

one thing i am sure that this is something to do the the Checkpoint box, cuz we had exactly the same problem. There is one specific option they need to check for that......but i need to get a check on that. In the mean time you can ask them to look out for some trials... dnt do anything on pix...
0
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 18020408
This message means the networks defined at both ends don't match.  Verify that the network objects that fall under encryption on the CheckPoint box match with whatever access list you've used for encryption on the PIX.
NGX - PIX VPN setup should pretty much follow the basics in this 4.1 - PIX VPN example:

http://www.cisco.com/warp/public/110/cp-p.html
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
This article will cover setting up redundant ISPs for outbound connectivity on an ASA 5510 (although the same should work on the 5520s and up as well).  It’s important to note that this covers outbound connectivity only.  The ASA does not have built…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now