VPN tunnel from PIX to CheckPoint (Behind F5 BigIP)

Is there a way to set up a VPN tunnel from a PIX to a Checkpoint Firewall (with its external interface running with a private IP address) behind an F5 BigIP that is NATing a public IP address to the private IP address?

When debugging I get the following error message:
crypto_isakmp_process_block:src:152.200.x.x, dest: 129.41.x.x spt:500 dpt:500
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload

TIA
Asked by CeLLuS

CLoz Commented:
You will need to configure both ends for NAT Traversal (NAT-T). NAT traversal makes both parties NAT aware, encapsulating IPsec within a UDP wrapper on port 4500 and correcting TCP or UDP header checksums that would otherwise be invalidated by translation.

Make sure you're not using Authentication Header (AH).  AH includes integrity protection over the IP header.  This means that changing the destination IP address (for example, when a virtual server translates the destination address from the virtual server address to the end point address) will cause a connection to fail.
0
 
parbul Commented:
Hi.

Check the time and date of both boxes (PIX and Checkpoint); they need to be equal.

Bye
0
 
grimkin Commented:
According to Cisco, this means that the ISAKMP keys do not match. Rekey/reset in order to ensure accuracy.
0
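
The receiver-side check behind the debug line in the question, as an added example (not part of the thread and not Cisco's code): every IKEv1 payload begins with a next-payload byte, a reserved byte that must be zero, and a 2-byte length, so a Phase 1 message decrypted with a mismatched key fails the reserved-byte test on its first payload. The function names, the error strings (modelled on the debug output above) and the sample bytes are constructed for illustration.

```python
import struct

# ISAKMP (IKEv1) payload type numbers used here, per RFC 2408 section 3.1:
# 5 = Identification, 8 = Hash, 0 = no further payload.

def walk_payloads(first_type, body):
    """Walk a chain of ISAKMP payloads, applying the receiver's sanity checks.

    Generic payload header: next-payload (1 byte), RESERVED (1 byte, must
    be 0), payload length (2 bytes, header included).
    Returns (list of (type, data), error string or None).
    """
    parsed, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(body):
            return parsed, "malformed payload: truncated header"
        nxt, reserved, length = struct.unpack_from("!BBH", body, off)
        if reserved != 0:
            return parsed, f"reserved not zero on payload {ptype}"
        if length < 4 or off + length > len(body):
            return parsed, f"malformed payload: bad length on payload {ptype}"
        parsed.append((ptype, body[off + 4:off + length]))
        ptype, off = nxt, off + length
    return parsed, None

def payload(next_type, data):
    """Build one payload with a correct generic header (RESERVED = 0)."""
    return struct.pack("!BBH", next_type, 0, 4 + len(data)) + data

# Constructed sample: ID payload (type 5) then HASH (type 8), the shape of
# the fifth main-mode message once it has been decrypted correctly.
# ID body: ID_IPV4_ADDR (1), protocol UDP (17), port 500, address 192.0.2.10
id_data = bytes([1, 17, 0x01, 0xF4]) + bytes([192, 0, 2, 10])
GOOD_BODY = payload(8, id_data) + payload(0, bytes(20))

# Constructed stand-in for the same message decrypted with the wrong key:
# bytes that bear no relation to the real plaintext.
BAD_BODY = bytes.fromhex("9c41e7aa03d25b1f6e08c4b2771a0df3a5e91c64")

if __name__ == "__main__":
    for label, body in (("matching key", GOOD_BODY), ("wrong key", BAD_BODY)):
        print(label, "->", walk_payloads(5, body))
```
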
Question has a verified solution.
