Cisco ASA to Checkpoint L2L VPN issues

I am trying to form a VPN tunnel between a Cisco ASA 5540 and a third party managed Checkpoint firewall.  Since I cannot see the config on the Checkpoint, I am hoping that someone can perhaps point me in the right direction.

Phase 1 completes between the two firewalls but Phase 2 initiates and dies.  To my knowledge it looks like an encryption domain issue, but the 3rd party assures me that they have the correct subnets configured.

When I try to initiate a tunnel I receive the following messages:

Group = 1.1.1.1, IP = 1.1.1.1 PHASE 1 COMPLETED
Group = 1.1.1.1, IP = 1.1.1.1 , received non-routine Notify Message: Invalid ID (18)
Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct..........)
Group = 1.1.1.1, IP = 1.1.1.1, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Group = 1.1.1.1, IP = 1.1.1.1, Removing Peer from correlator table failed, no match!

If anyone has had any experience with Cisco to Checkpoint VPN, it seems Checkpoint also has an option to specify tunnel types [one vpn per host pair] or [one vpn tunnel per subnet pair] - not sure which one the 3rd party should be using.


Many thanks
Asked by krisleeson

gavving commented:
FYI I've run into this type of problem a lot when trying to get a tunnel to a Checkpoint firewall. The problem appears to be that Checkpoint will summarize the IP blocks it presents as the remote proxy (encryption domain), even though the Checkpoint admin didn't set it that way. I've had remote admins tell me specifically what IP blocks they have configured in their encryption domain and it doesn't match the proposal that the Cisco sees.

In the past I was able to fix this by initiating debug traffic on the Cisco so that I could actually see the proposal the Checkpoint was sending, then configure the Cisco to match those IP networks and subnets. This was relatively easy on 6.3, but on 7.x and higher it's a bit more of a hassle. I believe you'd need to enable almost the full level debug to see the data needed. For example:

debug crypto ipsec 240
(although I'm not sure that 240 will show what you need, you may want to work your way up from there to 255)

Then you just have to filter through the debug detail to get the proposal information that the Checkpoint is sending.

If there's any way to have the Checkpoint admin find this information out, I've never run across it...

gavving commented:
FYI while doing some troubleshooting today for a different purpose I did confirm that lvl '240' is enough for the ASA to show you the subnet in the IPsec proposal. Once you find out what the Checkpoint is sending you can match it and should be able to get the tunnel working.
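The replies above describe the fix in words: read the Phase 2 proxy identities the Checkpoint actually proposes out of the ASA debug, then make the crypto-map ACL match them. The script below is an added example (not from the thread or from Cisco) that does the comparison step once you have extracted those values: it checks each proposed local/remote pair against the ACL, detects the summarization case the first reply describes (the peer proposes a supernet of what the admin said), and prints the ASA ACL lines that would match. All subnets and the ACL name are constructed sample values.

```python
"""Compare a peer's proposed Phase 2 proxy IDs with the local crypto ACL."""
from ipaddress import ip_network

# Constructed: what the ASA crypto-map ACL currently permits (local -> remote).
LOCAL_ACL = [
    ("10.10.1.0/24", "192.168.10.0/24"),
    ("10.10.1.0/24", "192.168.11.0/24"),
]

# Constructed: the proxy IDs seen in the debug after the peer summarized
# its encryption domain into one /23 instead of two /24s.
PEER_PROPOSALS = [
    ("10.10.1.0/24", "192.168.10.0/23"),
]


def classify(acl, proposals):
    """Return (local, remote, verdict, covered_acl_entries) per proposal.

    verdict is 'match' for an exact ACL hit, 'peer-summarized' when the
    peer's remote network is a supernet of one or more ACL entries for the
    same local network, and 'mismatch' otherwise (a real encryption-domain
    disagreement that the peer admin has to resolve)."""
    acl_pairs = [(ip_network(l), ip_network(r)) for l, r in acl]
    verdicts = []
    for local, remote in proposals:
        pl, pr = ip_network(local), ip_network(remote)
        if (pl, pr) in acl_pairs:
            verdicts.append((local, remote, "match", []))
            continue
        covered = [f"{l}->{r}" for l, r in acl_pairs
                   if l == pl and r != pr and r.subnet_of(pr)]
        verdict = "peer-summarized" if covered else "mismatch"
        verdicts.append((local, remote, verdict, covered))
    return verdicts


def acl_lines(name, pairs):
    """Render (local, remote) pairs as ASA extended access-list entries
    (network/mask form, one line per proposal) so the proxy IDs match."""
    out = []
    for local, remote in pairs:
        l, r = ip_network(local), ip_network(remote)
        out.append(f"access-list {name} extended permit ip "
                   f"{l.network_address} {l.netmask} "
                   f"{r.network_address} {r.netmask}")
    return out


if __name__ == "__main__":
    results = classify(LOCAL_ACL, PEER_PROPOSALS)
    for local, remote, verdict, covered in results:
        print(f"{local} -> {remote}: {verdict}", covered or "")
    fixable = [(l, r) for l, r, v, _ in results if v != "mismatch"]
    print("\n".join(acl_lines("L2L-CHECKPOINT", fixable)))
```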
Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.