manuverhaegen
asked on
IPsec tunnel does not come up
Router HP comware router
Config remote site :
--------------------------
IKE phase1
encryption des
authen MD5
diffie-hellman group Group2 1024bit
renegotiate every 480 minutes
testpassword
IPSEC phase
encryption des
authen MD5
EPF diffie hellman group sup not selected
renegotiate 3600 sec
LAN 172.x.x.0 /24
WAN 203.x.x.x
Config my side :
-----------------------
acl number 3001
rule permit ip source 192.168.x.0 0.0.0.255 destination 172.x.x.x 0.0.0.255
quit
ike local-name vpntun01
ike proposal 1
encryption-algorithm des-cbc
authentication-algorithm md5
dh group2
sa duration 28800
quit
ike peer vpntun01
exchange-mode aggressive
pre-shared-key simple testpassword
proposal 1
local-address 192.168.x.x
remote-address 172.x.x.x
quit
ipsec transform-set 1
transform esp
esp encryption-algorithm des
esp authentication-algorithm md5
quit
ipsec profile vpntun01
ike-peer vpntun01
transform-set 1
sa duration time-based 3600
quit
interface tunnel 1
ip address 1.1.1.1 24
tunnel-protocol ipsec ipv4
source gigabitethernet 0/1
destination 203.x.x.x
ipsec profile vpntun01
quit
ip route-static 172.x.x.x 255.255.255.0 tunnel 1
Log file :
*Nov 28 20:34:19:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:ipsec acquire sa, use ike peer name: "vpntun01".
*Nov 28 20:34:19:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:19:478 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: IKE receive acquire SA request, IKE peer name:vpntun01.
*Nov 28 20:34:19:490 2016 Router1 IKE/7/DEBUG: Connection name is 202.x.x.x,203.x.x.x,500,,0 ,1,1
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: Check connection: SA for 202.x.x.x,203.x.x.x,500,,0 ,1,1 missing
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange lookup :name = 202.x.x.x,203.x.x.x,500,,0 ,1,1 phase = 2
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange lookup :name = 202.x.x.x,203.x.x.x,500,,0 ,0,0 phase = 1
*Nov 28 20:34:19:491 2016 Router1 IKE/7/DEBUG: exchange setup(I): a4c3250
*Nov 28 20:34:19:641 2016 Router1 IKE/7/DEBUG: create udp resource:name = 202.x.x.x,203.x.x.x,500,,0 ,0,0.
*Nov 28 20:34:19:691 2016 Router1 IKE/7/DEBUG: add payload to message: SA
*Nov 28 20:34:19:791 2016 Router1 IKE/7/DEBUG: DOI: 1
*Nov 28 20:34:19:892 2016 Router1 IKE/7/DEBUG: add payload to message: PROPOSAL
*Nov 28 20:34:19:992 2016 Router1 IKE/7/DEBUG: NO: 1
*Nov 28 20:34:20:142 2016 Router1 IKE/7/DEBUG: PROTO: ISAKMP
*Nov 28 20:34:20:242 2016 Router1 IKE/7/DEBUG: SPI_SZ: 0
*Nov 28 20:34:20:392 2016 Router1 IKE/7/DEBUG: NTRANSFORMS: 1
*Nov 28 20:34:20:443 2016 Router1 IKE/7/DEBUG: add payload to message: TRANSFORM
*Nov 28 20:34:20:593 2016 Router1 IKE/7/DEBUG: NO: 0
*Nov 28 20:34:20:643 2016 Router1 IKE/7/DEBUG: ID: 1
*Nov 28 20:34:20:693 2016 Router1 IKE/7/DEBUG: Transform 0's attributes
*Nov 28 20:34:20:793 2016 Router1 IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : DES_CBC
*Nov 28 20:34:20:843 2016 Router1 IKE/7/DEBUG: Attribute HASH_ALGORITHM : MD5
*Nov 28 20:34:20:894 2016 Router1 IKE/7/DEBUG: Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Nov 28 20:34:20:994 2016 Router1 IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_1024
*Nov 28 20:34:21:044 2016 Router1 IKE/7/DEBUG: Attribute LIFE_TYPE : SECONDS
*Nov 28 20:34:21:144 2016 Router1 IKE/7/DEBUG: Attribute LIFE_DURATION : 28800
*Nov 28 20:34:21:194 2016 Router1 IKE/7/DEBUG: P1 initiator send SA message.
*Nov 28 20:34:21:245 2016 Router1 IKE/7/DEBUG: add payload to message: KEY_EXCH
*Nov 28 20:34:21:345 2016 Router1 IKE/7/DEBUG: Group ID: 2
*Nov 28 20:34:21:445 2016 Router1 IKE/7/DEBUG: add payload to message: NONCE
*Nov 28 20:34:21:495 2016 Router1 IKE/7/DEBUG: add payload to message: VENDOR
*Nov 28 20:34:21:595 2016 Router1 IKE/7/DEBUG:
IKE_DPD: send VID : afcad713 68a1f1c9 6b8696fc 77570100 (DPD)
*Nov 28 20:34:21:695 2016 Router1 IKE/7/DEBUG: add payload to message: ID
*Nov 28 20:34:21:796 2016 Router1 IKE/7/DEBUG: TYPE: 1
*Nov 28 20:34:21:846 2016 Router1 IKE/7/DEBUG: DOI_DATA: 0x000000
*Nov 28 20:34:21:946 2016 Router1 IKE/7/DEBUG: exchange check: checking for required SA
*Nov 28 20:34:22:046 2016 Router1 IKE/7/DEBUG: exchange check: checking for required KEY_EXCH
*Nov 28 20:34:22:096 2016 Router1 IKE/7/DEBUG: exchange check: checking for required NONCE
*Nov 28 20:34:22:197 2016 Router1 IKE/7/DEBUG: exchange check: checking for required ID
*Nov 28 20:34:22:247 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:22:397 2016 Router1 IKE/7/DEBUG: ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:22:447 2016 Router1 IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Nov 28 20:34:22:497 2016 Router1 IKE/7/DEBUG: NEXT_PAYLOAD: SA
*Nov 28 20:34:22:597 2016 Router1 IKE/7/DEBUG: VERSION: 16
*Nov 28 20:34:22:699 2016 Router1 IKE/7/DEBUG: EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:22:799 2016 Router1 IKE/7/DEBUG: FLAGS: [ ]
*Nov 28 20:34:22:899 2016 Router1 IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*Nov 28 20:34:22:949 2016 Router1 IKE/7/DEBUG: LENGTH: 268
*Nov 28 20:34:23:050 2016 Router1 IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Nov 28 20:34:23:100 2016 Router1 IPSEC/7/DBG:
Entering IPsec NAT bypass pross.
*Nov 28 20:34:23:200 2016 Router1 IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Nov 28 20:34:24:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:
IPsec SA is negotiating.
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:24:477 2016 Router1 TUNNEL/7/debug:
Failed to check the submodule
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: NEXT_PAYLOAD: SA
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: VERSION: 16
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG: EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG: FLAGS: [ ]
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*Nov 28 20:34:28:550 2016 Router1 IKE/7/DEBUG: LENGTH: 268
*Nov 28 20:34:28:650 2016 Router1 IPSEC/7/DBG:
Entering IPsec NAT bypass pross.
This is site-to-site, correct? Change aggressive mode to Main Mode and turn on NAT Traversal. See if one or both changes help.
ASKER
I have changed aggressive mode to Main Mode and turned on NAT Traversal.
The tunnel does not come up.
Log file remote site:
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
Mon Nov 28 21:45:23 2016 (GMT +0100): [FVS336GV3] [IKE] ERROR: Invalid SA protocol type: 0
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: Configuration found for 202.x.x.x.
Mon Nov 28 21:44:52 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: accept a request to establish IKE-SA: 202.x.x.x
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: Configuration found for 202.x.x.x.
Mon Nov 28 21:44:48 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: accept a request to establish IKE-SA: 202.x.x.x
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: Beginning Identity Protection mode.
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: Initiating new phase 1 negotiation: 203.x.x.x[500]<=>202.x.x.x [500]
Mon Nov 28 21:44:40 2016 (GMT +0100): [FVS336GV3] [IKE] INFO: Configuration found for 202.x.x.x.
Mon Nov 28 20:44:40 2016 (GMT +0000): [FVS336GV3] [IKE] INFO: accept a request to establish IKE-SA: 202.x.x.x
Phase 2 negotiation failed due to time up waiting for phase1.
encryption-algorithm des-cbc
authentication-algorithm md5
dh group2
This does not precisely match the other end (but I am not completely familiar with command line Cisco).
What is des-cbc on your end compared to des on remote end?
EPF diffie hellman group sup not selected <-- Is PFS disabled? I keep it disabled and then DH Group 2 is not part of phase 2.
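Added example, not code from the thread, from HP or from Netgear: a small Python checker for the situation in the question and in the answer above, where Phase 1 never completes and the two sides describe the same parameters with different labels. It parses the Comware IKE debug lines from the question (the sample below is a constructed subset of that trace), folds the vendor labels onto one spelling so that "des" versus "des-cbc" or "Group2" versus "MODP_1024" are not mistaken for real mismatches, compares the proposal the router sent against the remote-site settings listed in the question (exchange mode taken from the Netgear line "Beginning Identity Protection mode", which is IKEv1 main mode), and checks whether the peer ever answered: the responder cookie stays all zeros across repeated sends when no reply arrived. The alias tables are my own and cover only the algorithms mentioned in this thread. In IKEv1 the DES transform is DES-CBC (RFC 2409 Appendix A, value 1), so the two names are the same algorithm; the checker also flags DES, MD5 and 1024-bit DH as weak, since all three are long deprecated.

```python
"""Added example (not code from the thread, HP or Netgear): check a Comware IKEv1
Phase 1 debug trace against the peer's documented settings."""
import re

# Constructed subset of the Comware trace posted in the question.
COMWARE_DEBUG = """\
*Nov 28 20:34:20:793 2016 Router1 IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : DES_CBC
*Nov 28 20:34:20:843 2016 Router1 IKE/7/DEBUG: Attribute HASH_ALGORITHM : MD5
*Nov 28 20:34:20:994 2016 Router1 IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_1024
*Nov 28 20:34:21:144 2016 Router1 IKE/7/DEBUG: Attribute LIFE_DURATION : 28800
*Nov 28 20:34:22:247 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:22:397 2016 Router1 IKE/7/DEBUG: ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:22:447 2016 Router1 IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Nov 28 20:34:22:699 2016 Router1 IKE/7/DEBUG: EXCH_TYPE: AGGRESSIVE
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: send message:
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: ICOOKIE: 0x62c513d54755f1b6
*Nov 28 20:34:28:499 2016 Router1 IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Nov 28 20:34:28:500 2016 Router1 IKE/7/DEBUG: EXCH_TYPE: AGGRESSIVE
"""

# Remote side as the question lists it (480 minutes = 28800 s); the exchange mode is
# taken from the Netgear log line "Beginning Identity Protection mode" (IKEv1 main mode).
REMOTE_PHASE1 = {"encryption": "des", "hash": "md5", "group": "Group2",
                 "lifetime": 480 * 60, "exchange": "Identity Protection"}

# Vendor labels folded onto one canonical spelling per parameter (assumed tables, limited
# to the algorithms in this thread). IKEv1's DES transform is DES-CBC (RFC 2409 App. A),
# so "des" in a GUI and "des-cbc" in a CLI name the same algorithm.
ALIASES = {
    "encryption": {"des": "des_cbc", "des_cbc": "des_cbc", "3des": "3des_cbc", "3des_cbc": "3des_cbc"},
    "hash": {"md5": "md5", "sha": "sha1", "sha1": "sha1", "sha_1": "sha1"},
    "group": {"group1": 1, "modp_768": 1, "group2": 2, "modp_1024": 2,
              "group5": 5, "modp_1536": 5, "group14": 14, "modp_2048": 14},
    "exchange": {"main": "main", "identity_protection": "main", "aggressive": "aggressive"},
}
WEAK = {"des_cbc": "single DES", "md5": "MD5", 1: "DH group 1 (768-bit)", 2: "DH group 2 (1024-bit)"}
ZERO_COOKIE = "0x0000000000000000"
ATTR = re.compile(r"Attribute (?P<key>[A-Z_]+)\s*:\s*(?P<val>\S+)")
FIELD = re.compile(r"IKE/7/DEBUG:\s*(?P<key>[A-Z_]+)\s*:\s*(?P<val>\S+)")


def norm(kind, value):
    """Canonical form of a vendor label: lower-case, '-' and ' ' folded to '_'."""
    key = str(value).lower().replace("-", "_").replace(" ", "_")
    return ALIASES[kind].get(key, key)


def parse_phase1(log):
    """Collect the Phase 1 attributes, exchange types and (ICOOKIE, RCOOKIE) pairs."""
    attrs, messages, exchange, icookie = {}, [], set(), None
    for line in log.splitlines():
        m = ATTR.search(line)
        if m:
            attrs[m["key"]] = m["val"]
            continue
        m = FIELD.search(line)
        if not m:
            continue
        key, val = m["key"], m["val"]
        if key == "ICOOKIE":
            icookie = val
        elif key == "RCOOKIE" and icookie:
            messages.append((icookie, val))
            icookie = None
        elif key == "EXCH_TYPE":
            exchange.add(val)
    return {"attrs": attrs, "messages": messages, "exchange": exchange}


def check_responder(messages):
    """Message 1 of Phase 1 carries an all-zero RCOOKIE; the same ICOOKIE sent again
    with RCOOKIE still zero means the peer never answered (retransmission)."""
    unanswered = {}
    for icookie, rcookie in messages:
        if rcookie == ZERO_COOKIE:
            unanswered[icookie] = unanswered.get(icookie, 0) + 1
    return {"peer_replied": any(r != ZERO_COOKIE for _, r in messages),
            "retransmits": sum(n - 1 for n in unanswered.values())}


def compare_phase1(parsed, remote):
    """List Phase 1 parameters that still differ after normalisation, plus weak choices."""
    a = parsed["attrs"]
    local = {"encryption": norm("encryption", a.get("ENCRYPTION_ALGORITHM", "")),
             "hash": norm("hash", a.get("HASH_ALGORITHM", "")),
             "group": norm("group", a.get("GROUP_DESCRIPTION", "")),
             "lifetime": int(a.get("LIFE_DURATION", 0))}
    mismatches = []
    for k in ("encryption", "hash", "group"):
        if local[k] != norm(k, remote[k]):
            mismatches.append(f"{k}: local {local[k]} vs remote {norm(k, remote[k])}")
    if local["lifetime"] != int(remote["lifetime"]):
        mismatches.append(f"lifetime: local {local['lifetime']} vs remote {remote['lifetime']}")
    exch = sorted(norm("exchange", e) for e in parsed["exchange"])
    want = norm("exchange", remote["exchange"])
    if want not in exch:
        mismatches.append(f"exchange: local {exch} vs remote {want}")
    weak = [WEAK[v] for v in (local["encryption"], local["hash"], local["group"]) if v in WEAK]
    return {"mismatches": mismatches, "weak": weak}


def diagnose(log, remote):
    """Full report: mismatches, weak algorithms, and whether the peer ever replied."""
    parsed = parse_phase1(log)
    report = compare_phase1(parsed, remote)
    report.update(check_responder(parsed["messages"]))
    return report


if __name__ == "__main__":
    for k, v in diagnose(COMWARE_DEBUG, REMOTE_PHASE1).items():
        print(f"{k}: {v}")
```

On the constructed input the only real mismatch is the exchange mode (aggressive locally, main on the Netgear), while the DES/DES-CBC and Group2/MODP_1024 labels reconcile; the two sends with the same ICOOKIE and a zero RCOOKIE show that no ISAKMP reply reached the router at all, which points at UDP 500 (and 4500 with NAT-T) reachability or at the peer dropping the request, rather than at the cipher names. To use it on a live case, replace COMWARE_DEBUG with the router's own IKE debug output and REMOTE_PHASE1 with the peer's settings; a lifetime difference is listed for completeness but is usually tolerated by responders, whereas algorithm, group and exchange-mode differences are not.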
ASKER
Yes, there is a difference between des-cbc and des.
ASKER
The options on both firewalls are different.
For Checkpoint
IKE: 3DES, AES-128, AES-256, DES, CAST
IPSEC: 3DES, AES-128, AES-256, DES, CAST, DES-40CP, CAST-40
For Cisco
IKE: 3des-cbc, aes-cbc, des-cbc
IPSEC: 3des, aes-cbc-128, aes-cbc-192, aes-cbc-256,
aes-ctr-128, aes-ctr-192, aes-ctr-256, des
The phases must match, and when they do not (as your logs say) you cannot connect. You may need to replace the Checkpoint VPN with a Cisco VPN box.
ASKER
This is not a solution for me; we have more than 150 customers with different firewalls. We cannot ask customers to buy Cisco.
You then need to call Checkpoint Support, lodge a case and see if they can match the Cisco VPN settings.
Thanks. If you call Checkpoint and need more help, post again and we can assist.