5 Replies Latest reply: May 2, 2010 6:09 AM by Paul Stewart - CCIE Security

    Site to Site vpn configuring on ASA5510 and CHECK POINT.

    meet_mkhan

      Hi, Experts,

      I am trying to establish a site-to-site VPN tunnel between a Cisco ASA 5510 and a Check Point. When I have configured everything on the Check Point and the ASA 5510, the tunnel is not established, and the ASA 5510 shows an error message. Please check the attached file for the configuration and show command output.

      Kindly help me in solving this issue. Thanks a lot in advance.

        • 1. Re: Site to Site vpn configuring on ASA5510 and CHECK POINT.
          Paul Stewart - CCIE Security

          Cisco does not recommend sharing the NAT ACL and the crypto ACL, so I would do the following:

          access-list 116 extended permit ip 192.168.11.0 255.255.255.0 62.x.x.x 255.255.255.0

          crypto map map1 10 match address 116

          This certainly may still not resolve the problem. The error seems to me to indicate that phase 2 is not happy. It seems that phase 1 is working properly both as an initiator and as a responder. Assuming the issues persist after the above configuration changes, do the isakmp and ipsec debugs, but add 128 on to the end. This will increase the verbosity.

          • 2. Re: Site to Site vpn configuring on ASA5510 and CHECK POINT.
            meet_mkhan

            Dear Paul, I implemented ACL 116 and also added 128 at the end of the debugs, but the same problem is occurring. Please check the attached file below.

            • 3. Re: Site to Site vpn configuring on ASA5510 and CHECK POINT.
              Paul Stewart - CCIE Security

              I think there might be an issue with the phase 2 SA. Can you double-check the configuration on the Check Point? Check out the following line:

              crypto ipsec transform-set set1 esp-aes esp-none

              This is the transform set applied on the ASA. This is 128-bit AES and no authentication. If there is HMAC authentication, the command should look like:

              crypto ipsec transform-set set1 esp-aes esp-sha-hmac

              --or--

              crypto ipsec transform-set set1 esp-aes esp-md5-hmac

              The above would need to match the Check Point configuration.

              May 01 15:36:29 [IKEv1 DEBUG]: Group = 62.x.x.x, IP = 62.x.x.x, constructing qm hash payload
              May 01 15:36:29 [IKEv1 DECODE]: Group = 62.x.x.x, IP = 62.x.x.x, IKE Initiator sending 1st QM pkt: msg id = fe747cce
              <snip>
              May 01 15:36:30 [IKEv1 DEBUG]: IP = 62.x.x.x, processing SA payload
              May 01 15:36:30 [IKEv1]: IP = 62.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
              May 01 15:36:30 [IKEv1 DEBUG]: IP = 62.x.x.x, All SA proposals found unacceptable
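
The debug excerpt above is the kind of output a practitioner triages by hand: was the proposal rejected during main mode (phase 1) or during quick mode (phase 2)? As an added example, not code from the thread, from Cisco or from Check Point, here is a small Python classifier that walks ASA `debug crypto isakmp` lines, notes when quick mode has begun, and reports which phase the rejection belongs to and what to check. The first sample is the lines quoted above with the poster's obfuscated peer address left as-is; the second sample is constructed for this example, uses a documentation address, and shows a rejection before quick mode starts. The marker strings are the ones visible above plus `PHASE 1 COMPLETED` and `QM FSM error`, which later replies in this thread refer to.

```python
import re

# Sample 1: the lines quoted in the reply above, peer address obfuscated as in
# the thread. Sample 2 is constructed for this example (documentation address)
# and shows a rejection while still in main mode.
PHASE2_REJECTED = """\
May 01 15:36:29 [IKEv1 DEBUG]: Group = 62.x.x.x, IP = 62.x.x.x, constructing qm hash payload
May 01 15:36:29 [IKEv1 DECODE]: Group = 62.x.x.x, IP = 62.x.x.x, IKE Initiator sending 1st QM pkt: msg id = fe747cce
<snip>
May 01 15:36:30 [IKEv1 DEBUG]: IP = 62.x.x.x, processing SA payload
May 01 15:36:30 [IKEv1]: IP = 62.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
May 01 15:36:30 [IKEv1 DEBUG]: IP = 62.x.x.x, All SA proposals found unacceptable
"""
PHASE1_REJECTED = """\
May 01 15:40:02 [IKEv1 DEBUG]: IP = 203.0.113.9, processing SA payload
May 01 15:40:02 [IKEv1 DEBUG]: IP = 203.0.113.9, All SA proposals found unacceptable
"""

# "May 01 15:36:29 [IKEv1 DEBUG]: <message>"; the level after IKEv1 is optional.
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d\d \d\d:\d\d:\d\d) \[IKEv1(?: (?P<level>[A-Z]+))?\]: (?P<msg>.*)$"
)
_PEER_RE = re.compile(r"\bIP = ([^,\s]+)")

# Messages that only appear once main mode is done and quick mode has started.
QM_MARKERS = ("PHASE 1 COMPLETED", "qm hash", "QM pkt", "QM FSM")
# Failure messages and a short description of each.
FAILURES = {
    "All SA proposals found unacceptable": "proposal rejected",
    "QM FSM error": "quick mode FSM error",
}


def triage(debug_text):
    """Walk ASA IKEv1 debug output and say where the negotiation died.

    Returns {"peer": ip, "phase": 1 or 2, "verdict": str}. The phase is 1
    until a quick-mode marker is seen. A rejection in phase 1 points at the
    isakmp policy; a rejection in phase 2 points at the transform set, PFS or
    the crypto ACL / encryption domain, which is what this thread ends up on.
    Lines that do not look like ASA debug output (the '<snip>') are skipped.
    """
    phase, peer, verdict = 1, None, "no failure seen"
    for raw in debug_text.splitlines():
        m = _LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        p = _PEER_RE.search(msg)
        if p:
            peer = p.group(1)
        if any(marker in msg for marker in QM_MARKERS):
            phase = 2
        for marker, what in FAILURES.items():
            if marker in msg:
                if phase == 1:
                    verdict = (f"phase 1 {what} at {m.group('ts')}: check the isakmp policy "
                               f"(encryption, hash, DH group, authentication, lifetime)")
                else:
                    verdict = (f"phase 2 {what} at {m.group('ts')}: check the transform set, "
                               f"PFS, and that the crypto ACL mirrors the peer's encryption domain")
    return {"peer": peer, "phase": phase, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("thread excerpt", PHASE2_REJECTED), ("constructed", PHASE1_REJECTED)):
        print(name, triage(sample))
```

The classifier deliberately keys on message text rather than on the `NOTIFY (11)` payload, because the notify type is the same for both phases; the quick-mode markers are what separate the two cases.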

              • 4. Re: Site to Site vpn configuring on ASA5510 and CHECK POINT.
                meet_mkhan

                Hi,

                Thanks for rectifying the error. I replaced crypto ipsec transform-set set1 esp-aes esp-none with crypto ipsec transform-set set1 esp-aes esp-sha-hmac, and I am sure that the Check Point config is correct, but I am still getting the same error. Please find the attached file below, which shows the output of some debugging commands.

                • 5. Re: Site to Site vpn configuring on ASA5510 and CHECK POINT.
                  Paul Stewart - CCIE Security

                  I don't see any errors related to the transform set now. In the previous debug, there were some "All SA proposals found unacceptable" messages. The FSM error usually has to do with mismatched crypto ACLs in the Cisco world. So the equivalent of defining the remote and local networks for encryption on the Check Point must be confirmed to match the mirror of the access list:

                  access-list 116 extended permit ip 192.168.11.0 255.255.255.0 62.x.x.x 255.255.255.0

                  In other words, the phase 2 SA must be built to encrypt from 62.x.x.x/24 to 192.168.11.0/24.

                  One other question I have: do you know if Check Point builds an SA for each host-to-host connection, or based on the rule? My guess would be based on the rule. However, if it attempts to build SAs host to host, it will present like this as well. Also, make sure PFS (perfect forward secrecy) isn't enabled on the Check Point.

                  Also, if you have any logs on the Check Point, maybe see what they are telling you. I'm not sure exactly what is going on at this point, but it seems the phase 2 SAs are still not being built correctly.
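
The three phase 2 checks this thread converges on (the peer's encryption domain must be the exact mirror of the crypto ACL, the transform set must match the peer's proposal, and PFS must agree on both ends) can be written down as a single comparison. The following Python is an added example, not configuration from the thread or from either vendor: it parses the ASA lines quoted above and compares them against a constructed description of what the Check Point side proposes in quick mode. The thread's 62.x.x.x network is obfuscated, so 62.0.0.0/24 stands in for it; the two peer dictionaries, the field names in them and the "per-host" hint are assumptions made for illustration.

```python
import ipaddress
import re

# ASA side, modelled on the lines quoted in this thread. The thread's 62.x.x.x
# network is obfuscated; 62.0.0.0/24 is a placeholder for it.
ASA_CRYPTO_ACL = [
    "access-list 116 extended permit ip 192.168.11.0 255.255.255.0 62.0.0.0 255.255.255.0",
]
ASA_TRANSFORM_SET = "crypto ipsec transform-set set1 esp-aes esp-sha-hmac"
ASA_PFS_GROUP = None  # no 'set pfs' on crypto map map1 10

# Constructed stand-ins for what the Check Point side proposes in quick mode:
# its own encryption domain, the remote domain, and the IPsec proposal.
PEER_GOOD = {
    "local": "62.0.0.0/24", "remote": "192.168.11.0/24",
    "encryption": "aes", "key_bits": 128, "integrity": "sha1", "pfs_group": None,
}
PEER_BAD = {  # per-host identities, MD5 integrity and PFS on: three mismatches
    "local": "62.0.0.10/32", "remote": "192.168.11.25/32",
    "encryption": "aes", "key_bits": 128, "integrity": "md5", "pfs_group": 2,
}

_ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)
# ASA transform-set keywords -> (cipher, key bits); esp-none means no integrity.
_ENC = {"esp-des": ("des", 56), "esp-3des": ("3des", 168), "esp-aes": ("aes", 128),
        "esp-aes-192": ("aes", 192), "esp-aes-256": ("aes", 256)}
_AUTH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5", "esp-none": None}


def parse_crypto_acl(lines):
    """Return the (local, remote) proxy identities a crypto ACL defines.

    Only 'permit ip <net> <mask> <net> <mask>' entries are handled, which is
    the shape of access-list 116 above; 'host' and 'any' forms are rejected.
    """
    pairs = []
    for line in lines:
        m = _ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line!r}")
        local = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        remote = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        pairs.append((local, remote))
    return pairs


def parse_transform_set(line):
    """Turn 'crypto ipsec transform-set NAME <enc> <auth>' into a proposal."""
    words = line.split()
    if words[:3] != ["crypto", "ipsec", "transform-set"] or len(words) != 6:
        raise ValueError(f"unsupported transform set: {line!r}")
    cipher, bits = _ENC[words[4]]
    return {"name": words[3], "encryption": cipher, "key_bits": bits,
            "integrity": _AUTH[words[5]]}


def check_phase2(acl_lines, transform_line, pfs_group, peer):
    """List every reason the ASA side would reject the peer's quick-mode proposal.

    Proxy IDs must be the exact mirror of the crypto ACL, the transform set
    must match field by field, and PFS must agree. Empty list = no mismatch.
    """
    problems = []
    peer_local = ipaddress.ip_network(peer["local"])
    peer_remote = ipaddress.ip_network(peer["remote"])
    mirrored = [(remote, local) for local, remote in parse_crypto_acl(acl_lines)]
    if (peer_local, peer_remote) not in mirrored:
        hint = ""
        # Narrower identities inside the ACL's networks look like per-host SAs.
        if any(peer_local.subnet_of(asa_remote) and peer_remote.subnet_of(asa_local)
               for asa_remote, asa_local in mirrored):
            hint = " (peer IDs are narrower than the ACL: looks like per-host SAs)"
        expected = [f"{r} -> {l}" for r, l in mirrored]
        problems.append(f"proxy ID mismatch: peer proposes {peer_local} -> {peer_remote}, "
                        f"ASA expects one of {expected}{hint}")
    ts = parse_transform_set(transform_line)
    for field in ("encryption", "key_bits", "integrity"):
        if ts[field] != peer[field]:
            problems.append(f"transform mismatch on {field}: ASA {ts[field]!r}, peer {peer[field]!r}")
    if pfs_group != peer["pfs_group"]:
        problems.append(f"PFS mismatch: ASA group {pfs_group}, peer group {peer['pfs_group']}")
    return problems


if __name__ == "__main__":
    for name, peer in (("good peer", PEER_GOOD), ("bad peer", PEER_BAD)):
        print(name, check_phase2(ASA_CRYPTO_ACL, ASA_TRANSFORM_SET, ASA_PFS_GROUP, peer) or "OK")
```

Running the same check with the thread's original `esp-aes esp-none` transform set against the good peer reports exactly one problem, the missing integrity algorithm, which is the mismatch the third reply picked out; the bad peer reproduces the situation the last reply describes, where the proxy identities, the integrity algorithm and PFS all disagree at once and a debug on either side only shows a rejected proposal.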