13150 Views, 5 Replies. Latest reply: May 2, 2010 6:09 AM by Paul Stewart - CCIE Security, CCSI

Site-to-site VPN configuration on ASA5510 and Check Point

May 1, 2010 3:00 PM

meet_mkhan 62 posts since
May 1, 2010

Hi, Experts,

I am trying to establish a site-to-site VPN tunnel between a Cisco ASA5510 and a Check Point. After I have configured everything on the Check Point and on the ASA5510, the tunnel is not established, and the ASA5510 shows an error message. Please check the attached file for the configuration and show commands.

Kindly help me in solving this issue. Thanks a lot in advance.

Attachments:
  • Paul Stewart  -  CCIE Security, CCSI 6,986 posts since
    Jul 18, 2008

    Cisco does not recommend sharing the NAT ACL and the crypto ACL, so I would do the following:

    access-list 116 extended permit ip 192.168.11.0 255.255.255.0 62.x.x.x 255.255.255.0

    crypto map map1 10 match address 116

    This certainly may still not resolve the problem. The error seems to me to indicate that phase 2 is not happy. It seems that phase 1 is working properly both as an initiator and as a responder. Assuming the issues persist after the above configuration changes, do the isakmp and ipsec debugs, but add 128 on to the end. This will increase the verbosity.

  • Paul Stewart  -  CCIE Security, CCSI 6,986 posts since
    Jul 18, 2008

    I think there might be an issue with the phase 2 SA. Can you double-check the configuration on the Check Point? Check out the following line:

    crypto ipsec transform-set set1 esp-aes esp-none

    This is the transform set applied on the ASA. This is 128-bit AES and no authentication. If there is an HMAC authentication, the command should look like:

    crypto ipsec transform-set set1 esp-aes esp-sha-hmac

    or:

    crypto ipsec transform-set set1 esp-aes esp-md5-hmac

    The above would need to match the Check Point configuration.

    May 01 15:36:29 [IKEv1 DEBUG]: Group = 62.x.x.x, IP = 62.x.x.x, constructing qm hash payload
    May 01 15:36:29 [IKEv1 DECODE]: Group = 62.x.x.x, IP = 62.x.x.x, IKE Initiator sending 1st QM pkt: msg id = fe747cce
    <snip>
    May 01 15:36:30 [IKEv1 DEBUG]: IP = 62.x.x.x, processing SA payload
    May 01 15:36:30 [IKEv1]: IP = 62.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 100
    May 01 15:36:30 [IKEv1 DEBUG]: IP = 62.x.x.x, All SA proposals found unacceptable

  • Paul Stewart  -  CCIE Security, CCSI 6,986 posts since
    Jul 18, 2008

    I don't see any errors related to the transform set now. In the previous debug, there were some "All SA proposals found unacceptable". The FSM error usually has to do with mismatched crypto ACLs in the Cisco world. So the equivalent of defining the remote and local network for encryption in the Check Point must be confirmed to match the mirror of the access list:

    access-list 116 extended permit ip 192.168.11.0 255.255.255.0 62.x.x.x 255.255.255.0

    In other words, the phase 2 SA must be built to encrypt from 62.x.x.x/24 to 192.168.11.0/24.

    One other question I have: do you know if the Check Point builds an SA for each host-to-host connection, or based on the rule? My guess would be based on the rule. However, if it attempts to build SAs host to host, it will present like this as well. Also, make sure PFS (perfect forward secrecy) isn't enabled on the Check Point.

    Also, if you have any logs on the Check Point, maybe see what they are telling you. I'm not sure exactly what is going on at this point, but it seems the phase 2 SAs are still not being built correctly.
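The three replies above each fix one piece of the ASA side (a crypto ACL separate from the NAT-exemption ACL, a transform set with HMAC integrity, and a crypto ACL that exactly mirrors the Check Point encryption domain with PFS agreed on both ends). The following is a complete ASA-side configuration that applies all of them together with the verification and verbose debug commands. It is an added example written for this page, not the poster's attached configuration or Cisco's own documentation; it assumes pre-8.3 ASA NAT syntax (matching the 8.2-style commands quoted in the thread), interfaces named inside and outside, the masked 62.x.x.x value from the thread as both the Check Point peer address and the remote network, and a placeholder pre-shared key.

```cisco
! Phase 1 (ISAKMP / IKEv1). Every value here must match the Check Point
! gateway's IKE (phase 1) properties or no tunnel will ever start.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Peer definition with the pre-shared key (the key is a placeholder).
tunnel-group 62.x.x.x type ipsec-l2l
tunnel-group 62.x.x.x ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-KEY

! Phase 2 transform set: AES-128 with SHA-1 HMAC integrity.
! "esp-aes esp-none" (as in the thread) proposes ESP with no integrity check;
! the Check Point's IPsec (phase 2) properties must select the same cipher and hash.
crypto ipsec transform-set set1 esp-aes esp-sha-hmac

! Crypto ACL (interesting traffic): one subnet-to-subnet entry. The Check Point
! encryption domain must be the exact mirror of this line (its local network
! 62.x.x.x/24, its remote network 192.168.11.0/24). A per-host or overlapping
! definition on the far side produces a proxy-ID mismatch in Quick Mode.
access-list 116 extended permit ip 192.168.11.0 255.255.255.0 62.x.x.x 255.255.255.0

! NAT exemption gets its OWN ACL (pre-8.3 syntax) instead of reusing ACL 116.
access-list nonat extended permit ip 192.168.11.0 255.255.255.0 62.x.x.x 255.255.255.0
nat (inside) 0 access-list nonat

! Crypto map tying the pieces together and bound to the outside interface.
crypto map map1 10 match address 116
crypto map map1 10 set peer 62.x.x.x
crypto map map1 10 set transform-set set1
! PFS must be the same on both ends: leave the next line out when PFS is
! disabled on the Check Point, or enable it (with the same DH group) on both.
! crypto map map1 10 set pfs group2
crypto map map1 interface outside

! Verification and the verbose debugs recommended in the thread (exec mode):
! show crypto isakmp sa                   -> State : MM_ACTIVE means phase 1 is up
! show crypto ipsec sa peer 62.x.x.x      -> check #pkts encaps / decaps counters
! debug crypto isakmp 128
! debug crypto ipsec 128
! clear crypto ipsec sa peer 62.x.x.x     -> force a fresh phase 2 negotiation
```

On the Check Point side the mirror of ACL 116 is the VPN community's encryption domains: 62.x.x.x/24 behind the Check Point gateway object and 192.168.11.0/24 behind the interoperable device object for the ASA. The community's tunnel-sharing setting answers the question above about per-host SAs: if it is set to one tunnel per pair of hosts, the Check Point proposes /32 proxy IDs that can never match the /24 entry in ACL 116, so select one tunnel per subnet pair.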
