6 Replies Latest reply: Mar 4, 2013 4:20 AM by sparky

    site2site vpn between ios - checkpoint


      I am having issues configuring a site-to-site VPN between a Cisco IOS router and a Check Point NRX firewall.

      Now I have checked and double-checked the IKE proposals and lifetime values, key, etc. (although I believe these are optional, I like to make sure everything matches, especially when going from one vendor to another).


      Now this is the debug on our Cisco device:



      #ping x.x.x.x sou fa0/0

      Type escape sequence to abort.
      Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
      Packet sent with a source address of

      Jan 20 12:22:14: IPSEC(sa_request): ,
        (key eng. msg.) OUTBOUND local=, remote=,
          local_proxy= 136.x.191.x/ (type=4),
          remote_proxy= 10.x.128.x/ (type=4),
          protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
          lifedur= 3600s and 4608000kb,
          spi= 0x784DD929(2018367785), conn_id= 0, keysize= 256, flags= 0x400A
      Jan 20 12:22:14: ISAKMP: received ke message (1/1)
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
      Jan 20 12:22:14: ISAKMP: Created a peer struct for 193.182.x.x, peer port 500
      Jan 20 12:22:14: ISAKMP: New peer created peer = 0x63A48C84 peer_handle = 0x80000006
      Jan 20 12:22:14: ISAKMP: Locking peer struct 0x63A48C84, IKE refcount 1 for isakmp_initiator
      Jan 20 12:22:14: ISAKMP: local port 500, remote port 500
      Jan 20 12:22:14: ISAKMP: set new node 0 to QM_IDLE
      Jan 20 12:22:14: insert sa successfully sa = 63A493F4
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): sending packet to 193.182.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
      Jan 20 12:22:14: ISAKMP (0:0): received packet from 193.182.x.x dport 500 sport 500 Global (I) MM_NO_STATE
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Couldn't find node: message_id 1487415557
      Jan 20 12:22:14: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
      Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM1

      Jan 20 12:22:14: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 193.182.x.x    ..



      I have read a lot of articles online that say supernetting is handled differently between Check Point and Cisco, but I don't think I am even getting that far in the process ...



      The error shown on the Check Point side is "IKE: Main Mode Failed to match proposal: Transform: AES-256, SHA1, Group 2 (1024 bit) Reason: Wrong value for: Authentication Method"

      Any ideas welcome.
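As an added illustration (not part of the original post), here is a small Python helper that walks IOS `debug crypto isakmp` output like the transcript above and reports how far the IKEv1 Main Mode exchange got; the sample lines are transcribed from the post, and the state names and message formats it keys on are the ones visible in that debug.

```python
import re

# Cisco IOS "debug crypto isakmp" output, reduced to the lines that matter;
# constructed sample transcribed from the post above.
SAMPLE_DEBUG = """\
Jan 20 12:22:14: ISAKMP: Created a peer struct for 193.182.x.x, peer port 500
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
Jan 20 12:22:14: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM1
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM1
Jan 20 12:22:14: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 193.182.x.x
"""

PEER_RE = re.compile(r"Created a peer struct for (\S+),")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"IKE_INFO_NOTIFY:\s+state = (\S+)")
FAIL_RE = re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: (.+)")

def summarize_isakmp(debug_text):
    """Walk the debug output and record how far the IKEv1 Main Mode exchange got."""
    summary = {"peer": None, "auth": None, "transitions": [],
               "notify_in_state": None, "failure": None}
    for line in debug_text.splitlines():
        if m := PEER_RE.search(line):
            summary["peer"] = m.group(1)
        elif "found peer pre-shared key matching" in line:
            summary["auth"] = "pre-shared key"       # auth method the initiator offers
        elif m := STATE_RE.search(line):
            summary["transitions"].append((m.group(1), m.group(2)))
        elif m := NOTIFY_RE.search(line):
            summary["notify_in_state"] = m.group(1)  # a notify arrived, not MM2
        elif m := FAIL_RE.search(line):
            summary["failure"] = m.group(1).strip(" .")
    return summary

def diagnose(summary):
    """Classify the outcome as (code, explanation)."""
    last = summary["transitions"][-1][1] if summary["transitions"] else None
    if last == "IKE_I_MM1" and summary["notify_in_state"] == "IKE_I_MM1":
        return ("phase1-proposal-rejected",
                "initiator never left IKE_I_MM1: the peer answered the SA proposal "
                f"(offered with {summary['auth']} auth) with an informational "
                "notify instead of MM2, so Phase 1 parameters were not accepted")
    if last and last.startswith("IKE_I_MM"):
        return ("phase1-incomplete", f"exchange stalled in {last}")
    return ("unknown", f"last state {last}")
```

Run `diagnose(summarize_isakmp(SAMPLE_DEBUG))` on the transcript: it classifies the exchange as rejected at the first proposal, which is consistent with the Check Point "Failed to match proposal" message rather than with a later Phase 2 or supernetting problem.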