I am having issues configuring a site-to-site VPN between a Cisco IOS router and a Check Point NRX firewall.
Now I have checked and double-checked the IKE proposals and lifetime values, key, etc. (although I believe these are optional, I like to make sure everything matches, especially when going from one vendor to another).
Now this is the debug on our Cisco device:
#ping x.x.x.x sou fa0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.224.128.20, timeout is 2 seconds:
Packet sent with a source address of 188.8.131.52
Jan 20 12:22:14: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 184.108.40.206, remote= 220.127.116.11,
local_proxy= 136.x.191.x/255.255.255.224/0/0 (type=4),
remote_proxy= 10.x.128.x/255.255.255.128/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x784DD929(2018367785), conn_id= 0, keysize= 256, flags= 0x400A
Jan 20 12:22:14: ISAKMP: received ke message (1/1)
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
Jan 20 12:22:14: ISAKMP: Created a peer struct for 193.182.x.x, peer port 500
Jan 20 12:22:14: ISAKMP: New peer created peer = 0x63A48C84 peer_handle = 0x80000006
Jan 20 12:22:14: ISAKMP: Locking peer struct 0x63A48C84, IKE refcount 1 for isakmp_initiator
Jan 20 12:22:14: ISAKMP: local port 500, remote port 500
Jan 20 12:22:14: ISAKMP: set new node 0 to QM_IDLE
Jan 20 12:22:14: insert sa successfully sa = 63A493F4
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 18.104.22.168
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): sending packet to 193.182.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 20 12:22:14: ISAKMP (0:0): received packet from 193.182.x.x dport 500 sport 500 Global (I) MM_NO_STATE
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Couldn't find node: message_id 1487415557
Jan 20 12:22:14: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Jan 20 12:22:14: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 193.182.x.x ..
I have read a lot of articles online that say supernetting is handled differently between Check Point and Cisco, but I don't think I am even getting that far in the process...
The error shown on the Check Point side is "IKE: Main Mode Failed to match proposal: Transform: AES-256, SHA1, Group 2 (1024 bit) Reason: Wrong value for: Authentication Method".
Any ideas welcome.
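As an added illustration (not part of the thread, and not Cisco's or Check Point's own tooling), a small Python script that reads a `debug crypto isakmp` excerpt and reports where the initiator's main-mode state machine stopped, which is what points at the Phase 1 proposal in the log above: the router sent MM1 (IKE_I_MM1), received an informational notify instead of MM2, and never advanced. The sample log is a constructed excerpt in the same format with a documentation peer address; the state-to-hint table is a troubleshooting heuristic, not an IOS API.

```python
import re

# Constructed excerpt in the format of Cisco IOS 'debug crypto isakmp' (not the thread's own log).
SAMPLE_DEBUG = """\
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0): sending packet to 192.0.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Jan 20 12:22:14: ISAKMP (0:0): received packet from 192.0.2.1 dport 500 sport 500 Global (I) MM_NO_STATE
Jan 20 12:22:14: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
Jan 20 12:22:14: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_I_MM1
Jan 20 12:22:14: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.0.2.1 ..
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
FAIL_RE = re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE: .*? failed with peer at (\S+)")
NOTIFY_RE = re.compile(r"Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = (\S+)")

# Heuristic (assumption): the main-mode state the initiator is stuck in tells you
# which group of parameters to compare with the peer first.
HINTS = {
    "IKE_I_MM1": "Phase 1 proposal not accepted by peer: compare encryption, hash, DH group, "
                 "authentication method and lifetime in 'crypto isakmp policy' with the peer's IKE proposal",
    "IKE_I_MM3": "Proposal accepted but key exchange did not complete: check DH group and UDP/500 reachability",
    "IKE_I_MM5": "Authentication exchange failed: check pre-shared key and the identity type (address vs hostname)",
    "QM_IDLE":   "Phase 1 is up, Phase 2 failed: check transform set, PFS and proxy identities (crypto ACL)",
}


def analyse_isakmp_debug(text):
    """Return the last initiator state, the failing peer, the state in which an
    unexpected informational notify arrived, and a troubleshooting hint."""
    last_state = None
    for m in STATE_RE.finditer(text):          # keep the final 'New State'
        last_state = m.group(2)
    fail = FAIL_RE.search(text)
    notify = NOTIFY_RE.search(text)
    return {
        "last_state": last_state,
        "peer": fail.group(1) if fail else None,
        "notify_in_state": notify.group(1) if notify else None,
        "hint": HINTS.get(last_state, "no hint for state %s" % last_state),
    }


if __name__ == "__main__":
    for key, value in analyse_isakmp_debug(SAMPLE_DEBUG).items():
        print("%-16s %s" % (key + ":", value))
```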
Did you solve your problem? I am facing the same problem and I am not aware of which parameters of the two IPsec phases are wrong.
I set up authentication method to pre-shared in the isakmp policy:
isakmp policy 1
Was something wrong on the other side, at the Check Point firewall? I would be glad if you could provide some help.
Michal, welcome to the CLN!!
You may want to start a new thread of your own, to ensure people do not get confused with the first post, and post some snapshots of debugging, etc., as you saw above. Posting sanitized copies of the related configuration may also help.
In the end, Michal, it came down to this: the config was good, but for whatever reason version R70 of Check Point would not form a VPN with the Cisco VPN router.
However, the same config worked fine going to another Cisco router or an older Check Point (R65); googling around, it is not too uncommon to run into this issue with mixed vendors.
I know we had similar issues with a Cisco IOS to pfSense box... we could get AES working, but 3DES was fine.
Hi guys, I haven't tried Check Point but have tried with FortiGate before. In FortiGate, there was an option to select either Main Mode or Aggressive Mode. I wonder if we also have an option in IOS or ASA to select which mode to use. Also, there was an option for dead peer detection with FortiGate, so any mismatch on this might also cause issues in bringing up the tunnel.
Do you also have those two options on Check Point?